CIVI-SA-2022-07: APIv3 Access Bypass

2022-06-01 12:00
Written by
dev-team - member of the CiviCRM community - view blog guidelines

A vulnerability in processing APIv3 AJAX requests could allow a malicious request to bypass permission checks.

Security Risk
Highly Critical
Access Bypass
Affected Versions

5.50.beta1, 5.49.3, and 5.45.5 (and earlier)

Fixed Versions

5.50.0, 5.49.4, and 5.45.6 ESR (and later)

Publication Date

Any ONE of the following:

  • (Recommended) Upgrade to CiviCRM v5.50.0, v5.49.4, or 5.45.6 ESR
  • (Alternative Mitigation) Ensure that permissions access AJAX API and access CiviCRM are only available to trusted, administrative users. (NOTE: This mitigation is only practical on small, simple sites. It may be impractical if the site has semi-trusted, backend users or if it has any extensions that use APIv3 AJAX.)

Artful Robot - Rich Lott; JMA Consulting - Seamus Lee; Wikimedia Foundation - Eileen McNaughton; CiviCRM - Coleman Watts, Tim Otten