Security advisory: IBEXA-SA-2024-001

Taxonomy Tree Controller fails to check permissions
Publication date:
05/02/2024, 14:05


Affected versions: Ibexa DXP v4.5.* (ibexa/taxonomy)
Resolving versions: Ibexa DXP v4.5.5 (ibexa/taxonomy)

The Taxonomy tree controller fails to apply permission checks in one case. This means someone who already has backend access but no access to taxonomy tags, can still see taxonomy tags and identifiers by crafting a manual request. Installations that use taxonomy tags and have backend users without taxonomy access may be affected.

This vulnerability was reported to us by Matthias Schmidt from adesso SE at
We thank them for their research, and responsibly disclosing the issue to us.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories