DevGuard Unauthenticated Identity Assertion Vulnerability via X-Admin-Token Header

Vulnerability

A vulnerability in DevGuard's SessionMiddleware prior to version 1.2.2 allows unauthenticated identity assertion. The middleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated user ID when no Kratos session cookie is present. An attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. If the target user is an organization admin or owner, the attacker gains full control over that organization's DevGuard resources.

Impact

Exploitation of this vulnerability allows an attacker to perform unauthorized actions on behalf of the target user, including reading or modifying that user's resources. If the target user holds an admin or owner role within an organization, this extends to full control over that organization's DevGuard resources.

Reproduction

To reproduce this vulnerability, send a request to the DevGuard API without a Kratos session cookie. Include the X-Admin-Token header with a value that corresponds to a valid user's identity UUID. If the user is an organization admin or owner, the request will be processed with elevated privileges.

Remediation

Update DevGuard to version 1.2.2 or later. If an immediate update is not possible, configure a reverse proxy to remove the X-Admin-Token header before forwarding requests to the DevGuard API.
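To make the flaw and both remedies concrete, the following Go program (an added example written for this page, not DevGuard's own SessionMiddleware or any of its code) contrasts an identity resolver that falls back to the client-supplied X-Admin-Token header with one that derives identity only from a verified session, and shows that deleting the header before the middleware runs, which is what the reverse-proxy workaround does, also closes the hole even when the vulnerable resolver stays in place. The cookie name ory_kratos_session (the Kratos default), the in-memory session map standing in for Kratos, the request path and the session and UUID values are assumptions or constructed sample data, not values from DevGuard.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed names: the header is the one in the advisory, the cookie name is the Kratos default.
const (
	adminTokenHeader  = "X-Admin-Token"
	kratosSessionName = "ory_kratos_session"
)

type ctxKey string
const userIDKey ctxKey = "userID"

// sessions stands in for the Kratos lookup: session cookie value -> verified user ID.
type sessions map[string]string

type identityFunc func(sessions, *http.Request) (string, bool)

// vulnerableIdentity reproduces the flaw in the advisory: with no session
// cookie, the raw header value becomes the user ID, so the client picks who it is.
func vulnerableIdentity(v sessions, r *http.Request) (string, bool) {
	if c, err := r.Cookie(kratosSessionName); err == nil {
		uid, ok := v[c.Value]
		return uid, ok
	}
	if tok := r.Header.Get(adminTokenHeader); tok != "" {
		return tok, true
	}
	return "", false
}

// hardenedIdentity trusts only a verified session; request headers never supply identity.
func hardenedIdentity(v sessions, r *http.Request) (string, bool) {
	c, err := r.Cookie(kratosSessionName)
	if err != nil {
		return "", false
	}
	uid, ok := v[c.Value]
	return uid, ok
}

// sessionMiddleware rejects unresolved identities, otherwise stores the user ID in the context.
func sessionMiddleware(v sessions, identify identityFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		uid, ok := identify(v, r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userIDKey, uid)))
	})
}

// stripAdminToken is the in-process equivalent of the interim reverse-proxy
// fix: delete the header before the (still vulnerable) middleware sees it.
func stripAdminToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(adminTokenHeader)
		next.ServeHTTP(w, r)
	})
}

// probe runs req through the chain; returns the status and the user ID the handler saw ("" if rejected).
func probe(v sessions, identify identityFunc, strip bool, req *http.Request) (int, string) {
	req = req.Clone(req.Context()) // keep the caller's request untouched
	seen := ""
	protected := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen, _ = r.Context().Value(userIDKey).(string)
		w.WriteHeader(http.StatusOK)
	})
	var h http.Handler = sessionMiddleware(v, identify, protected)
	if strip {
		h = stripAdminToken(h)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	// Constructed sample data: one valid session and the user UUID it belongs to.
	valid := sessions{"sess-123": "11111111-2222-3333-4444-555555555555"}
	forged := httptest.NewRequest(http.MethodGet, "/api/example", nil) // no session cookie
	forged.Header.Set(adminTokenHeader, "11111111-2222-3333-4444-555555555555")
	code, uid := probe(valid, vulnerableIdentity, false, forged)
	fmt.Printf("vulnerable:      status=%d user=%q\n", code, uid)
	code, uid = probe(valid, vulnerableIdentity, true, forged)
	fmt.Printf("header stripped: status=%d user=%q\n", code, uid)
	code, uid = probe(valid, hardenedIdentity, false, forged)
	fmt.Printf("hardened:        status=%d user=%q\n", code, uid)
}
```

Run it with `go run`: the forged request (a header but no session cookie) is accepted as the named user by the vulnerable resolver, rejected with 401 once the header is stripped, and rejected by the hardened resolver. The hardened version has no header branch at all, which is the property to check for when reviewing middleware: identity must come only from something the server verified. The stripAdminToken wrapper is the in-process counterpart of the reverse-proxy rule the advisory recommends; in nginx, for instance, `proxy_set_header X-Admin-Token "";` drops the header before the request is forwarded.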

Added: May 12, 2026, 7:09 PM
Updated: May 12, 2026, 7:09 PM

Vulnerability Rating

Custom Algorithm
Metric          Score
spread          0.0
impact          1.3
exploitability  8.0
remediation     0.0
relevance       8.1
threat          4.8
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.