## Shesha Framework Exposes Critical Privilege Escalation Flaw: Any Authenticated User Can Rewrite Security Policies
A severe authorization flaw in the Shesha application framework grants any authenticated user, including accounts with minimal privileges, the ability to view and modify every endpoint security policy. The vulnerability resides in `PermissionedObjectAppService`, the core API that manages endpoint permissions. The service is gated only by an `AnyAuthenticated` access requirement, which checks that the caller is logged in but not that the caller holds any particular permission or role. This misconfiguration effectively hands administrative control of the application's security model to any logged-in user.

The critical file is `shesha-core/src/Shesha.Application/Permissions/PermissionedObjectAppService.cs`. At line 13, the service class is decorated with `[SheshaAuthorize(Domain.Enums.RefListPermissionedAccess.AnyAuthenticated)]`, an attribute that requires only that the caller be authenticated and enforces no permission or role check. Because the attribute is applied at class level, it covers every action on the service: all standard CRUD operations inherited from `SheshaCrudServiceBase`, as well as the custom permission-management methods `GetApiPermissionsAsync` and `SetApiPermissionsAsync`, are reachable by every authenticated account.

The impact is a direct and complete privilege escalation path. An attacker with a standard user account can call these exposed endpoints to reconfigure the permissions on any API endpoint: granting themselves or others administrative rights, disabling security controls, or enumerating the full endpoint-permission configuration. This flaw is a foundational breakdown in the authorization layer, and it puts the entire application's security posture at immediate risk. The appropriate mitigation is to gate this service behind a dedicated administrative permission rather than mere authentication, and to audit other application services for the same class-level `AnyAuthenticated` pattern on security-sensitive surface.
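The following scanner is an added example, not code from the Shesha project or from the original report. It implements the audit a reviewer would run after this finding: locate C# application-service classes decorated with `[SheshaAuthorize(...AnyAuthenticated)]` and flag the ones that expose security-sensitive surface, either by inheriting CRUD endpoints from a `*CrudServiceBase` class or by declaring methods that mutate permissions, roles, or policies. The three C# samples embedded below are constructed for this example and modelled on the page's description; the generic type arguments, the `_policyStore` field, the `[AbpAuthorize("Shesha.Permissions.Manage")]` remediation and its permission name are hypothetical placeholders, and the method-name heuristic is the example's own, not a Shesha rule.

```python
"""Audit C# source for app services that any authenticated user can reach
but which expose permission-management or CRUD surface.

Added example; the samples below are constructed and are not Shesha code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# [SheshaAuthorize(RefListPermissionedAccess.AnyAuthenticated)], with or
# without the Domain.Enums. namespace prefix seen on the page.
ANY_AUTHENTICATED = re.compile(
    r"\[SheshaAuthorize\(\s*(?:[\w.]+\.)?AnyAuthenticated\s*\)\]")
# Non-generic class declarations with an optional base list.
CLASS_DECL = re.compile(
    r"\b(?:public|internal)\s+(?:(?:static|partial|abstract|sealed)\s+)*"
    r"class\s+(\w+)\s*(?::\s*([^{]+))?\{")
# Public method declarations: modifiers, return type, name, "(".
METHOD_DECL = re.compile(
    r"\bpublic\s+(?:(?:virtual|async|override|static)\s+)*"
    r"[\w<>\[\],.\s]+?\s+(\w+)\s*\(")
# Heuristic (this example's own): mutating verb + security-policy noun.
MUTATES_POLICY = re.compile(
    r"^(?:Set|Update|Create|Delete|Remove|Grant|Revoke|Assign)\w*?"
    r"(?:Permission|Role|Policy|Access)", re.I)
# Base classes that contribute inherited CRUD endpoints, e.g. SheshaCrudServiceBase.
CRUD_BASE = re.compile(r"\w*Crud\w*Service\w*")


@dataclass
class Finding:
    class_name: str
    reasons: list[str] = field(default_factory=list)


def _attributes_before(src: str, pos: int) -> str:
    """Trailing run of attribute, blank and comment lines just before a class."""
    kept = []
    for line in reversed(src[:pos].splitlines()):
        s = line.strip()
        if s == "" or s.startswith("[") or s.startswith("//"):
            kept.append(s)
        else:
            break
    return "\n".join(reversed(kept))


def _class_body(src: str, open_brace: int) -> str:
    """Text between the class's opening brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]


def audit(src: str) -> list[Finding]:
    """Return one Finding per AnyAuthenticated class with sensitive surface."""
    findings: list[Finding] = []
    for m in CLASS_DECL.finditer(src):
        name, bases = m.group(1), (m.group(2) or "")
        # Classes that demand a named permission (or no Shesha attribute) pass.
        if not ANY_AUTHENTICATED.search(_attributes_before(src, m.start())):
            continue
        reasons = []
        if CRUD_BASE.search(bases):
            reasons.append(f"inherits CRUD endpoints from {bases.strip()}")
        body = _class_body(src, m.end() - 1)
        for mm in METHOD_DECL.finditer(body):
            if MUTATES_POLICY.match(mm.group(1)):
                reasons.append(f"exposes policy-mutating method {mm.group(1)}")
        if reasons:
            findings.append(Finding(name, reasons))
    return findings


def flagged_classes(src: str) -> set[str]:
    return {f.class_name for f in audit(src)}


# --- constructed samples (hypothetical; modelled on the page, not Shesha) ---
VULNERABLE = """
[SheshaAuthorize(Domain.Enums.RefListPermissionedAccess.AnyAuthenticated)]
public class PermissionedObjectAppService
    : SheshaCrudServiceBase<PermissionedObject, PermissionedObjectDto, Guid>
{
    public async Task<List<ApiEndpointDto>> GetApiPermissionsAsync()
    {
        return await _policyStore.ListAsync();
    }

    public async Task SetApiPermissionsAsync(SetApiPermissionsInput input)
    {
        await _policyStore.ReplaceAsync(input.Endpoint, input.Permissions);
    }
}
"""

HARDENED = """
// Hypothetical fix: require a dedicated permission, not mere authentication.
[AbpAuthorize("Shesha.Permissions.Manage")]
public class PermissionedObjectAppService
    : SheshaCrudServiceBase<PermissionedObject, PermissionedObjectDto, Guid>
{
    public async Task SetApiPermissionsAsync(SetApiPermissionsInput input)
    {
        await _policyStore.ReplaceAsync(input.Endpoint, input.Permissions);
    }
}
"""

BENIGN = """
[SheshaAuthorize(RefListPermissionedAccess.AnyAuthenticated)]
public class MyProfileAppService : ApplicationService
{
    public async Task<UserProfileDto> GetAsync()
    {
        return await _profiles.GetAsync(AbpSession.UserId);
    }
}
"""

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE),
                          ("hardened", HARDENED), ("benign", BENIGN)):
        for f in audit(sample):
            print(f"[{label}] {f.class_name}: " + "; ".join(f.reasons))
```

Run it over a checkout with `audit(open(path).read())` per `.cs` file. The read-only `GetApiPermissionsAsync` is deliberately not a reason on its own, so the scanner reports the class because of its inherited CRUD surface and `SetApiPermissionsAsync`; a profile service that is `AnyAuthenticated` but only reads the caller's own data is left alone.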
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, authorization, privilege-escalation, api
- **Credibility**: unverified
- **Published**: 2026-03-26 09:27:13
- **ID**: 35064
- **URL**: https://whisperx.ai/en/intel/35064