
Critical IDOR Vulnerability in CoreEvent GraphQL API Exposes Order and Event Data

3d ago · 6 min read · en · Insight

Summary

A critical broken access control vulnerability (IDOR/BOLA) was discovered in the CoreEvent GraphQL API. The getOrder and getEvent queries look up whatever ID the caller supplies without checking that the caller owns, or is otherwise authorized to view, the referenced object, so any authenticated user can read any order or event. In a single request, approximately 10,968 accreditations were retrieved, each containing personally identifiable information (PII). This enables ticket fraud, unauthorized entry, and mass data scraping. The issue is classified as API1: Broken Object Level Authorization under the OWASP API Top 10.
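To make the failure concrete, the following is an added illustration, not code from the original post or from CoreEvent. It models the two resolvers described above with an in-memory store: the vulnerable pair returns whatever object the supplied ID names once the caller is logged in, while the hardened pair checks object-level ownership (order owner, event organizer) before releasing anything, and hides the accreditation list from non-organizers. The data model, field names (ownerId, organizerId, accreditations), the context shape and the resolver signatures are all assumptions made for this example; the sample records are constructed.

```javascript
// Added example, not CoreEvent's code. Data model, field names and resolver
// signatures are assumptions; the records below are constructed sample data.

// Backing store the resolvers read from.
const orders = new Map([
  ["1001", { id: "1001", ownerId: "alice", eventId: "E1", tickets: 2 }],
  ["1002", { id: "1002", ownerId: "bob", eventId: "E1", tickets: 1 }],
  ["1003", { id: "1003", ownerId: "carol", eventId: "E2", tickets: 4 }],
]);
const events = new Map([
  ["E1", { id: "E1", organizerId: "org-1", name: "Launch", accreditations: [
    { orderId: "1001", holder: "Alice A.", email: "alice@example.com" },
    { orderId: "1002", holder: "Bob B.", email: "bob@example.com" },
  ] }],
  ["E2", { id: "E2", organizerId: "org-2", name: "Summit", accreditations: [
    { orderId: "1003", holder: "Carol C.", email: "carol@example.com" },
  ] }],
]);

// Vulnerable resolvers (the pattern the advisory describes): the only gate is
// "is the caller logged in?"; the supplied id is trusted as-is (BOLA / IDOR).
const vulnerable = {
  getOrder(_parent, { id }, ctx) {
    if (!ctx.userId) throw new Error("unauthenticated");
    return orders.get(id) ?? null;
  },
  getEvent(_parent, { id }, ctx) {
    if (!ctx.userId) throw new Error("unauthenticated");
    return events.get(id) ?? null;
  },
};

// Hardened resolvers: authenticate, load the object, then verify the caller is
// authorized for *this* object. A forbidden id is indistinguishable from a
// missing one, so the endpoint cannot be used as an existence oracle either.
const hardened = {
  getOrder(_parent, { id }, ctx) {
    if (!ctx.userId) throw new Error("unauthenticated");
    const order = orders.get(id);
    if (!order || order.ownerId !== ctx.userId) return null;
    return order;
  },
  getEvent(_parent, { id }, ctx) {
    if (!ctx.userId) throw new Error("unauthenticated");
    const event = events.get(id);
    if (!event) return null;
    const isOrganizer = ctx.organizerIds.includes(event.organizerId);
    // Public event metadata may be returned to anyone; the accreditation
    // list is attendee PII and is released only to the event's organizer.
    if (isOrganizer) return event;
    return { id: event.id, name: event.name, organizerId: event.organizerId, accreditations: [] };
  },
};

// What an attacker does with an IDOR: walk sequential ids from a low-privilege
// account and keep every object that does not belong to them.
function enumerateOrders(resolvers, ctx, from, to) {
  const leaked = [];
  for (let n = from; n <= to; n++) {
    const order = resolvers.getOrder(null, { id: String(n) }, ctx);
    if (order && order.ownerId !== ctx.userId) leaked.push(order.id);
  }
  return leaked;
}

// How many PII records a given caller can pull by querying every event.
function countExposedAccreditations(resolvers, ctx) {
  let total = 0;
  for (const id of events.keys()) {
    total += resolvers.getEvent(null, { id }, ctx).accreditations.length;
  }
  return total;
}

// An ordinary ticket holder with no organizer role.
const attacker = { userId: "bob", organizerIds: [] };

console.log("vulnerable: leaked orders", enumerateOrders(vulnerable, attacker, 1000, 1010));
console.log("vulnerable: exposed accreditations", countExposedAccreditations(vulnerable, attacker));
console.log("hardened:   leaked orders", enumerateOrders(hardened, attacker, 1000, 1010));
console.log("hardened:   exposed accreditations", countExposedAccreditations(hardened, attacker));
```

The check that matters is the one on the loaded object, not on the caller's role in general: a user who is perfectly entitled to call getOrder is still only entitled to their own orders. Doing the ownership comparison in every resolver that accepts an ID (or in a shared data-loader layer that every resolver goes through) is what closes the hole; authentication middleware alone does not.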

Key quotes (3 pulled from the article)

"Querying getOrder and getEvent exposes: [...] The server trusts any user-supplied ID without checking ownership or permissions."

"In a single request, I retrieved ~10,968 accreditations, each containing: [...] Ticket fraud, unauthorized entry, mass data scraping — all trivially possible from one request."

"Critical. Classic API1: Broken Object Level Authorization (OWASP API Top 10)."
Snippet from the RSS feed
Broken access control in GraphQL API allowing unauthorized access to orders and event data.
