Improper Access Control - Generic (CWE-284)CVSS 2.5Easy

Easy way to create a new Deck board without permission

hackerone-reports

March 5, 2026

9 views

Save

€94

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/2388183 by hakuna

Summary:

Admins can decide which groups are allowed to create boards. But a user who is part of an unauthorized group can easily create a new board by cloning an existing one and renaming it.

Steps To Reproduce:

As an admin, create user1, group1 and group2, then assign group1 to user1
In "Decks" app > "Deck settings", add group2 to the "Limit board creation to some groups" input. It is indicated that

Users outside of those groups will not be able to create their own boards, but will still be able to work on boards that have been shared with them.

As user1, in "Decks" app, see that the button "+ Add board" is not displayed, which is expected. Sending the request directly will also fail with a 403 error and a message ""Creating boards has been disabled for your account.".
Now click on the "Personal" board options, and choose "Clone board". A copy of the board will be created. You can rename it, and you just created a new board with all "classic" options available. You could also directly send the request POST /nextcloud/apps/deck/boards/board_number/clone.

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

pyus3r

Improper Access Control on www.target.example through /services/formcampaign via header "option" leads to unauthenticated read/write on the production marketing-campaign database

An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database via a single option request header. The only access control is a Referer string check that any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.

Read Writeup →

hackerone-reports

POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops

Read Writeup →

gpk21

LogicalBreach Academy