CVE-2026-33541
Validation Logic Flaw in TSPortal Causes Database DoS Risk
Publication date: 2026-03-26
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikitide | tsportal | < 34 (all versions before 34; 34 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in TSPortal, a platform used by the Trust and Safety team of the WikiTide Foundation. Prior to version 34, a flaw in the validation logic allowed attackers to create arbitrary user records in the database.
Specifically, during validation of Data Processing Agreement (DPA) requests, a validation rule called DPAAlreadyLive invoked a method User::findOrCreate(), which creates a user record if none exists. Although invalid usernames were correctly rejected, this validation rule executed regardless of whether the overall validation succeeded, causing user records to be created even when the request failed.
This improper handling led to uncontrolled database growth because attackers could automate requests with invalid usernames to mass-create user records. The root cause was performing state-changing operations inside validation logic and lack of separation between validation and persistence layers.
How can this vulnerability impact me?
The vulnerability can lead to uncontrolled growth of the database by allowing attackers to create many arbitrary user records.
This results in increased storage and indexing overhead, which can degrade application performance.
At scale, this resource exhaustion can cause a denial of service (DoS), making the application unavailable to legitimate users.
Additionally, the created user records lack audit logging and traceability, which may complicate incident response.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or excessive creation of user records in the TSPortal database, especially those without corresponding successful Data Processing Agreement (DPA) requests or audit logs.
Since the flaw involves uncontrolled database growth due to user records being created during validation failures, detection methods should focus on identifying abnormal database size increases or spikes in user creation events.
Commands to detect this might include querying the database for recent user records that have no successful DPA request or audit trail behind them, for example SQL queries that count new user entries over a short period or list users lacking associated audit logs:
- SELECT COUNT(*) FROM users WHERE created_at > NOW() - INTERVAL '1 HOUR';
- SELECT * FROM users WHERE audit_log IS NULL AND created_at > NOW() - INTERVAL '1 DAY';
Additionally, monitoring application logs for repeated failed DPA requests that still result in user creation could help detect exploitation attempts.
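The two detection ideas above (a spike in user creation per time window, and user rows with no successful DPA request behind them) run here against a constructed in-memory SQLite database. This is an added example, not code from the advisory or from TSPortal; the table and column names (users, dpa_requests, created_at, status) are assumptions, so adapt the queries to the real schema.

```python
import sqlite3

# Constructed sample data, not a real TSPortal database. The table and column
# names (users, dpa_requests, created_at, status) are assumptions.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created_at TEXT);
CREATE TABLE dpa_requests (id INTEGER PRIMARY KEY, username TEXT,
                           status TEXT, created_at TEXT);
"""
LEGIT = [("alice", "2026-03-25 09:00:00"), ("bob", "2026-03-25 09:05:00")]
# Burst of phantom records: 40 invalid usernames created within one hour.
PHANTOM = [(f"junk{i}!!", f"2026-03-25 10:{i:02d}:00") for i in range(40)]


def load_sample_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users (username, created_at) VALUES (?, ?)",
                     LEGIT + PHANTOM)
    # Legitimate users have an approved DPA; phantom users only a rejected one.
    dpas = [(u, "approved", t) for u, t in LEGIT]
    dpas += [(u, "rejected", t) for u, t in PHANTOM]
    conn.executemany(
        "INSERT INTO dpa_requests (username, status, created_at) VALUES (?, ?, ?)",
        dpas)
    return conn


def orphan_users(conn, since):
    """Usernames created after `since` that have no approved DPA request."""
    rows = conn.execute("""
        SELECT u.username FROM users u
        LEFT JOIN dpa_requests d
               ON d.username = u.username AND d.status = 'approved'
        WHERE d.id IS NULL AND u.created_at > ?
        ORDER BY u.created_at""", (since,)).fetchall()
    return [r[0] for r in rows]


def creation_spikes(conn, threshold):
    """Hours (YYYY-MM-DD HH) in which more than `threshold` users were created."""
    return conn.execute("""
        SELECT substr(created_at, 1, 13) AS hour, COUNT(*)
        FROM users GROUP BY hour HAVING COUNT(*) > ?
        ORDER BY hour""", (threshold,)).fetchall()
```

A threshold tuned to the portal's normal onboarding rate turns `creation_spikes` into an alert condition, while `orphan_users` gives the list to review or clean up.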
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to create arbitrary user records without successful validation, leading to uncontrolled database growth and potential denial of service. However, there is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data, nor does it mention exposure of personal or sensitive information.
Since the vulnerability does not affect confidentiality or integrity, and primarily impacts availability through potential resource exhaustion, its direct effect on compliance with standards like GDPR or HIPAA—which focus heavily on data privacy and protection—is likely limited.
That said, the lack of audit logging and traceability for the created user records could pose challenges for compliance requirements related to accountability and monitoring, which are important aspects of many regulations.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade TSPortal to version 34 or later, where the vulnerability has been fixed.
The fix involves removing database write operations from validation logic and ensuring that user creation only occurs after all validations pass.
- Upgrade the miraheze/ts-portal package to version 34 or newer.
- Ensure that validation rules perform only read operations and do not cause side effects such as creating user records.
- Replace any use of state-changing methods like User::findOrCreate() in validation with non-mutating lookup methods such as User::firstWhere(...).
If immediate upgrade is not possible, consider implementing rate limiting or request throttling on DPA submissions to reduce the risk of mass user creation and monitor database growth closely.
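The pre-34 flaw described in the explanation above and the fix described in these mitigation steps, side by side, as an added example rather than TSPortal's own code. The in-memory `UserTable`, the username pattern and the `live_dpa_users` set are assumptions standing in for the real model, the real username rules and whatever the DPAAlreadyLive rule actually consults; only the shape of the bug (a write inside a validation rule that runs even after another rule has failed) and of the fix (read-only rules, persistence after the whole pass succeeds) is taken from the advisory.

```python
import re
from dataclasses import dataclass, field

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")  # assumed username policy


@dataclass
class UserTable:
    """Constructed stand-in for the users table, not TSPortal's real model."""
    rows: set = field(default_factory=set)

    def find_or_create(self, username):
        # Mutating lookup, the pattern behind User::findOrCreate().
        self.rows.add(username)
        return username

    def first_where(self, username):
        # Read-only lookup, the pattern behind User::firstWhere(...).
        return username if username in self.rows else None


def validate_vulnerable(users, username, live_dpa_users):
    """Pre-34 shape: every rule runs even after an earlier rule fails,
    and the DPAAlreadyLive rule writes to the database."""
    errors = []
    if not USERNAME_RE.match(username):
        errors.append("invalid username")
    user = users.find_or_create(username)      # side effect inside validation
    if user in live_dpa_users:
        errors.append("DPA already live")
    return errors


def validate_fixed(users, username, live_dpa_users):
    """Fixed shape: rules only read; nothing is persisted here."""
    errors = []
    if not USERNAME_RE.match(username):
        errors.append("invalid username")
    user = users.first_where(username)         # no write
    if user is not None and user in live_dpa_users:
        errors.append("DPA already live")
    return errors


def submit_dpa_request(users, username, live_dpa_users, validator):
    """Persist the user only after the whole validation pass succeeds."""
    errors = validator(users, username, live_dpa_users)
    if errors:
        return errors
    users.find_or_create(username)
    return []
```

With the vulnerable validator a rejected request still leaves a row behind, which is exactly the unbounded growth the advisory describes; with the fixed validator a rejected request leaves the table untouched.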