Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

[CRITICAL] C4: IDOR DoS/account-disable — any user can disable any account including admin #329

Description

@rubenvdlinde

Severity: CRITICAL

Location: lib/Controller/ContactpersonenController.php lines 1022–1113; lib/Service/ContactpersoonService.php lines 1273–1404

Description:
POST /api/contactpersonen/{id}/disable is @NoAdminRequired with zero service-level authorisation. Any authenticated user can disable any account by ID, including the admin account. Combined with C2 (privilege escalation) this creates a permanent admin lockout: escalate to super-user, disable admin, take over the instance.

Scenario:

POST /api/contactpersonen/<admin-contact-id>/disable

Sent as any authenticated user → admin account disabled → permanent lockout.

Suggested fix:

  • Gate with admin or org-admin check.
  • Verify that the caller has authority over the target contact's organisation before allowing disable.

Source: deep team-reviewer pass 2026-05-27

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions