Security Advisory: Some users can execute selected operations beyond their authorizations

Last modified 05 Mar 2024 09:52 +01:00

Date: 27. 02. 2024

Severity: 8.2 (High)

Affected versions: All midPoint versions prior to 4.4.8, 4.7.4, 4.8.2

Fixed in versions: 4.4.8, 4.7.4, 4.8.2


Authorized REST users can inject false resource data into midPoint and invoke the import from resources without any further authorizations.

Severity and Impact

This is High Severity Issue.

  1. Invoke "notify change" operation. It allows them to provide false resource data to midPoint.

  2. Invoke "import from resource" operations. They allow them to start the import operations, either for a single shadow, or for the whole object class.

  3. Test the resource.


Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance releases.

In the meantime, they are advised to allow REST access only to trusted users.


As an additional security measure, the versions mentioned (4.4.8, 4.7.4, and 4.8.2) provide the ability to restrict REST users only to operations they are expected to invoke.

For example, if a user is expected to call only the "get object" operation via REST, now they can be given the specific authorization, instead of that was needed previously. See also Service Authorizations.

Was this page helpful?
Thanks for your feedback