IBM · LoopBack · CVE-2018-1778
**Name of the Vulnerable Software and Affected Versions**
IBM LoopBack versions 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4
**Description**
The vulnerability allows an attacker to bypass authentication if the AccessToken Model is exposed over a REST API. An attacker who knows a user's `userId` can create an AccessToken for that user and thereby gain access to the user's data or privileges, including administrative privileges if the targeted user is an admin.
**Recommendations**
For versions 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4, restrict access to the AccessToken Model over the REST API to prevent unauthorized access. As a temporary workaround, consider disabling the exposure of the AccessToken Model over the REST API until a fix is available. Until the issue is resolved, avoid using the `userId` in the affected API endpoint.
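The following is an added defensive check, not code from this advisory and not part of IBM's or the LoopBack project's code. It audits a LoopBack 3 style `server/model-config.json` for the weak setting the advisory describes (the `AccessToken` model, or any custom model that inherits from it, exposed over REST) and produces a corrected copy with `public: false`. It assumes the LoopBack 3 convention that a missing `public` flag means the model is exposed; the model-config and model-definition objects below are constructed sample data, and `MyToken` and `Product` are hypothetical model names.

```javascript
// Constructed sample of server/model-config.json. AccessToken is deliberately set
// public (the weak setting); MyToken omits `public`, which LoopBack treats as true.
const sampleModelConfig = {
  _meta: { sources: ['loopback/common/models', '../common/models'] },
  User: { dataSource: 'db', public: true },
  AccessToken: { dataSource: 'db', public: true }, // weak: token creation reachable over REST
  ACL: { dataSource: 'db', public: false },
  Role: { dataSource: 'db', public: false },
  RoleMapping: { dataSource: 'db', public: false },
  MyToken: { dataSource: 'db' },                   // `public` omitted, so exposed by default
  Product: { dataSource: 'db', public: true },     // unrelated model, must stay untouched
};

// Constructed model definitions (common/models/*.json), keyed by model name, so that
// inheritance from AccessToken via `base` can be resolved. Hypothetical names.
const sampleModelDefinitions = {
  MyToken: { name: 'MyToken', base: 'AccessToken' },
  Product: { name: 'Product', base: 'PersistedModel' },
};

// True if `name` is AccessToken itself or inherits from it through its `base` chain.
function derivesFromAccessToken(name, definitions, seen = new Set()) {
  if (name === 'AccessToken') return true;
  if (seen.has(name)) return false; // guard against a cyclic `base` chain
  seen.add(name);
  const def = definitions[name];
  if (!def || !def.base) return false;
  return derivesFromAccessToken(def.base, definitions, seen);
}

// Names of token models that this model-config exposes over REST.
// Only an explicit `public: false` hides a model; anything else counts as exposed.
function findExposedTokenModels(modelConfig, definitions = {}) {
  return Object.keys(modelConfig)
    .filter((name) => name !== '_meta')
    .filter((name) => modelConfig[name].public !== false)
    .filter((name) => derivesFromAccessToken(name, definitions));
}

// Corrected copy of the config: every exposed token model gets `public: false`.
// The input object is left unchanged so the before/after can be compared.
function hardenModelConfig(modelConfig, definitions = {}) {
  const fixed = JSON.parse(JSON.stringify(modelConfig));
  for (const name of findExposedTokenModels(modelConfig, definitions)) {
    fixed[name].public = false;
  }
  return fixed;
}

console.log(
  'Token models exposed over REST:',
  findExposedTokenModels(sampleModelConfig, sampleModelDefinitions),
);
console.log(JSON.stringify(hardenModelConfig(sampleModelConfig, sampleModelDefinitions), null, 2));
```

Running the script against the sample reports `AccessToken` and `MyToken` as exposed and prints the corrected config with both set to `public: false`, leaving the other models as they were. In a real deployment the same check can be run in a pre-deploy step by loading the project's actual `model-config.json` and model definition files instead of the constructed objects.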