ArnasDon WACRM
Affected versions: < commit 73041bf
An authorization bypass vulnerability has been identified in WACRM versions prior to commit 73041bf. This vulnerability allows authenticated attackers to access and modify contacts belonging to other tenants. Exploitation involves supplying a caller-controlled contact_id in the POST request body, bypassing tenant ownership verification. The vulnerability arises from the use of a service-role client that ignores row-level security, enabling attackers to alter contact fields such as name, email, and company across tenant boundaries, using only a known contact UUID.
Exploitation of this vulnerability could lead to unauthorized access and modification of contacts across different tenants, allowing attackers to manipulate contact information such as names, emails, and company details.
To reproduce this vulnerability, an authenticated user sends a POST request to the WACRM automation engine endpoint with a contact_id that belongs to a different tenant. The endpoint performs no tenant ownership check on that value and executes the update through a service-role client that ignores row-level security, so the request succeeds and fields such as name, email, and company of the targeted contact are modified across the tenant boundary.
Users are advised to update to the latest version of WACRM, which includes a patch for this vulnerability. The patch can be found in the commit 73041bf on the WACRM GitHub repository.
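The following is an added illustration, not WACRM's own code or the content of commit 73041bf. It models the handler shape the advisory describes (a body-supplied contact_id passed straight to a service-role client that bypasses row-level security) next to a hardened shape that resolves the row and compares its tenant with the authenticated session's tenant before any write. All types, function names and sample data are constructed for the example.

```typescript
// Added example (not WACRM's code): contact update with and without a tenant
// ownership check. The in-memory Map stands in for the contacts table.

export interface Contact {
  id: string;       // contact UUID
  tenantId: string; // owning tenant
  name: string;
  email: string;
  company: string;
}

export interface Caller {
  userId: string;
  tenantId: string; // taken from the authenticated session, never from the body
}

export type ContactFields = Partial<Pick<Contact, "name" | "email" | "company">>;

export interface UpdateRequest {
  contact_id: string; // caller-controlled value from the POST body
  fields: ContactFields;
}

export interface Response {
  status: number;
  body?: Contact;
}

// Constructed sample store: one contact per tenant.
export function newStore(): Map<string, Contact> {
  return new Map<string, Contact>([
    ["11111111-1111-4111-8111-111111111111",
      { id: "11111111-1111-4111-8111-111111111111", tenantId: "tenant-a",
        name: "Alice", email: "alice@a.example", company: "A Corp" }],
    ["22222222-2222-4222-8222-222222222222",
      { id: "22222222-2222-4222-8222-222222222222", tenantId: "tenant-b",
        name: "Bob", email: "bob@b.example", company: "B Ltd" }],
  ]);
}

// Stand-in for a service-role client (hypothetical): it ignores row-level
// security, so a row is located by id alone and nothing scopes the write
// to the caller's tenant.
function serviceRoleUpdate(store: Map<string, Contact>, id: string, fields: ContactFields): Contact | undefined {
  const row = store.get(id);
  if (!row) return undefined;
  const updated: Contact = { ...row, ...fields };
  store.set(id, updated);
  return updated;
}

// Vulnerable shape: the body's contact_id reaches the privileged client
// without any ownership verification.
export function updateContactVulnerable(store: Map<string, Contact>, caller: Caller, req: UpdateRequest): Response {
  const updated = serviceRoleUpdate(store, req.contact_id, req.fields);
  return updated ? { status: 200, body: updated } : { status: 404 };
}

// Hardened shape: load the row first and refuse the write unless its tenant
// matches the session's tenant. Both "missing" and "not yours" answer 404 so
// the check does not reveal whether a foreign UUID exists.
export function updateContactHardened(store: Map<string, Contact>, caller: Caller, req: UpdateRequest): Response {
  const row = store.get(req.contact_id);
  if (!row || row.tenantId !== caller.tenantId) return { status: 404 };
  // Copy only the editable fields; id and tenantId can never be overwritten.
  const allowed: ContactFields = {};
  if (req.fields.name !== undefined) allowed.name = req.fields.name;
  if (req.fields.email !== undefined) allowed.email = req.fields.email;
  if (req.fields.company !== undefined) allowed.company = req.fields.company;
  const updated = serviceRoleUpdate(store, row.id, allowed) as Contact;
  return { status: 200, body: updated };
}
```

The essential property is that the ownership decision uses the tenant from the session, not any value in the request, and is made before the privileged client is invoked. Alternatively the update could be issued through a client that is subject to row-level security, so that the database itself refuses the cross-tenant write.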