PT-2025-45728 · Go · github.com/treeverse/lakefs

Published

2025-11-03

·

Updated

2025-11-03

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Impact

Missing authentication on the /api/v1/usage-report/summary endpoint lets any unauthenticated remote client retrieve aggregate API usage counts. No sensitive data is disclosed, but the counts can reveal how actively the service is used and for how long it has been running.

Patches

Upgrade to >v1.70.1

Workarounds

Any ONE of these is sufficient to close the exposure:
  • Disable usage reporting by setting the configuration option usage_report.enabled (or the environment variable LAKEFS_USAGE_REPORT_ENABLED) to false.
  • Block the request route /api/v1/usage-report/summary at a load balancer or application-level firewall in front of lakeFS.
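The following check is an added example and is not lakeFS code or part of this advisory. It requests the summary route with no credentials and reports whether the server answers 200, which is the condition the advisory describes; a 401/403 from a patched instance, or a 404/403 from a load balancer that blocks the route, means the exposure is closed. The two httptest servers, their JSON body and the LAKEFS_URL environment variable are constructed for the demo and are assumptions, not lakeFS behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// usageReportPath is the route named in the advisory.
const usageReportPath = "/api/v1/usage-report/summary"

// CheckUsageReportExposed sends an unauthenticated GET to the usage-report
// summary route and reports whether the server served it (HTTP 200).
// A fixed instance, or one whose front-end blocks the route, must not return 200.
func CheckUsageReportExposed(baseURL string) (exposed bool, status int, err error) {
	client := &http.Client{Timeout: 10 * time.Second}
	req, err := http.NewRequest(http.MethodGet, baseURL+usageReportPath, nil)
	if err != nil {
		return false, 0, err
	}
	// Deliberately no Authorization header, cookie or basic-auth credentials.
	resp, err := client.Do(req)
	if err != nil {
		return false, 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, resp.StatusCode, nil
}

// newDemoServer is a constructed stand-in for a lakeFS API (not lakeFS code).
// requireAuth=false serves the summary to anyone, mirroring the advisory;
// requireAuth=true rejects requests without an Authorization header, the
// behaviour a patched server must show. The JSON body is made up for the demo.
func newDemoServer(requireAuth bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(usageReportPath, func(w http.ResponseWriter, r *http.Request) {
		if requireAuth && r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"usage":[{"year":2025,"month":11,"count":42}]}`)
	})
	return httptest.NewServer(mux)
}

func main() {
	// LAKEFS_URL is an assumed variable for pointing the check at a real instance,
	// e.g. http://localhost:8000. Without it, the check runs against the demo servers.
	if target := os.Getenv("LAKEFS_URL"); target != "" {
		exposed, status, err := CheckUsageReportExposed(target)
		if err != nil {
			fmt.Println("request failed:", err)
			os.Exit(2)
		}
		if exposed {
			fmt.Printf("%s: summary served without authentication (status %d): exposed\n", target, status)
			os.Exit(1)
		}
		fmt.Printf("%s: route not served unauthenticated (status %d): closed\n", target, status)
		return
	}
	for _, requireAuth := range []bool{false, true} {
		srv := newDemoServer(requireAuth)
		exposed, status, err := CheckUsageReportExposed(srv.URL)
		srv.Close()
		if err != nil {
			fmt.Println("request failed:", err)
			continue
		}
		fmt.Printf("requireAuth=%v -> status %d, exposed=%v\n", requireAuth, status, exposed)
	}
}
```

Run it with LAKEFS_URL set to the base URL of the instance under test before and after applying the patch or one of the workarounds; an exit status of 1 means the route is still served without credentials.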

Fix

Weakness Enumeration

Missing Authorization

Information Disclosure

Related Identifiers

GHSA-h238-5mwf-8xw8

Affected Products

github.com/treeverse/lakefs