Severity: HIGH
Location: lib/Controller/SettingsController.php lines 1237–1330 (streamProgress)
Description:
The streamProgress SSE endpoint is missing the user-null check present in its sibling getProgress. It also sets Access-Control-Allow-Origin: *, making it subscribable from any cross-origin page. Any unauthenticated or cross-origin request can subscribe to any operationId and receive real-time progress updates for another user's import/sync operation.
Scenario:
- Attacker tricks admin into visiting a malicious page while the admin runs a large import.
- The page subscribes to the SSE stream with the operation ID (discoverable or brute-forced).
- Real-time progress data (file names, counts, error messages) streams to the attacker.
Suggested fix:
- Authenticate the request and return 401 if user is null.
- Bind
operationId to the authenticated user so that cross-user subscriptions are rejected.
- Remove the wildcard
Access-Control-Allow-Origin: * header.
Source: deep team-reviewer pass 2026-05-27
Severity: HIGH
Location:
lib/Controller/SettingsController.phplines 1237–1330 (streamProgress)Description:
The
streamProgressSSE endpoint is missing the user-null check present in its siblinggetProgress. It also setsAccess-Control-Allow-Origin: *, making it subscribable from any cross-origin page. Any unauthenticated or cross-origin request can subscribe to anyoperationIdand receive real-time progress updates for another user's import/sync operation.Scenario:
Suggested fix:
operationIdto the authenticated user so that cross-user subscriptions are rejected.Access-Control-Allow-Origin: *header.Source: deep team-reviewer pass 2026-05-27