Security Advisory: Less privileged user able to execute custom Groovy scripts via Bulk Tasks

Last modified 09 Feb 2024 14:12 +01:00

Date: 20. 9. 2023

Severity: High (CVSS 8.5)

Affected versions: all midPoint versions

Fixed in versions: 4.4.6, 4.8, 4.7.2


Non-admin users which are authorized to execute bulk actions (using model-3#executeScript authorization) are able to execute arbitrary Groovy code, if they have authorization to submit custom bulk actions using rest (authorization rest#all) or have access to Bulk Actions page (authorization ui-3#pageBulkAction).

Authorization model-3#executeScript sounds like it should allow Groovy script execution, but was intended only to enable access to bulk actions.

Severity and Impact

This is high-severity issue.

The affected feature is not enabled by default to end-users. MidPoint deployment is only affected if non-administrator users have authorization for: #executeScript and rest#all or #executeScript and ui-3#pageBulkAction.


  • Update to latest maintenance midPoint release which contains fix.

  • Remove authorizations for rest#all or ui-3#pageBulkAction for those users, which have model-3#executeScript authorization.

Was this page helpful?
Thanks for your feedback