GHSA-382C-VX95-W3P5
Vulnerability from github – Published: 2026-07-09 13:44 – Updated: 2026-07-09 13:44Summary
GET /v1/contributors/:login/profile and the gittensory_get_contributor_profile MCP tool skip the contributor-scoped access check that every sibling endpoint enforces. Any authenticated session/API/MCP token holder can read any contributor's profile; for confirmed Gittensor miners that exposes alphaPerDay, taoPerDay, usdPerDay (and the hotkey on the REST path). Authenticated cross-contributor disclosure, CWE-284 / IDOR.
Details
In src/api/routes.ts the profile handler returns buildContributorProfile(...) with no requireContributorAccess call. Every sibling (/decision-pack, /repos/:owner/:repo/decision, etc.) gates and 403s on a cross-contributor request — the profile route is the only omission. buildContributorProfile (src/signals/engine.ts) embeds hotkey and the three *PerDay fields for any confirmed miner.
The MCP tool getContributorProfile (src/mcp/server.ts) also omits requireContributorAccess. Its redactSensitiveForMcp filter only strips keys matching hotkey|coldkey|wallet|private_key|privateKey|mnemonic, so the hotkey is dropped but alphaPerDay/taoPerDay/usdPerDay pass through.
The codebase treats these as secret everywhere else — decision-pack.ts destructures the hotkey out before serving, and three sanitizers scrub hotkey/wallet from AI/comment output — which is why this is an oversight, not by-design.
Exposure: REST → hotkey + 3 financial fields; MCP → 3 financial fields (hotkey redacted).
PoC
- Get any valid session/API/MCP token.
- Pick a target
loginthat is a confirmed miner. GET /v1/contributors/{target}/profile→ 200 withgittensor.hotkey,alphaPerDay,taoPerDay,usdPerDay.GET /v1/contributors/{target}/decision-pack(same token) → 403, proving the missing gate.- MCP
gittensory_get_contributor_profilewith{target}→ result includes the three*PerDayfields.
Impact
Any token holder can enumerate other miners' daily TAO/alpha/USD revenue (plus hotkey via REST) without authorization. All miners with snapshot data are affected.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@jsonbored/gittensory-mcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T13:44:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n \n`GET /v1/contributors/:login/profile` and the `gittensory_get_contributor_profile` MCP tool skip the contributor-scoped access check that every sibling endpoint enforces. Any authenticated session/API/MCP token holder can read any contributor\u0027s profile; for confirmed Gittensor miners that exposes `alphaPerDay`, `taoPerDay`, `usdPerDay` (and the `hotkey` on the REST path). Authenticated cross-contributor disclosure, CWE-284 / IDOR.\n \n### Details\n \nIn `src/api/routes.ts` the profile handler returns `buildContributorProfile(...)` with no `requireContributorAccess` call. Every sibling (`/decision-pack`, `/repos/:owner/:repo/decision`, etc.) gates and 403s on a cross-contributor request \u2014 the profile route is the only omission. `buildContributorProfile` (`src/signals/engine.ts`) embeds `hotkey` and the three `*PerDay` fields for any confirmed miner.\n \nThe MCP tool `getContributorProfile` (`src/mcp/server.ts`) also omits `requireContributorAccess`. Its `redactSensitiveForMcp` filter only strips keys matching `hotkey|coldkey|wallet|private_key|privateKey|mnemonic`, so the hotkey is dropped but `alphaPerDay`/`taoPerDay`/`usdPerDay` pass through.\n \nThe codebase treats these as secret everywhere else \u2014 `decision-pack.ts` destructures the hotkey out before serving, and three sanitizers scrub hotkey/wallet from AI/comment output \u2014 which is why this is an oversight, not by-design.\n \nExposure: REST \u2192 hotkey + 3 financial fields; MCP \u2192 3 financial fields (hotkey redacted).\n \n### PoC\n \n1. Get any valid session/API/MCP token.\n2. Pick a target `login` that is a confirmed miner.\n3. `GET /v1/contributors/{target}/profile` \u2192 200 with `gittensor.hotkey`, `alphaPerDay`, `taoPerDay`, `usdPerDay`.\n4. `GET /v1/contributors/{target}/decision-pack` (same token) \u2192 403, proving the missing gate.\n5. MCP `gittensory_get_contributor_profile` with `{target}` \u2192 result includes the three `*PerDay` fields.\n### Impact\n \nAny token holder can enumerate other miners\u0027 daily TAO/alpha/USD revenue (plus hotkey via REST) without authorization. All miners with snapshot data are affected.",
"id": "GHSA-382c-vx95-w3p5",
"modified": "2026-07-09T13:44:51Z",
"published": "2026-07-09T13:44:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/JSONbored/gittensory/security/advisories/GHSA-382c-vx95-w3p5"
},
{
"type": "WEB",
"url": "https://github.com/JSONbored/gittensory/commit/811ef5fb9d748170011f8854d88c64627ad666a0"
},
{
"type": "PACKAGE",
"url": "https://github.com/JSONbored/gittensory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.