CVE-2026-33541
Status: Received - Intake
Validation Logic Flaw in TSPortal Causes Database DoS Risk

Publication date: 2026-03-26

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-03
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Vendor: wikitide
Product: tsportal
Version / Range: up to 34 (excluding)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in TSPortal, a platform used by the Trust and Safety team of the WikiTide Foundation. Prior to version 34, a flaw in the validation logic allowed attackers to create arbitrary user records in the database.

Specifically, during validation of Data Processing Agreement (DPA) requests, a validation rule called DPAAlreadyLive invoked a method User::findOrCreate(), which creates a user record if none exists. Although invalid usernames were correctly rejected, this validation rule executed regardless of whether the overall validation succeeded, causing user records to be created even when the request failed.

This improper handling led to uncontrolled database growth because attackers could automate requests with invalid usernames to mass-create user records. The root cause was performing state-changing operations inside validation logic and a lack of separation between the validation and persistence layers.


How can this vulnerability impact me?

The vulnerability can lead to uncontrolled growth of the database by allowing attackers to create many arbitrary user records.

This results in increased storage and indexing overhead, which can degrade application performance.

At scale, this resource exhaustion can cause a denial of service (DoS), making the application unavailable to legitimate users.

Additionally, the created user records lack audit logging and traceability, which may complicate incident response.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or excessive creation of user records in the TSPortal database, especially those without corresponding successful Data Processing Agreement (DPA) requests or audit logs.

Since the flaw involves uncontrolled database growth due to user records being created during validation failures, detection methods should focus on identifying abnormal database size increases or spikes in user creation events.

Commands to detect this might include querying the database for recent user records created without successful DPA requests or audit trails. For example, using SQL commands to count new user entries over a short period or to identify users lacking associated audit logs.

  • SELECT COUNT(*) FROM users WHERE created_at > NOW() - INTERVAL '1 HOUR';
  • SELECT * FROM users WHERE audit_log IS NULL AND created_at > NOW() - INTERVAL '1 DAY';

Additionally, monitoring application logs for repeated failed DPA requests that still result in user creation could help detect exploitation attempts.
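The detection idea above, worked through on constructed data: an in-memory SQLite database stands in for the TSPortal database (its real schema is not on this page; the users, dpa_requests and audit_log tables and their columns are assumptions for the example), seeded with two legitimate users and a burst of rejected usernames that were written anyway. The three queries count recent creations, find users with no accepted DPA request and no creation audit entry, and surface per-minute creation spikes. This is an added example, not code from TSPortal or from the advisory.

```python
"""Hunting for user records created as a side effect of failed validation
(the CVE-2026-33541 pattern), over a constructed sample database."""
import sqlite3

# Constructed reference time so the example is deterministic.
NOW = "2026-03-20 12:00:00"

# Assumed schema for the example; TSPortal's real tables may differ.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, created_at TEXT);
CREATE TABLE dpa_requests (id INTEGER PRIMARY KEY, username TEXT, status TEXT, created_at TEXT);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, user_id INTEGER, action TEXT, created_at TEXT);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: two legitimate users plus a 40-row burst of junk users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Legitimate users: each has an accepted DPA request and a creation audit entry.
    for name, ts in [("alice", "2026-03-19 09:00:00"), ("bob", "2026-03-20 11:30:00")]:
        cur = conn.execute("INSERT INTO users (username, created_at) VALUES (?, ?)", (name, ts))
        conn.execute("INSERT INTO dpa_requests (username, status, created_at) VALUES (?, 'accepted', ?)",
                     (name, ts))
        conn.execute("INSERT INTO audit_log (user_id, action, created_at) VALUES (?, 'user.created', ?)",
                     (cur.lastrowid, ts))
    # Burst: 40 usernames the validator would reject, inserted within four minutes,
    # with no stored DPA request and no audit entry. This is the side-effect signature.
    for i in range(40):
        ts = f"2026-03-20 11:{50 + i // 10}:{(i % 10) * 6:02d}"
        conn.execute("INSERT INTO users (username, created_at) VALUES (?, ?)", (f"<bad:{i:03d}>", ts))
    conn.commit()
    return conn


def users_created_since(conn: sqlite3.Connection, modifier: str = "-1 hour") -> int:
    """Count of user rows created inside the window ending at NOW."""
    row = conn.execute("SELECT COUNT(*) FROM users WHERE created_at > datetime(?, ?)",
                       (NOW, modifier)).fetchone()
    return row[0]


def users_without_provenance(conn: sqlite3.Connection) -> list:
    """Usernames that have neither an accepted DPA request nor a creation audit entry."""
    rows = conn.execute("""
        SELECT u.username
        FROM users u
        LEFT JOIN dpa_requests d ON d.username = u.username AND d.status = 'accepted'
        LEFT JOIN audit_log a ON a.user_id = u.id AND a.action = 'user.created'
        WHERE d.id IS NULL AND a.id IS NULL
        ORDER BY u.created_at
    """).fetchall()
    return [r[0] for r in rows]


def creation_bursts(conn: sqlite3.Connection, threshold: int = 10) -> list:
    """(minute, count) pairs where user creation reached the alert threshold."""
    rows = conn.execute("""
        SELECT strftime('%Y-%m-%d %H:%M', created_at) AS minute, COUNT(*)
        FROM users
        GROUP BY minute
        HAVING COUNT(*) >= ?
        ORDER BY minute
    """, (threshold,)).fetchall()
    return [(m, c) for m, c in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("created in last hour:", users_created_since(db))
    print("users without provenance:", len(users_without_provenance(db)))
    print("per-minute bursts:", creation_bursts(db))
```

The join against accepted DPA requests is the discriminating check: a legitimate account always has one, whereas an account created by the failing DPAAlreadyLive rule never does. The per-minute grouping is the cheap signal to alert on in a scheduled job.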


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to create arbitrary user records without successful validation, leading to uncontrolled database growth and potential denial of service. However, there is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data, nor does it mention exposure of personal or sensitive information.

Since the vulnerability does not affect confidentiality or integrity, and primarily impacts availability through potential resource exhaustion, its direct effect on compliance with standards like GDPR or HIPAA—which focus heavily on data privacy and protection—is likely limited.

That said, the lack of audit logging and traceability for the created user records could pose challenges for compliance requirements related to accountability and monitoring, which are important aspects of many regulations.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade TSPortal to version 34 or later, where the vulnerability has been fixed.

The fix involves removing database write operations from validation logic and ensuring that user creation only occurs after all validations pass.

  • Upgrade the miraheze/ts-portal package to version 34 or newer.
  • Ensure that validation rules perform only read operations and do not cause side effects such as creating user records.
  • Replace any use of state-changing methods like User::findOrCreate() in validation with non-mutating lookup methods such as User::firstWhere(...).

If immediate upgrade is not possible, consider implementing rate limiting or request throttling on DPA submissions to reduce the risk of mass user creation and monitor database growth closely.
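The flaw described in the explanation above and the fix described in this answer, side by side, as an added example that is not TSPortal's code: TSPortal is assumed to be a PHP application, and its User::findOrCreate() and User::firstWhere(...) methods are stood in for here by a small Python table with the same read-only versus write-on-miss behaviour. The DPAAlreadyLive rule is written twice, once with the side effect and once as a pure lookup, and every rule runs even after an earlier rule has failed, which is what turns the side effect into uncontrolled row creation. The username policy is a constructed one.

```python
"""Side effects inside validation (CVE-2026-33541), recreated in Python.
Stand-ins for the project's own methods: first_where == read-only lookup,
find_or_create == lookup that inserts on a miss."""
import re

USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{3,32}$")  # constructed username policy


class UserTable:
    """In-memory stand-in for the users table."""

    def __init__(self):
        self.rows = {}

    def first_where(self, username):
        """Read-only lookup, like User::firstWhere(...)."""
        return self.rows.get(username)

    def find_or_create(self, username):
        """Lookup that writes on a miss, like the advisory's User::findOrCreate()."""
        return self.rows.setdefault(username, {"username": username, "dpa_live": False})


# Each rule returns an error message, or None when the value passes.
def rule_username_format(value, users):
    return None if USERNAME_RE.match(value) else "invalid username"


def rule_dpa_already_live_vulnerable(value, users):
    # The bug: a miss inserts a row even though another rule already rejected
    # the request, so every invalid username still lands in the users table.
    user = users.find_or_create(value)
    return "DPA already live" if user["dpa_live"] else None


def rule_dpa_already_live_fixed(value, users):
    # The fix: validation only reads; a missing user simply means "not live".
    user = users.first_where(value)
    return "DPA already live" if user and user["dpa_live"] else None


VULNERABLE_RULES = [rule_username_format, rule_dpa_already_live_vulnerable]
FIXED_RULES = [rule_username_format, rule_dpa_already_live_fixed]


def submit_dpa(username, users, rules):
    """Runs every rule (collecting all errors, as a validator that does not stop
    at the first failure does) and persists only when none failed.
    Returns (accepted, errors)."""
    errors = [e for rule in rules if (e := rule(username, users))]
    if errors:
        return False, errors
    user = users.find_or_create(username)  # the only place a write belongs
    user["dpa_live"] = True
    return True, []


def simulate(rules, attempts):
    """Feeds a batch of submissions through the pipeline; returns the table."""
    users = UserTable()
    for name in attempts:
        submit_dpa(name, users, rules)
    return users


if __name__ == "__main__":
    batch = ["alice"] + [f"<junk {i}>" for i in range(100)]  # one valid, 100 rejected
    print("vulnerable rows:", len(simulate(VULNERABLE_RULES, batch).rows))  # 101
    print("fixed rows:     ", len(simulate(FIXED_RULES, batch).rows))       # 1
```

With the vulnerable rule set, one valid submission and a hundred rejected ones leave 101 rows behind; with the fixed rule set they leave one. The structural lesson matches the advisory: rules read, the handler writes, and the write happens once, after the whole rule list has passed.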

