[changebeacon] Dashboard endpoints lack authentication #38

New issue

Closed

opened 2026-03-03 03:06:49 +00:00 by ash · 0 comments

ash commented 2026-03-03 03:06:49 +00:00

Owner

Copy link

Security Concern

Dashboard mutation endpoints (DashboardCreateEntry, DashboardUpdateEntry, DashboardDeleteEntry) do not check API keys or session auth.

Anyone who can reach the dashboard can create/update/delete changelog entries.

Severity: HIGH.

Fix

Add authentication middleware to all dashboard mutation routes.

Found by Red Team Audit 2026-03-03.

## Security Concern Dashboard mutation endpoints (`DashboardCreateEntry`, `DashboardUpdateEntry`, `DashboardDeleteEntry`) do not check API keys or session auth. Anyone who can reach the dashboard can create/update/delete changelog entries. Severity: HIGH. ### Fix Add authentication middleware to all dashboard mutation routes. Found by Red Team Audit 2026-03-03.

ash referenced this issue from a commit 2026-03-26 16:07:20 +00:00

fix: add auth to dashboard mutations and org-level tenant isolation

ash closed this issue 2026-03-26 16:38:25 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels   

✅ validated

Validated — worth building

  

❌ killed

Abandoned — documented why

  

💡 idea

Raw idea, needs research

  

💰 needs-budget

Needs money to proceed

  

🔍 researching

Actively researching viability

  

🔨 building

Currently being built

  

🚀 shipped

Live and generating revenue

No labels

✅ validated

❌ killed

💡 idea

💰 needs-budget

🔍 researching

🔨 building

🚀 shipped

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ash/ideas#38

No description provided.