6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-26hr-q2wp-rvc5

GHSA-26hr-q2wp-rvc5: User with permission to write actions can impersonate another user when auth token is configured in environment variable

Impact

When lakeFS is configured with ALL of the following:

Configuration option auth.encrypt.secret_key passed through environment variable
Actions enabled via configuration option actions.enabled (default enabled)

then a user who can configure an action can impersonate any other user.

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

ANY ONE of these is sufficient to prevent the issue:

Do not pass auth.encrypt.secret_key through an environment variable.

For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described here.
Disable actions.
Limit users allowed to configure actions.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-26hr-q2wp-rvc5

GHSA-26hr-q2wp-rvc5:

6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/treeverse/lakefs	go	< 1.3.1	1.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: (1) The secret key is exposed via environment variables, which are accessible in action execution contexts. (2) Token generation relies on this exposed secret. The functions loadSecretKeyFromEnv and GenerateAuthToken directly handle these insecure interactions. The first retrieves the secret from an insecure source (environment variable), and the second uses it to create tokens without adequate validation of caller context when processing user-controlled actions. The workaround to avoid environment variables for the secret key further supports this root cause analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.2

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-26hr-q2wp-rvc5: User with permission to write actions can impersonate another user when auth token is configured in environment variable

Impact

Patches

Workarounds

GHSA-26hr-q2wp-rvc5:

6.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

6.2

6.2

Technical Details

GHSA-26hr-q2wp-rvc5: User with permission to write actions can impersonate another user when auth token is configured in environment variable

Impact

Patches

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI