PT-2025-45466 · Onlook

Published: 2025-11-07 · Updated: 2026-02-05 · CVE-2025-63783

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Onlook web application version 0.2.32
Description: A Broken Object Level Authorization (BOLA) issue exists in the tRPC project mutation procedures of the Onlook web application (update, delete, add tag, remove tag). These procedures take a project ID from the request but do not verify that the authenticated user owns, or is a member of, that project. An authenticated attacker can therefore supply another user's project ID and rename, delete, or change the tags of a project they have no access to, affecting the integrity and availability of other users' data. The missing check is server-side: the project ID is a client-controlled value and must be resolved through the caller's own ownership or membership before any mutation is applied.
Recommendations: Update to a newer version that contains a fix for this vulnerability. When verifying the fix, or reviewing similar code, confirm that every project mutation procedure resolves the project through the authenticated caller's ownership or membership before modifying it, instead of trusting the project ID in the request; an authorization check performed only in the client does not close this issue.
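The following is an added example written for this page, not code from Onlook's repository. It models a tRPC-style project mutation in TypeScript: first in the vulnerable shape the description gives (the resolver trusts the projectId in the request), then with the project resolved through the caller's membership before any of the four mutations (update, delete, add tag, remove tag) touches it. The in-memory Store, the NotFoundError stand-in for a TRPCError, the function names and the sample users and projects are all assumptions made for the example.

```typescript
// Added example for this advisory, not Onlook's own code. It models a
// tRPC-style mutation resolver twice: first with the BOLA the advisory
// describes (the handler trusts the client-supplied projectId), then with
// the ownership/membership check in place. Store, names and sample data are
// constructed for the example.

type Project = { id: string; name: string; tags: Set<string> };
type Membership = { userId: string; projectId: string };

// In tRPC the server builds ctx from the session; input comes from the client.
// Only ctx.userId can be trusted as the caller's identity.
type Ctx = { userId: string };

// Stand-in for TRPCError({ code: "NOT_FOUND" }). Non-members get the same
// answer as a missing project, so a guessed id does not reveal whether it exists.
class NotFoundError extends Error {
  constructor() {
    super("NOT_FOUND");
    this.name = "NotFoundError";
  }
}

class Store {
  projects = new Map<string, Project>();
  memberships: Membership[] = [];

  addProject(id: string, ownerId: string, name: string): void {
    this.projects.set(id, { id, name, tags: new Set<string>() });
    this.memberships.push({ userId: ownerId, projectId: id });
  }

  isMember(userId: string, projectId: string): boolean {
    return this.memberships.some(
      (m) => m.userId === userId && m.projectId === projectId,
    );
  }
}

// Constructed sample data: alice owns p1, bob owns p2.
function makeSampleStore(): Store {
  const store = new Store();
  store.addProject("p1", "alice", "alice-site");
  store.addProject("p2", "bob", "bob-site");
  return store;
}

// VULNERABLE shape (what the advisory describes): the project is looked up by
// the id in the request and mutated without asking who ctx.userId is.
function updateProjectUnchecked(
  store: Store,
  _ctx: Ctx,
  input: { projectId: string; name: string },
): Project {
  const project = store.projects.get(input.projectId);
  if (!project) throw new NotFoundError();
  project.name = input.name; // any authenticated user can rename any project
  return project;
}

// HARDENED shape: every mutation resolves the project through the caller's
// membership first. In tRPC this belongs in a middleware or as the first
// line of each protected mutation procedure.
function requireProject(store: Store, ctx: Ctx, projectId: string): Project {
  const project = store.projects.get(projectId);
  if (!project || !store.isMember(ctx.userId, projectId)) {
    throw new NotFoundError();
  }
  return project;
}

function updateProject(store: Store, ctx: Ctx, input: { projectId: string; name: string }): Project {
  const project = requireProject(store, ctx, input.projectId);
  project.name = input.name;
  return project;
}

function deleteProject(store: Store, ctx: Ctx, input: { projectId: string }): boolean {
  requireProject(store, ctx, input.projectId);
  store.memberships = store.memberships.filter((m) => m.projectId !== input.projectId);
  return store.projects.delete(input.projectId);
}

function addTag(store: Store, ctx: Ctx, input: { projectId: string; tag: string }): string[] {
  const project = requireProject(store, ctx, input.projectId);
  project.tags.add(input.tag);
  return Array.from(project.tags).sort();
}

function removeTag(store: Store, ctx: Ctx, input: { projectId: string; tag: string }): string[] {
  const project = requireProject(store, ctx, input.projectId);
  project.tags.delete(input.tag);
  return Array.from(project.tags).sort();
}

// True when a mutation was refused with NOT_FOUND (the hardened handlers'
// answer to both non-members and unknown ids).
function isRefused(fn: () => unknown): boolean {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof Error && e.message === "NOT_FOUND";
  }
}
```

The point of the hardened shape is that the authorization decision depends only on server-side state (the session-derived ctx.userId and the membership table), never on anything the client sends; the projectId is used purely as a lookup key after the caller's right to it has been established.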

Related Identifiers: CVE-2025-63783

Affected Products: Onlook