Security Advisory: Hidden panels on detail page are accessible by URL

Last modified 27 Feb 2024 18:19 +01:00

Date: 27. 02. 2024

Severity: 6.4 (Medium)

Affected versions: All midPoint versions from 4.7 prior to 4.7.4, 4.8.2

Fixed in versions: 4.7.4, 4.8.2


Panels that contain a configuration for visibility as 'hidden' are not displayed in the menu, but they can be displayed by changing the identifier in the 'panelId' URL parameter.

Severity and Impact

This is Medium Severity Issue.

MidPoint contains a configuration for the visibility of the panel as 'hidden' (for example, a panel for organization assignments with the identifier 'orgAssignments').

Users with GUI authorization for the details page (for example, and model authorizations for the objects displayed in the hidden panel (for example, read/write for the OrgType) can do the following:

The user opens a details page with panels (for example, a profile page) and changes the 'panelId' parameter in the URL to the hidden panel identifier (for example, 'orgAssignments'). The content of the hidden panel is displayed.


Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance releases.

In the meantime, users are advised to limit model authorizations to only necessary objects and object items.

Was this page helpful?
Thanks for your feedback