PlaciPy Admin Privilege Escalation Vulnerability via Unverified JWT Claims
Vulnerability
A vulnerability in PlaciPy version 1.0.0 allows admin privilege escalation. The admin authorization middleware trusts client-controlled JSON Web Token (JWT) claims, specifically 'role' and 'scope', and performs no server-side role verification. As a result, non-admin users can reach admin functionality, including user management and institutional controls. Because these admin routes manage core platform operations, the flaw can lead to unauthorized modification of critical records and complete compromise of the system.
Impact
Exploitation of this vulnerability lets non-admin users obtain admin access and, with it, the full admin API. Since admin routes control essential platform operations, this access could lead to unauthorized modification of critical records and complete compromise of the system.
Remediation
To address this vulnerability, remove all role checks based on JWT claims and enforce role validation exclusively server-side, through Cognito Groups. Apply defense in depth by validating roles in both the middleware and the service layer, and treat JWT claims as identity indicators rather than as authorization credentials.
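The following is an added example of the remediation pattern described above; it is not PlaciPy's own code. It shows the vulnerable check that trusts the 'role' and 'scope' claims next to a hardened version that uses the token only to identify the caller and derives roles from an authoritative server-side group lookup, re-checked in the service layer. The Cognito call (AdminListGroupsForUser) is stood in for by an injected callable so the module runs offline; the group name `admins`, the claim values and the user directory are constructed assumptions, and signature verification of the token is assumed to happen upstream.

```python
"""Admin authorization: derive roles server-side, never from client-supplied JWT claims.

Added example, not PlaciPy's own code. The Cognito group lookup is replaced by
an injected callable (fake_cognito_lookup) so this runs offline; ADMIN_GROUP,
the sample subjects and the claim values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Mapping

ADMIN_GROUP = "admins"  # assumed Cognito group name, not taken from the advisory


class Forbidden(Exception):
    """Raised when the caller is not authorized for an admin route."""


@dataclass(frozen=True)
class Principal:
    """Identity taken from verified JWT claims plus roles resolved server-side."""
    sub: str
    groups: FrozenSet[str]

    @property
    def is_admin(self) -> bool:
        return ADMIN_GROUP in self.groups


# Vulnerable pattern (as the advisory describes it): authorizes on claims
# the client can influence, with no server-side role source.
def authorize_admin_vulnerable(claims: Mapping[str, object]) -> None:
    scopes = str(claims.get("scope", "")).split()
    if claims.get("role") == "admin" or "admin" in scopes:
        return
    raise Forbidden("admin role required")


# Hardened middleware: the token only tells us *who* is calling.
def build_principal(claims: Mapping[str, object],
                    lookup_groups: Callable[[str], FrozenSet[str]]) -> Principal:
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise Forbidden("token carries no subject")
    # 'role', 'scope' and any other client-influenced claim are deliberately ignored;
    # group membership comes from the authoritative directory keyed by subject.
    return Principal(sub=sub, groups=frozenset(lookup_groups(sub)))


def require_admin(principal: Principal) -> None:
    if not principal.is_admin:
        raise Forbidden(f"user {principal.sub} is not in group {ADMIN_GROUP}")


# Service layer re-checks the role (defense in depth) instead of assuming
# the middleware ran in front of it.
def delete_user(principal: Principal, target_sub: str, user_store: dict) -> bool:
    require_admin(principal)
    return user_store.pop(target_sub, None) is not None


# --- constructed sample data, standing in for Cognito ------------------------
GROUP_DIRECTORY = {
    "user-admin-1": frozenset({"admins", "staff"}),
    "user-student-7": frozenset({"students"}),
}


def fake_cognito_lookup(sub: str) -> FrozenSet[str]:
    """Stand-in for AdminListGroupsForUser; unknown subjects have no groups."""
    return GROUP_DIRECTORY.get(sub, frozenset())


# Claims a non-admin might present with role/scope set to admin values (constructed),
# and a real admin whose token says nothing useful about role.
FORGED_CLAIMS = {"sub": "user-student-7", "role": "admin", "scope": "admin read"}
ADMIN_CLAIMS = {"sub": "user-admin-1", "role": "user"}


def demo() -> dict:
    """Run both authorizers over the sample claims and report the outcomes."""
    results = {}
    try:
        authorize_admin_vulnerable(FORGED_CLAIMS)
        results["vulnerable_accepts_forged"] = True
    except Forbidden:
        results["vulnerable_accepts_forged"] = False

    store = {"user-student-7": {}, "someone": {}}
    try:
        delete_user(build_principal(FORGED_CLAIMS, fake_cognito_lookup), "someone", store)
        results["hardened_accepts_forged"] = True
    except Forbidden:
        results["hardened_accepts_forged"] = False

    results["hardened_accepts_admin"] = delete_user(
        build_principal(ADMIN_CLAIMS, fake_cognito_lookup), "someone", store)
    return results


if __name__ == "__main__":
    print(demo())
```

The key design choice is that `Principal` is constructed in exactly one place and carries groups that no request field can set; every route handler and service function then asks the same `require_admin` question, so a missing middleware registration on a new route is caught by the service-layer check rather than silently granting access.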
