## Security Flaw in MosaicController: Bare Forbid() Leaks Data Existence to Anonymous Users
A critical data-enumeration vulnerability has been identified in the `MosaicController.SaveMosaic` method. At line 192 of `Controllers/MosaicController.cs` the method returns a bare `Forbid()` whenever an `UnauthorizedAccessException` is thrown, without first checking whether the caller is authenticated. Because the response differs from the one issued when the record does not exist, an anonymous caller can distinguish "data exists but is forbidden" (403 Forbidden) from "data does not exist" (404 Not Found) and probe for the existence of specific records without holding any credentials.

The vulnerability is the same class of issue previously reported in ticket #1092, which affected `AnalysisController` and `CompositeController`. While those instances are being fixed, this new finding in `MosaicController` shows the pattern is still being reintroduced. Notably, the same controller already uses the correct check on lines 103 and 262, returning `Forbid()` only for authenticated callers and `NotFound()` for anonymous ones. That inconsistency makes line 192 a clear outlier and a high-priority patch.

The recommended fix is to apply the same conditional logic used elsewhere in the class: check `User.Identity?.IsAuthenticated`, return `Forbid()` only when the caller is authenticated, and otherwise return `NotFound()`, optionally with a generic body such as "Data not found". The 404 returned on the forbidden path must be identical in status, body and headers to the 404 returned when the record genuinely does not exist; otherwise the two cases remain distinguishable and the leak survives. This fix aligns with the broader effort tracked in ticket #1071 to centralize access-control decisions so the check cannot be forgotten again in individual actions.
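The following is an added illustration of the flaw and its fix in ASP.NET Core, not code from the reported repository. The service interface, DTO, route and the exceptions the service throws are assumptions chosen to model the behaviour the issue describes; only the `Forbid()` / `NotFound()` decision mirrors the pattern on lines 103 and 262.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

// Assumed service contract (not the project's real type): throws
// UnauthorizedAccessException when the caller may not write the mosaic and
// KeyNotFoundException when no mosaic with that id exists.
public interface IMosaicService
{
    Task<MosaicDto> SaveAsync(Guid mosaicId, MosaicDto input, ClaimsPrincipal caller);
}

public sealed record MosaicDto(Guid Id, string Name);

// BEFORE: the shape of the flaw. A bare Forbid() is returned for every
// UnauthorizedAccessException, so an anonymous caller sees 403 for an existing
// id and 404 for a missing one and can enumerate ids without credentials.
[ApiController]
[Route("api/mosaics-vulnerable")]
public sealed class MosaicControllerBefore : ControllerBase
{
    private readonly IMosaicService _mosaics;
    public MosaicControllerBefore(IMosaicService mosaics) => _mosaics = mosaics;

    [HttpPut("{id:guid}")]
    public async Task<IActionResult> SaveMosaic(Guid id, [FromBody] MosaicDto input)
    {
        try
        {
            return Ok(await _mosaics.SaveAsync(id, input, User));
        }
        catch (KeyNotFoundException)
        {
            return NotFound(new { error = "Data not found" });
        }
        catch (UnauthorizedAccessException)
        {
            return Forbid(); // leaks existence to anonymous callers
        }
    }
}

// AFTER: authenticated callers get 403; anonymous callers get the same 404
// (same status and body) whether the mosaic exists or not.
[ApiController]
[Route("api/mosaics")]
public sealed class MosaicController : ControllerBase
{
    private readonly IMosaicService _mosaics;
    public MosaicController(IMosaicService mosaics) => _mosaics = mosaics;

    [HttpPut("{id:guid}")]
    public async Task<IActionResult> SaveMosaic(Guid id, [FromBody] MosaicDto input)
    {
        try
        {
            return Ok(await _mosaics.SaveAsync(id, input, User));
        }
        catch (KeyNotFoundException)
        {
            return DataNotFound();
        }
        catch (UnauthorizedAccessException)
        {
            return ForbidOrNotFound();
        }
    }

    // Single source of truth for the "not found" response so the forbidden
    // path and the genuinely-missing path cannot drift apart.
    private IActionResult DataNotFound() => NotFound(new { error = "Data not found" });

    // Candidate for the centralised helper: move this to a shared base
    // controller or an exception filter so every action gets it for free.
    private IActionResult ForbidOrNotFound() =>
        User.Identity?.IsAuthenticated == true ? Forbid() : DataNotFound();
}
```

To verify the fix, send the same anonymous PUT to a known-existing id and to a random GUID and confirm both responses are byte-for-byte identical (status, body and headers); then repeat as an authenticated user and confirm the existing id yields 403. A quick audit for further outliers is `grep -n "return Forbid()" Controllers/*.cs` and checking that each hit sits behind an `IsAuthenticated` test.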
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, data-leak, authentication, C#
- **Credibility**: unverified
- **Published**: 2026-04-13 17:22:54
- **ID**: 62362
- **URL**: https://whisperx.ai/en/intel/62362