CVE-2026-4171
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in CodeGenieApp API Endpoint via userId Manipulation

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4171
EUVD
EUVD-2026-12216
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
codegenie serverless-express to 4.17.1 (inc)
codegenieapp serverless-express to 4.17.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4171 is a critical Broken Object Level Authorization (BOLA) vulnerability in CodeGenieApp serverless-express versions up to 4.17.1. The root cause is the absence of an ownership model in the TodoList management system's database schema, specifically the lack of a userId field in the TodoList DynamoDB table. This means todo lists are not linked to their creators."}, {'type': 'paragraph', 'content': "Because of this, an attacker who obtains a valid listIdβ€”possibly through leaked URLs, Referer headers, or by exploiting related vulnerabilitiesβ€”can use their own authenticated session to access, modify, or delete any other user's todo lists without proper authorization checks."}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper handling and manipulation of the userId argument in the API endpoint, allowing authorization bypass remotely. This leads to a complete compromise of data confidentiality, integrity, and availability.'}] [1, 2, 4]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts including unauthorized access to all todo list data, modification or corruption of others' todo lists, and permanent deletion of todo lists belonging to other users."}, {'type': 'list_item', 'content': "Confidentiality: Attackers can read any user's todo list data."}, {'type': 'list_item', 'content': "Integrity: Attackers can modify or corrupt other users' todo lists."}, {'type': 'list_item', 'content': 'Availability: Attackers can delete todo lists of other users, causing data loss.'}, {'type': 'paragraph', 'content': 'The attack can be carried out remotely with low complexity and requires only low privileges, making it relatively easy for attackers to exploit once a valid listId is known.'}] [1, 2, 4]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the API endpoints related to todo lists for improper authorization checks. Specifically, attempts to access, modify, or delete todo lists using valid listId values that belong to other users can reveal the authorization bypass.'}, {'type': 'paragraph', 'content': 'Suggested detection approach includes sending authenticated requests to the following endpoints with listId values not owned by the authenticated user:'}, {'type': 'list_item', 'content': 'GET /todo-lists/:listId'}, {'type': 'list_item', 'content': 'PUT /todo-lists/:listId'}, {'type': 'list_item', 'content': 'DELETE /todo-lists/:listId'}, {'type': 'paragraph', 'content': 'If these requests succeed in accessing or modifying data without ownership verification, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'Example curl commands to test the vulnerability (replace <token> with a valid JWT and <listId> with a list ID not owned by the user):'}, {'type': 'list_item', 'content': 'curl -H "Authorization: Bearer <token>" https://api.example.com/todo-lists/<listId>'}, {'type': 'list_item', 'content': 'curl -X PUT -H "Authorization: Bearer <token>" -d \'{"title":"test"}\' https://api.example.com/todo-lists/<listId>'}, {'type': 'list_item', 'content': 'curl -X DELETE -H "Authorization: Bearer <token>" https://api.example.com/todo-lists/<listId>'}] [2]

Mitigation Strategies

Immediate mitigation steps include:

  • Modify the TodoList database schema to include a required userId attribute to establish ownership of todo lists.
  • Implement strict authorization checks in the API endpoints to verify that the authenticated user owns the todo list identified by listId before allowing access or modification.
  • Use DynamoDB ConditionExpressions or equivalent mechanisms to enforce ownership checks at the data access layer.
  • Create a Global Secondary Index (GSI) on userId to facilitate secure querying of todo lists by their owners.
  • For existing data, perform data migration to assign ownership to todo lists or archive orphaned records.

If immediate code changes are not possible, consider restricting access to the vulnerable API endpoints or replacing the affected component with an alternative product.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4171. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart