July 5, 2026
🦎Broken Access Control: Low Privilege, Full Organization Visibility
الحمد لله الذي عَلَّمَ بالقلم.. عَلَّمَ الإنسانَ ما لم يَعْلَم والصلاةُ والسلامُ على خيرِ مُعَلِّمي الناسِ الخير محمد أما بعد

By 0xMo7areb 🥷
1 min read
Here we go ^_^
Target Overview
The target application uses a role-based access control system to manage user permissions at the organization level.
Each request is associated with a user role that defines what data and actions are allowed, such as Admin, Super User, User, and Restricted User.
These roles are expected to be enforced consistently across all API endpoints.
How I Found It
While testing different user roles in an organization, I noticed that some information was visible only to Admin users in the application.
To verify whether the restriction was enforced on the backend, I captured a request made by an Admin account and replayed it using a Restricted User account session.
The server returned the same data, even though the Restricted User should not have had access to it.
The Vulnerability
The API endpoint failed to properly validate user permissions.
A Restricted User could access organization information that was intended for higher-privileged users, including:
- Member email addresses
- Internal user IDs
- Membership information
- Inactive accounts
- Deleted user records
This data was not available through the application's UI, but it could still be accessed directly through the API.
Proof of Concept
- Log in as an Admin user and capture the following request:
GET /api/v1/organization/{organization_id}/?_expand=membershipsuser,inactive_membershipsuser&_fields=id,membershipsGET /api/v1/organization/{organization_id}/?_expand=membershipsuser,inactive_membershipsuser&_fields=id,memberships- Send the request to Burp Suite Repeater.
- Replace the Admin session cookie with a Restricted User session.
- Forward the request.
- Observe that the Restricted User receives sensitive organization data, including member emails, internal user IDs, membership information, and inactive user records that should only be accessible to Admin users.
Impact
This vulnerability allows low-privileged users to access sensitive organizational information.
An attacker could use this information for:
- User enumeration
- Targeted phishing attacks
- Internal organization mapping
- Gathering information about inactive or deleted accounts
It also breaks the application's role-based access control model.
Report Status
Unfortunately, this finding had already been reported. Although it was not eligible for a reward, the experience reinforced the importance of thoroughly testing API endpoints for access control weaknesses.
"سُبْحَانَكَ اللَّهُمَّ وَبِحَمْدِكَ ، أَشْهَدُ أَنْ لا إِلَهَ إِلا أَنْتَ ، أَسْتَغْفِرُكَ وَأَتُوبُ إِلَيْكَ"