Improper access control in Tolgee - CVE-2023-38510
Published: July 27, 2023 / Updated: June 2, 2026
Tolgee
Detailed vulnerability description
The vulnerability allows a remote user to modify data they have no access to.
The vulnerability exists due to improper access control in some backend endpoints when handling requests authenticated with an API key. A remote user can send requests using an API key to modify data they have no access to.
This issue affects endpoints where the backend does not verify the permission scopes associated with the API key.
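The gap described above, shown as an added example rather than Tolgee's own code: a handler that accepts any valid API key for the project, next to one that also checks the key's scopes. `ApiKey`, `require_scopes`, the handler names and the scope strings are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Authenticated, but the key is not allowed to perform the action."""


@dataclass(frozen=True)
class ApiKey:
    # Hypothetical model: a key is bound to one project and a set of scopes.
    project_id: int
    scopes: frozenset


# Constructed sample data: one project, one read-only key, one edit key.
TRANSLATIONS = {(1, "greeting"): "Hello"}
READ_ONLY_KEY = ApiKey(1, frozenset({"translations.view"}))
EDIT_KEY = ApiKey(1, frozenset({"translations.view", "translations.edit"}))


def require_scopes(*needed):
    """Reject the call unless the key carries every scope the endpoint needs."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(key, project_id, *args, **kwargs):
            if key.project_id != project_id:
                raise Forbidden("key belongs to another project")
            missing = set(needed) - key.scopes
            if missing:
                raise Forbidden(f"missing scopes: {sorted(missing)}")
            return handler(key, project_id, *args, **kwargs)
        return wrapper
    return decorator


def set_translation_unchecked(key, project_id, name, text, store):
    """Flawed pattern: a valid key for the project is treated as full access."""
    if key.project_id != project_id:
        raise Forbidden("key belongs to another project")
    store[(project_id, name)] = text


@require_scopes("translations.edit")
def set_translation(key, project_id, name, text, store):
    """Hardened: the write runs only after the scope check passes."""
    store[(project_id, name)] = text
```

Declaring the required scopes on each handler also makes an endpoint with no declaration easy to find in code review or with a test that walks the route table.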