## GitHub Security Alert: EditSelf Permission Exposes IDOR Vulnerability in User Management System
A critical security flaw has been disclosed in a user management system's `EditSelf` permission: any authenticated user holding that flag can read any person's record through an API endpoint. The vulnerability, tracked as GHSA-5w59-32c8-933v, stems from the API not enforcing the scoping the permission is meant to carry, namely that a user may act only on their own record and their family's. Because that restriction was never applied at the API layer, it could be bypassed by requesting another person's identifier from the endpoint directly, a classic Insecure Direct Object Reference (IDOR) with significant data exposure risk.

The current implementation is fundamentally broken. Users granted only the `EditSelf` flag are shown the full administrative interface on login, but most of its features return 403 Forbidden, so there is no working self-service portal. Behind that confusing experience is a deeper design flaw: a single `canEditPerson()` function is used as the gate for both viewing and editing, so a predicate that reads as an edit check silently decides read access too, and any weakness in that one check affects both operations. As an interim measure, Pull Request #8616 has been deployed to block users holding only `EditSelf` and redirect them to a family verification page instead.

The proposed redesign addresses both the security and the usability problems. The core of the plan is a dedicated self-service portal at a path such as `/self-service/` or `/my-family/`, which would be the only interface `EditSelf` users see. The portal must be scoped from the ground up: every API call it relies on should check that the target record belongs to the caller or the caller's family, so the UI and the API enforce the same rule and a request crafted outside the UI gains nothing. The plan also splits view and edit into distinct permission checks, removing the naming confusion around `canEditPerson()` and making similar access control failures harder to reintroduce.
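To make the scoping failure and its fix concrete, here is an added example written for this summary, not code from the advisory or the project it describes. It models the `EditSelf` permission over a constructed in-memory data set and shows the unscoped read handler (the IDOR) beside a scoped one that separates `canViewPerson` from `canEditPerson`; the data model, session shape, permission names, handler names and the choice to answer out-of-scope requests with 404 are all assumptions made here.

```javascript
// Added example, not the project's code: an in-memory model of the EditSelf
// scoping problem, with the unscoped ("before") read handler next to a scoped
// ("after") one. Data model, permission names, session shape and the
// 404-for-out-of-scope choice are all assumptions made for this illustration.

const PERMISSIONS = { ADMIN: 'Admin', EDIT_SELF: 'EditSelf' };

// Constructed sample data: three person records across two families.
const PEOPLE = new Map([
  [1, { id: 1, familyId: 10, name: 'Alice' }],
  [2, { id: 2, familyId: 10, name: 'Bob' }],
  [3, { id: 3, familyId: 20, name: 'Carol' }],
]);

// Constructed sessions: a login is bound to one person record plus flags.
const SESSIONS = {
  aliceEditSelf: { personId: 1, permissions: new Set([PERMISSIONS.EDIT_SELF]) },
  carolAdmin: { personId: 3, permissions: new Set([PERMISSIONS.ADMIN]) },
  bobNoFlags: { personId: 2, permissions: new Set() },
};

class HttpError extends Error {
  constructor(status) {
    super(`HTTP ${status}`);
    this.status = status;
  }
}

// BEFORE: the handler only asks whether the caller holds a flag that permits
// editing people. It never relates the flag to the requested id, so an
// EditSelf user can read every record by iterating ids (the IDOR).
function getPersonUnscoped(session, personId) {
  if (!session) throw new HttpError(401);
  const hasEditFlag =
    session.permissions.has(PERMISSIONS.ADMIN) ||
    session.permissions.has(PERMISSIONS.EDIT_SELF);
  if (!hasEditFlag) throw new HttpError(403);
  const person = PEOPLE.get(personId);
  if (!person) throw new HttpError(404);
  return person;
}

// Scope of an EditSelf session: the caller's own record and their family.
function inSelfScope(session, person) {
  const self = PEOPLE.get(session.personId);
  if (!self) return false;
  return person.id === self.id || person.familyId === self.familyId;
}

// AFTER: view and edit are separate predicates, and each is evaluated
// against the target record, not just the caller's flags. They agree today;
// keeping them apart lets a read-only grant be added later without touching
// the edit path, and stops an edit check from silently deciding reads.
function canViewPerson(session, person) {
  if (session.permissions.has(PERMISSIONS.ADMIN)) return true;
  return session.permissions.has(PERMISSIONS.EDIT_SELF) && inSelfScope(session, person);
}

function canEditPerson(session, person) {
  if (session.permissions.has(PERMISSIONS.ADMIN)) return true;
  return session.permissions.has(PERMISSIONS.EDIT_SELF) && inSelfScope(session, person);
}

// Scoped read handler. Out-of-scope and missing ids both yield 404 so the
// endpoint does not confirm which ids exist to a caller who may not see them.
function getPersonScoped(session, personId) {
  if (!session) throw new HttpError(401);
  const person = PEOPLE.get(personId);
  if (!person || !canViewPerson(session, person)) throw new HttpError(404);
  return person;
}

// Scoped update handler: the same lookup-then-authorize order, using the edit
// predicate. Only whitelisted fields are applied, so a client cannot move a
// record into another family by sending familyId in the body.
function updatePersonScoped(session, personId, changes) {
  if (!session) throw new HttpError(401);
  const person = PEOPLE.get(personId);
  if (!person || !canEditPerson(session, person)) throw new HttpError(404);
  if ('name' in changes) person.name = String(changes.name);
  return person;
}

// Helper so callers (and tests) can observe the HTTP status a handler would
// have produced instead of catching HttpError themselves.
function statusOf(fn) {
  try {
    fn();
    return 200;
  } catch (e) {
    if (e instanceof HttpError) return e.status;
    throw e;
  }
}

// Demo: Alice (EditSelf only) reads Carol's record, in another family, through
// the unscoped handler, and is refused by the scoped one.
console.log('unscoped:', getPersonUnscoped(SESSIONS.aliceEditSelf, 3).name);
console.log('scoped  :', statusOf(() => getPersonScoped(SESSIONS.aliceEditSelf, 3)));
```

Run it with `node` to watch the unscoped handler hand an `EditSelf` user a record from another family while the scoped handler answers 404. The property worth carrying into the real portal is that authorization is decided per target record after the lookup, not from the caller's flags alone, and that the read and edit decisions are separate functions even though they currently agree.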
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Security Vulnerability, IDOR, Access Control, API Security, GitHub Advisory
- **Credibility**: unverified
- **Published**: 2026-04-11 22:22:24
- **ID**: 60268
- **URL**: https://whisperx.ai/en/intel/60268