In the test environment, it was confirmed that an authenticated regular user can specify another user’s cipher_id and call:
PUT /api/ciphers/{id}/partial
Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.).
put_cipher_partial retrieves the target Cipher but does not perform ownership or access control checks before returning to_json.
Authorization checks present in the normal update API are missing here.
src/api/core/ciphers.rs:717
let Some(cipher) = Cipher::find_by_uuid(&cipher_id, &conn).await else {
err!("Cipher doesn't exist")
};
if let Some(ref folder_id) = data.folder_id {
if Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, &conn).await.is_none() {
err!("Invalid folder", "Folder does not exist or belongs to another user");
}
}
// Move cipher
cipher.move_to_folder(data.folder_id.clone(), &headers.user.uuid, &conn).await?;
// Update favorite
cipher.set_favorite(Some(data.favorite), &headers.user.uuid, &conn).await?;
Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, None, CipherSyncType::User, &conn).await?))
By comparison, the standard update API includes an explicit authorization check: src/api/core/ciphers.rs:688
if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn).await {
err!("Cipher is not write accessible")
}
The to_json method does not abort processing when access restrictions are not met; instead, it proceeds to construct and return a detailed response.
src/db/models/cipher.rs:175
let (read_only, hide_passwords, _) = if sync_type == CipherSyncType::User {
match self.get_access_restrictions(user_uuid, cipher_sync_data, conn).await {
Some((ro, hp, mn)) => (ro, hp, mn),
None => {
error!("Cipher ownership assertion...
1.35.4Exploitability
AV:NAC:LPR:LUI:NScope
S:UImpact
C:LI:LA:N5.4/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N