Wiki.js Privilege Escalation Vulnerability in GraphQL Users Update Mutation
Vulnerability
A critical privilege escalation vulnerability has been identified in Wiki.js versions through 2.5.312. The issue arises in the GraphQL 'users.update' mutation, which accepts an arbitrary array of group IDs and writes them to the database without any validation. Because the requested group IDs are never checked against the caller's own permissions, a user holding the 'manage:users' permission, typically a moderator, can add their own account to the Administrators group. After re-authenticating, such a user receives a JSON Web Token (JWT) that includes the 'manage:system' permission, granting full administrative access.
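The missing check, as an added illustration that is not Wiki.js's own code: a guard a users.update resolver can run before persisting anything, which refuses any group whose permissions the caller does not already hold. It goes slightly beyond the Administrators case by blocking every permission gain through group assignment; the group table, user objects and function names are constructed for the example.

```javascript
// Added example (hypothetical, not Wiki.js's own code): an authorization guard
// for a GraphQL users.update resolver. Instead of persisting whatever group IDs
// the caller sends, it refuses any group whose permissions the caller does not
// already hold, so a 'manage:users' holder cannot grant 'manage:system'.

// Constructed in-memory group table standing in for the database; group 1
// being Administrators mirrors the advisory, the rest is made up.
const GROUPS = new Map([
  [1, { name: 'Administrators', permissions: ['manage:system', 'manage:users', 'read:pages'] }],
  [2, { name: 'Moderators', permissions: ['manage:users', 'read:pages'] }],
  [3, { name: 'Users', permissions: ['read:pages'] }],
]);

// Union of the permissions granted by all of a user's groups.
function effectivePermissions(user) {
  const perms = new Set();
  for (const gid of user.groups) {
    for (const p of (GROUPS.get(gid) || { permissions: [] }).permissions) perms.add(p);
  }
  return perms;
}

// Decide whether `caller` may set `target`'s membership to `requestedGroups`.
// Returns { ok: true } or { ok: false, reason } so the resolver can reject the
// mutation before touching the database.
function authorizeGroupUpdate(caller, target, requestedGroups) {
  const callerPerms = effectivePermissions(caller);
  if (!callerPerms.has('manage:users')) {
    return { ok: false, reason: 'caller lacks manage:users' };
  }
  for (const gid of requestedGroups) {
    const group = GROUPS.get(gid);
    // Unknown IDs are rejected rather than written through.
    if (!group) return { ok: false, reason: `unknown group id ${gid}` };
    // A caller may only hand out permissions they already hold themselves.
    const missing = group.permissions.filter((p) => !callerPerms.has(p));
    if (missing.length > 0) {
      return { ok: false, reason: `assigning ${group.name} would grant ${missing.join(', ')}` };
    }
  }
  // Changing one's own membership through this mutation is refused outright.
  const unchanged = [...target.groups].sort().join() === [...requestedGroups].sort().join();
  if (caller.id === target.id && !unchanged) {
    return { ok: false, reason: 'callers may not modify their own groups' };
  }
  return { ok: true };
}
```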
Impact
Exploitation of this vulnerability allows a user with 'manage:users' permissions to gain full administrative rights on the Wiki.js platform, including the ability to access all user data, execute operating system-level code, manage administrative accounts, modify or delete wiki content, and manipulate authentication settings.
Reproduction
To reproduce this vulnerability, log in as a user with 'manage:users' permissions. Once authenticated, use the 'users.update' mutation to add the current user to the Administrators group by including 'groups:[1]' in the mutation request. After the group assignment is accepted, re-authenticate to receive an escalated JWT that includes 'manage:system' permissions, granting full administrative access.
Remediation
Users are advised to update to Wiki.js version 2.5.313 or later, where this vulnerability has been fixed.
