PT-2026-36630 · Npm · @Saltcorn/Data
Published 2026-04-22 · Updated 2026-04-22
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
When a tenant admin is logged out of the root domain (e.g., saltcorn.com) but logged in to their own tenant space as admin, they can simply append /tenant/create to their tenant URL. The system reads the role from the tenant context (admin), and a new tenant is created on the root domain (in PUBLIC SCHEMA > sc tenants) rather than in the tenant's own sc tenants table. If the same logic applies to other routes, a tenant admin effectively gains admin rights on the root domain.
PoC
A tenant-created subtenant appears under the Saltcorn public schema instead of the tenant's own schema.
- Even when `role id=1` is required for tenant creation on saltcorn.com (only admin can create tenants), existing tenant admins can still create new tenants because their local `role id:1` is evaluated against the root domain.
- Even when `role to create tenant` is set to `0` in the tenant's `sc config` schema, or removed entirely, the tenant admin can still create sub-tenants on the root domain, suggesting `role to create tenant` is not being read at all.
Impact
Tenant admins gain unauthorized admin-level access to the root domain. Any authenticated tenant admin can perform privileged operations (e.g., creating tenants) on the root domain by exploiting the role context mismatch.
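To make the role-context mismatch concrete, the following is an added example (not Saltcorn's own code): a simplified model of the authorization check behind a tenant-creation route, with the flawed check that trusts the session's role id beside a corrected check that resolves the actor's role in the root schema on the root host only. All hosts, user tables, config keys and function names are constructed for the illustration.

```javascript
// Added example, not Saltcorn's own code: a simplified model of the authorization
// check behind a "/tenant/create" route, showing the context mismatch from the
// advisory beside a corrected check. All names and values here are constructed.

// Constructed placeholder for the root domain (the advisory's saltcorn.com).
const ROOT_HOST = "root.example";

// Role ids as assumed here: 1 = admin, larger numbers are less privileged,
// and a required role of 0 (or unset) means tenant creation is disabled.
const rootConfig = { role_to_create_tenant: 1 };

// Constructed root-schema and tenant-schema user tables (email -> role_id).
const rootSchemaUsers = { "root-admin@example": 1 };
const tenantSchemaUsers = { "tenant-admin@example": 1 };

// A request as seen by the route: the host it arrived on and the session's
// user, whose role_id was loaded from whatever schema the session belongs to.
function makeRequest(host, email) {
  const users = host === ROOT_HOST ? rootSchemaUsers : tenantSchemaUsers;
  return { host, user: email in users ? { email, role_id: users[email] } : null };
}

// Vulnerable check: compares the session's role_id, which may have come from
// a tenant schema, against the root domain's requirement. The host is ignored.
function canCreateTenantVulnerable(req) {
  const required = rootConfig.role_to_create_tenant;
  return Boolean(req.user) && required > 0 && req.user.role_id <= required;
}

// Hardened check: a request on a tenant host must never create root-domain
// tenants, the actor's role is resolved from the root schema (not the tenant
// session), and the requirement comes from root config. A tenant admin with
// no root-schema account is denied.
function canCreateTenantFixed(req) {
  if (req.host !== ROOT_HOST || !req.user) return false;
  const rootRole = rootSchemaUsers[req.user.email];
  if (rootRole === undefined) return false;
  const required = rootConfig.role_to_create_tenant;
  return required > 0 && rootRole <= required;
}

// Demo: the advisory's case (tenant admin appending /tenant/create on their
// own host) passes the vulnerable check and fails the fixed one.
const tenantAdminReq = makeRequest("acme.root.example", "tenant-admin@example");
console.log("vulnerable:", canCreateTenantVulnerable(tenantAdminReq)); // true
console.log("fixed:", canCreateTenantFixed(tenantAdminReq));           // false
```

A log of denied tenant-creation attempts arriving on non-root hosts is a useful detection signal for this class of bug while a fix is rolled out.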
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
@Saltcorn/Data