# Vulnerability Summary: OWASP DefectDojo Authorization Bypass (IDOR)

## Vulnerability Overview

**Vulnerability Name**: Authorization Bypass / IDOR - Access to Other People's Risk Acceptances via `raid` Parameter Substitution

**Vulnerability Type**: Insecure Direct Object Reference (IDOR)

**Affected Versions**: ≤ 2.55.4 (fixed in 2.56.0)

**Reporter**: noname13371

**Report Date**: February 23, 2026

**Fix Date**: March 2, 2026

**Core Issue**: The system only performs a permission check on the `engagement` (project). When it loads the `risk_acceptance`, it does not verify that the risk acceptance belongs to an engagement the current user may access. An attacker who is authorized for one engagement can access other projects' risk acceptance data by substituting the `raid` parameter.

## Impact Scope

* **Read**: View accepted findings, notes, and details of other products.
* **Actions**: Edit, expire, restore, or delete other users' risk acceptances.
* **Data Leakage**: Via `accepted_findings`, obtain finding names, severity levels, and descriptions from other products.

## Vulnerable Code Analysis

The following function is vulnerable: it only validates `eid` (engagement ID) and never validates that `raid` (risk_acceptance ID) belongs to that engagement, so the object is loaded by primary key alone.

```python
# will only be called by view_risk_acceptance and edit_risk_acceptance
def view_edit_risk_acceptance(request, eid, raid, *, edit_mode=False):
    risk_acceptance = get_object_or_404(RiskAcceptance, pk=raid)
    # -- No check that raid belongs to eid!
```

## Fix Solution

**Fix Status**: Merged in PR #14375 (February 26, 2026).

**Fix Logic**: Added proper ownership validation in all affected functions to ensure that `raid` belongs to `eid`.

**Example of Correct Protection Implementation**:

```python
from django.core.exceptions import PermissionDenied
from django.shortcuts import get_object_or_404

# DefectDojo module paths as used in the project's views
from dojo.authorization.authorization_decorators import user_is_authorized
from dojo.authorization.roles_permissions import Permissions
from dojo.models import Engagement, RiskAcceptance


@user_is_authorized(Engagement, Permissions.Engagement_View, "eid")
def download_risk_acceptance(request, eid, raid):
    ...
    risk_acceptance = get_object_or_404(RiskAcceptance, pk=raid)
    # Ensure the risk acceptance is under the supplied engagement
    if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists():
        raise PermissionDenied
    ...
```
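The pre-fix and post-fix lookups side by side, as an added example that is not DefectDojo's own code: it models engagements and risk acceptances with plain Python objects instead of the Django ORM (the `RiskAcceptance` dataclass, the sample records and the `AUTHORIZED_ENGAGEMENTS` set are all constructed), so that the effect of the missing ownership check can be exercised offline.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied."""


@dataclass
class RiskAcceptance:
    id: int
    engagement_id: int  # the engagement (project) this acceptance belongs to
    accepted_findings: list = field(default_factory=list)


# Constructed sample data: two engagements, each owning one risk acceptance.
RISK_ACCEPTANCES = {
    10: RiskAcceptance(10, engagement_id=1, accepted_findings=["SQL injection in login"]),
    20: RiskAcceptance(20, engagement_id=2, accepted_findings=["Hard-coded API key"]),
}
# The calling user holds Engagement_View on engagement 1 only (constructed).
AUTHORIZED_ENGAGEMENTS = {1}


def check_engagement_view(eid):
    """Mirrors @user_is_authorized(Engagement, Permissions.Engagement_View, "eid"): checks eid only."""
    if eid not in AUTHORIZED_ENGAGEMENTS:
        raise PermissionDenied(f"no Engagement_View on engagement {eid}")


def load_risk_acceptance_vulnerable(eid, raid):
    """Pre-fix behaviour: raid is fetched by primary key and never tied back to eid."""
    check_engagement_view(eid)
    return RISK_ACCEPTANCES[raid]  # KeyError stands in for the 404 of get_object_or_404


def load_risk_acceptance_fixed(eid, raid):
    """Post-fix behaviour: the acceptance must belong to the engagement named in the URL."""
    check_engagement_view(eid)
    ra = RISK_ACCEPTANCES[raid]
    # Equivalent of Engagement.objects.filter(risk_acceptance=ra, id=eid).exists()
    if ra.engagement_id != eid:
        raise PermissionDenied(f"risk acceptance {raid} is not under engagement {eid}")
    return ra


def cross_engagement_leak(loader, eid, raid):
    """True if `loader` hands back a risk acceptance owned by an engagement other than eid."""
    try:
        return loader(eid, raid).engagement_id != eid
    except (PermissionDenied, KeyError):
        return False
```

With the user authorized for engagement 1 and `raid=20` (owned by engagement 2), `cross_engagement_leak` is `True` for the vulnerable loader and `False` for the fixed one.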