The oidc-binding PUT/DELETE endpoints allowed any account.create holder (non-admin role 'account-manager') to bind an attacker-controlled OIDC identity to the admin account (or unbind admin, reopening the OIDC-only bootstrap window) — full admin takeover.

Non-admin callers may now only manage bindings of non-privileged accounts: requests targeting an is_admin user, the built-in acc-mgr/deleted-user, or any holder of account.create / user.reset-apikey are rejected with 403. Global admins remain unrestricted, so the intended "account-manager binds normal users" capability is preserved.

Found by post-feature security audit. Verified locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>