A bug bounty hunter discovered a high-severity business logic vulnerability in a self-hosted program where a Moderator role could permanently delete an entire organizational group — an action restricted to Admins and Owners. The flaw stemmed from two subdomains (account.redacted.com and todo.redacted.com) sharing the same database without consistent authorization enforcement. While the account subdomain correctly restricted the delete action, the todo subdomain exposed a functional Delete Group button to Moderators with no server-side validation. Clicking it triggered a cascade deletion that wiped the group from both subdomains. The finding required no advanced tools — just subdomain enumeration, careful reading of developer documentation, and curiosity about cross-subdomain data synchronization.
Nguồn: https://infosecwriteups.com/how-i-found-a-data-deletion-bypass-via-subdomain-synchronization-7f5a43079983. 8sync News chỉ tóm tắt và dẫn link; bản quyền nội dung thuộc tác giả và nguồn gốc.
A security researcher discovered a mass assignment vulnerability in a platform's profile update API that allowed users to overwrite sensitive identity fields (legal name, date of birth, government ID number) while retaining their eKYC-verified status. The backend accepted extra fields beyond the intended phone number update, enabling 'identity drift' — rewriting a verified account's identity without re-verification. This was further escalated into an insurance/benefit record takeover by manipulating the date of birth field used in the platform's policy-linking matching logic. The writeup explains the full attack chain, why self-profile bugs can have high impact, and recommends server-side field allowlisting with trust-level separation as the fix.

GitLab released patch versions 19.1.1, 19.0.3, and 18.11.6 for CE and EE on June 24, 2026. The release addresses 13 CVEs including two high-severity XSS vulnerabilities (CVSS 8.7 and 8.0) in the Analytics Dashboard and Web IDE, an information disclosure issue in Duo Workflows (CVSS 7.7), and multiple authorization bypass and access control issues across CI/CD, DAST, Maven Package Registry, and other components. Self-managed GitLab installations are strongly urged to upgrade immediately. The patch also includes bug fixes across all three versions and includes database migrations that may cause downtime on single-node instances.
jCasbin is the Java port of the Apache Casbin authorization library, enabling flexible access control in Java applications. The tutorial covers setting up the Enforcer with model configuration files and policy data (via files, JDBC, Hibernate, MongoDB adapters), enforcing permissions using ACL and RBAC models, configuring super users, nesting roles in hierarchies, and using the management API to query and modify subjects, objects, actions, and roles at runtime.
A step-by-step guide to extending Spring Authorization Server to support dynamic OAuth 2.0 scopes — scopes not known in advance by the authorization server. Covers when dynamic scopes are useful (e.g., single-operation tokens for transfers or sensitive updates), and walks through the required customizations: scope validation logic via a custom AuthenticationValidator, consent validation using a Predicate, a custom consent page with Thymeleaf, and end-to-end integration testing with WebEnvironment.RANDOM_PORT and RestTestClient. Code separates Spring-specific adapter code from business logic via a DynamicScopeService.
Atlassian tích hợp cơ chế ủy quyền doanh nghiệp cho Rovo MCP thông qua XAA và ID-JAG, cho phép quản trị viên doanh nghiệp ủy quyền tập trung cho client MCP (như Claude) mà không cần người dùng xác nhận OAuth riêng lẻ. Hệ thống hoạt động bằng cách IdP doanh nghiệp phát hành ID-JAG assertion đã ký, sau đó Atlassian OAuth xác thực và đổi lấy token truy cập native, giải quyết thách thức về xác thực, nhận diện người dùng cross-domain và quản lý chính sách. Tính năng này đang trong giai đoạn beta riêng tư và mở rộng triển vọng cho các sản phẩm AI agent vượt qua ranh giới tin cậy ở quy mô lớn.
Lập trình viên phát triển ứng dụng AI hoặc tích hợp hệ thống cần hiểu cách triển khai các cơ chế xác thực và ủy quyền enterprise để xây dựng giải pháp an toàn, hiệu quả khi kết nối với các dịch vụ bên ngoài mà không cần yêu cầu đồng ý OAuth mỗi lần sử dụng.
AI agents require more robust auth infrastructure than traditional microservices because they act on behalf of users. Using a lawyer-in-court analogy, the post explains the key components of agent auth: agent identity (who the agent is), principal identity (who the agent represents), delegation tokens like On-Behalf-Of (OBO) tokens, and policy enforcement scoped to specific actions. An AI-native gateway can centralize these concerns — identity propagation, delegation verification, policy enforcement, and auditing — so agents can focus on business logic. Technologies like SPIFFE, cert-manager, Istio, and agentgateway are cited as building blocks for such a platform.
Enterprise AI agent frameworks excel at coordinating tasks but lack built-in governance for production environments. A missing orchestration layer is needed to evaluate every agent action against policies covering data locality, model approval, authorization chains, and audit requirements. Drawing an analogy to Kubernetes, this layer would sit between agent logic and execution, using ontology-aware policy evaluation to reason over entity relationships (datasets, models, regulations, environments) rather than simple ACLs. Decision provenance — traceable records of what ran, under what authorization, and with what effect — is framed as a first-class requirement, especially given the EU AI Act's Article 12/17 mandates. Without this layer, Gartner predicts over 40% of agentic AI projects will be canceled by 2027 due to inadequate risk controls.