Security advisory: IBEXA-SA-2021-008

GraphQL authentication doesn't respect security config
Publication date:
26/10/2021, 07:40


Affected versions: v2.3.*
Resolving versions: v2.3.3.1

This Security Advisory is about a vulnerability in GraphQL authentication. GraphQL allows you to configure alternative user checkers (login handlers), but these are not recognized on login, the standard handler is always used. This means that for example login by email will not work, even if the handler for this is enabled. It also means that login by username will work, even if this is disabled. This constitutes a risk when this behaviour is unexpected and unwanted. The fix ensures that the configured user checker is used.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories