PT-2026-33390 · Go · Github.Com/Authorizerdev/Authorizer

Published: 2026-04-06 · Updated: 2026-04-06

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Vulnerability Details

CWE: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
All 66+ CQL queries in internal/storage/db/cassandradb/ use fmt.Sprintf to interpolate user-controlled values directly into CQL query strings without parameterization.
Unauthenticated endpoints (signup, login, forgot password, magic link login) pass user input directly into CQL query strings.
Note: This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.

Affected Code Pattern

```go
// Before (VULNERABLE) - e.g. cassandradb/user.go
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = '%s'", table, email)
err := p.db.Query(query).Scan(...)
```

Steps to Reproduce

  1. Deploy Authorizer <= 2.0.0 with Cassandra backend
  2. Send a signup request with a CQL injection payload in the email field:

```bash
curl -X POST http://localhost:8080/graphql \
 -H 'Content-Type: application/json' \
 -d '{"query":"mutation { signup(params: { email: "test'" }) { message } }"}'
```

  3. The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information
  4. Crafted payloads can manipulate query logic to bypass authentication or extract data

Affected Files (10 Cassandra files)

Package       File                      Queries Fixed
cassandradb   user.go                   7
cassandradb   otp.go                    4
cassandradb   session_token.go          19
cassandradb   verification_requests.go  4
cassandradb   authenticator.go          3
cassandradb   email_template.go         5
cassandradb   webhook.go                5
cassandradb   webhook_log.go            2
cassandradb   session.go                1
cassandradb   env.go                    2

Impact

An unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot password, magic link login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.

Proposed Fix

Use parameterized queries:

```go
// After (FIXED)
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = ?", table)
err := p.db.Query(query, email).Scan(...)
```
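The following is an added example, not Authorizer's code, that puts the "before" and "after" patterns side by side without needing a Cassandra instance: it shows how the `test'` payload from the reproduction steps unbalances the interpolated query while the bound form stays intact, why the remaining `%s` for the table name is only safe when the name comes from a fixed allowlist (CQL cannot bind table names), and a simple source-level check for the `'%s'` pattern that can run in CI. The table names, the allowlist and all function names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Table names cannot be CQL bind parameters, so the %s for the table in the
// fixed pattern is only safe if the name comes from a fixed set like this one
// and never from request data. (Constructed names, not Authorizer's schema.)
var allowedTables = map[string]bool{"authorizer_users": true, "authorizer_otps": true}

// vulnerableQuery mirrors the "before" pattern: the email lands inside a CQL
// string literal, so a single quote in it changes the statement's structure.
func vulnerableQuery(table, email string) string {
	return fmt.Sprintf("SELECT id FROM %s WHERE email = '%s'", table, email)
}

// safeQuery mirrors the "after" pattern: the statement text plus the bound
// arguments, which is the shape gocql's Query(stmt, args...) expects.
func safeQuery(table, email string) (string, []interface{}, error) {
	if !allowedTables[table] {
		return "", nil, errors.New("table name not in allowlist")
	}
	return fmt.Sprintf("SELECT id FROM %s WHERE email = ?", table), []interface{}{email}, nil
}

// quotesBalanced is a cheap structural check: an odd count of single quotes
// means a value has escaped its literal, which is what the curl payload does.
func quotesBalanced(cql string) bool {
	return strings.Count(cql, "'")%2 == 0
}

// interpolatedLiteral matches Go source lines that Sprintf a %s into a quoted
// CQL literal, the pattern reported across the cassandradb package.
var interpolatedLiteral = regexp.MustCompile(`fmt\.Sprintf\(\s*"[^"]*'%s'`)

// flagVulnerableLines returns the 1-based line numbers of matching source lines.
func flagVulnerableLines(src string) []int {
	var hits []int
	for i, line := range strings.Split(src, "\n") {
		if interpolatedLiteral.MatchString(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}
```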

Fix

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related identifiers

GHSA-JFWG-RXF3-P7R9

Affected products

Github.Com/Authorizerdev/Authorizer