GHSA-382C-VX95-W3P5

Vulnerability from github – Published: 2026-07-09 13:44 – Updated: 2026-07-09 13:44
VLAI
Summary
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
Details

Summary

GET /v1/contributors/:login/profile and the gittensory_get_contributor_profile MCP tool skip the contributor-scoped access check that every sibling endpoint enforces. Any authenticated session/API/MCP token holder can read any contributor's profile; for confirmed Gittensor miners that exposes alphaPerDay, taoPerDay, usdPerDay (and the hotkey on the REST path). Authenticated cross-contributor disclosure, CWE-284 / IDOR.

Details

In src/api/routes.ts the profile handler returns buildContributorProfile(...) with no requireContributorAccess call. Every sibling (/decision-pack, /repos/:owner/:repo/decision, etc.) gates and 403s on a cross-contributor request — the profile route is the only omission. buildContributorProfile (src/signals/engine.ts) embeds hotkey and the three *PerDay fields for any confirmed miner.

The MCP tool getContributorProfile (src/mcp/server.ts) also omits requireContributorAccess. Its redactSensitiveForMcp filter only strips keys matching hotkey|coldkey|wallet|private_key|privateKey|mnemonic, so the hotkey is dropped but alphaPerDay/taoPerDay/usdPerDay pass through.

The codebase treats these as secret everywhere else — decision-pack.ts destructures the hotkey out before serving, and three sanitizers scrub hotkey/wallet from AI/comment output — which is why this is an oversight, not by-design.

Exposure: REST → hotkey + 3 financial fields; MCP → 3 financial fields (hotkey redacted).

PoC

  1. Get any valid session/API/MCP token.
  2. Pick a target login that is a confirmed miner.
  3. GET /v1/contributors/{target}/profile → 200 with gittensor.hotkey, alphaPerDay, taoPerDay, usdPerDay.
  4. GET /v1/contributors/{target}/decision-pack (same token) → 403, proving the missing gate.
  5. MCP gittensory_get_contributor_profile with {target} → result includes the three *PerDay fields.

Impact

Any token holder can enumerate other miners' daily TAO/alpha/USD revenue (plus hotkey via REST) without authorization. All miners with snapshot data are affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@jsonbored/gittensory-mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T13:44:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n \n`GET /v1/contributors/:login/profile` and the `gittensory_get_contributor_profile` MCP tool skip the contributor-scoped access check that every sibling endpoint enforces. Any authenticated session/API/MCP token holder can read any contributor\u0027s profile; for confirmed Gittensor miners that exposes `alphaPerDay`, `taoPerDay`, `usdPerDay` (and the `hotkey` on the REST path). Authenticated cross-contributor disclosure, CWE-284 / IDOR.\n \n### Details\n \nIn `src/api/routes.ts` the profile handler returns `buildContributorProfile(...)` with no `requireContributorAccess` call. Every sibling (`/decision-pack`, `/repos/:owner/:repo/decision`, etc.) gates and 403s on a cross-contributor request \u2014 the profile route is the only omission. `buildContributorProfile` (`src/signals/engine.ts`) embeds `hotkey` and the three `*PerDay` fields for any confirmed miner.\n \nThe MCP tool `getContributorProfile` (`src/mcp/server.ts`) also omits `requireContributorAccess`. Its `redactSensitiveForMcp` filter only strips keys matching `hotkey|coldkey|wallet|private_key|privateKey|mnemonic`, so the hotkey is dropped but `alphaPerDay`/`taoPerDay`/`usdPerDay` pass through.\n \nThe codebase treats these as secret everywhere else \u2014 `decision-pack.ts` destructures the hotkey out before serving, and three sanitizers scrub hotkey/wallet from AI/comment output \u2014 which is why this is an oversight, not by-design.\n \nExposure: REST \u2192 hotkey + 3 financial fields; MCP \u2192 3 financial fields (hotkey redacted).\n \n### PoC\n \n1. Get any valid session/API/MCP token.\n2. Pick a target `login` that is a confirmed miner.\n3. `GET /v1/contributors/{target}/profile` \u2192 200 with `gittensor.hotkey`, `alphaPerDay`, `taoPerDay`, `usdPerDay`.\n4. `GET /v1/contributors/{target}/decision-pack` (same token) \u2192 403, proving the missing gate.\n5. MCP `gittensory_get_contributor_profile` with `{target}` \u2192 result includes the three `*PerDay` fields.\n### Impact\n \nAny token holder can enumerate other miners\u0027 daily TAO/alpha/USD revenue (plus hotkey via REST) without authorization. All miners with snapshot data are affected.",
  "id": "GHSA-382c-vx95-w3p5",
  "modified": "2026-07-09T13:44:51Z",
  "published": "2026-07-09T13:44:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/JSONbored/gittensory/security/advisories/GHSA-382c-vx95-w3p5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JSONbored/gittensory/commit/811ef5fb9d748170011f8854d88c64627ad666a0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/JSONbored/gittensory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…