CVE-2026-7142
Improper Authorization in Wooey API Endpoint Allows Remote Exploit
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wooey | wooey | < 0.13.3 |
| wooey | wooey | 0.13.3rc1 |
| wooey | wooey | 0.14.0 |
| wooey | wooey | <= 0.13.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Wooey allows any authenticated user to upload arbitrary Python scripts, which Celery workers then execute, so this broken access control is effectively a Remote Code Execution (RCE) risk. An attacker who reaches that point can read or modify whatever data and system resources the Wooey service user can reach.
Regulations such as GDPR and HIPAA require strict access controls and protection of sensitive data; code execution by an ordinary, non-privileged account can lead to data breaches or unauthorized processing that violate those requirements.
The fix enforces staff-level authorization for script uploads, restricting the capability to administrators, which is the kind of control those standards expect to be in place.
Can you explain this vulnerability to me?
The vulnerability in Wooey up to version 0.13.2 is in the view function add_or_update_script behind the API endpoint `/api/scripts/v1/add-or-update/`. The function only checked that the caller was authenticated; it did not verify that the user had staff (administrator) privileges, i.e. the Django `is_staff` flag.
Because of that missing authorization check, any authenticated user could upload an arbitrary Python script. Uploaded scripts are executed by Celery workers running under the Wooey service user, so the missing check amounts to Remote Code Execution (RCE) as that user on whichever host runs the workers.
In practice an attacker needs nothing more than a working login: one malicious upload compromises the system running Wooey.
The fix adds an explicit check of the user object's `is_staff` attribute, so only staff users can upload scripts; unauthorized callers now receive a 403 Forbidden JSON response.
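To make the difference between the two checks concrete, here is an added illustration of the vulnerable pattern next to the fixed pattern. This is not Wooey's code (the real handler is a Django view, and the advisory does not reproduce it); it uses a minimal stand-in for Django's `request.user` with the same attribute names, and a tuple in place of `JsonResponse`. The `is_active` check in the hardened version is an extra defence beyond what the advisory describes, and the handler body, usernames and script name are made up for the demonstration.

```python
"""Vulnerable vs. fixed authorization gate for a script-upload view (illustrative)."""
import json
from dataclasses import dataclass, field
from functools import wraps


# Stand-ins for django.contrib.auth's User / AnonymousUser (assumed attribute names).
@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_staff: bool = False
    is_active: bool = True


@dataclass
class Request:
    user: User
    data: dict = field(default_factory=dict)


ANONYMOUS = User("", is_authenticated=False)


def json_response(payload: dict, status: int = 200):
    """Stand-in for django.http.JsonResponse: returns (status, serialized body)."""
    return status, json.dumps(payload)


def _store_script(request: Request):
    """Hypothetical upload handler. In Wooey, a stored script is later executed by
    Celery workers under the service user, which is why reaching this code matters."""
    name = request.data.get("script_name", "<unnamed>")
    return json_response({"stored": name, "uploaded_by": request.user.username})


def add_or_update_script_vulnerable(request: Request):
    # Before the fix: authentication is the only gate, so any logged-in account
    # (including a self-registered one) reaches _store_script().
    if not request.user.is_authenticated:
        return json_response({"error": "authentication required"}, 401)
    return _store_script(request)


def staff_required_json(view):
    """Authorization gate matching the described fix: non-staff callers get a
    403 JSON body. The is_active test is added defence in depth."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        user = request.user
        if not user.is_authenticated:
            return json_response({"error": "authentication required"}, 401)
        if not (user.is_active and user.is_staff):
            return json_response({"error": "staff privileges required"}, 403)
        return view(request, *args, **kwargs)
    return wrapper


@staff_required_json
def add_or_update_script_fixed(request: Request):
    return _store_script(request)


def probe(view) -> dict:
    """Call a view as each kind of principal and return {principal: HTTP status}."""
    callers = {
        "anonymous": ANONYMOUS,
        "registered_user": User("mallory"),                        # made-up account
        "staff": User("alice", is_staff=True),                     # made-up account
        "deactivated_staff": User("bob", is_staff=True, is_active=False),
    }
    payload = {"script_name": "evil.py"}  # constructed upload
    return {name: view(Request(u, payload))[0] for name, u in callers.items()}


if __name__ == "__main__":
    print("vulnerable:", probe(add_or_update_script_vulnerable))
    print("fixed:     ", probe(add_or_update_script_fixed))
```

The `probe` matrix is the check worth keeping in a test suite: the only row that should change between the two views is the ordinary registered user (200 before, 403 after), and staff access must survive the fix.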
How can this vulnerability impact me?
The impact is critical because any authenticated user can upload and run arbitrary Python scripts on the server.
The scripts are executed by Celery workers running under the Wooey service user, so an attacker gains Remote Code Execution (RCE) with that user's privileges on whichever host runs the workers. Concretely:
- Execution of arbitrary commands on the worker host.
- Access to files and secrets the service user can read, such as the application settings and database credentials.
- Reverse shells and lateral movement into the rest of the network from that host.
- Compromise of the entire application environment through the service user's read/write access.
How far this reaches depends on how the workers are deployed: a worker in a dedicated container with minimal mounts and restricted egress confines the damage, while a worker sharing a host with the database and the web tier does not.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability lets authenticated, non-staff users upload arbitrary Python scripts via the API endpoint `/api/scripts/v1/add-or-update/`.
Detection has two parts: confirm whether an instance is vulnerable, and look for exploitation in the logs. Upload attempts are HTTP POST requests to that endpoint, so the web-server access logs are the first place to look.
- Check the installed version on the host or in the container image: `pip show wooey` (or `python -c "import importlib.metadata as m; print(m.version('wooey'))"`). Anything at or below 0.13.2 is affected.
- Use `grep` on the web-server access logs to find POST requests to the vulnerable endpoint, e.g.: `grep 'POST /api/scripts/v1/add-or-update/' /var/log/nginx/access.log`. Include rotated logs (`zgrep` on `access.log.*.gz`), since the exposure predates the advisory.
- The web-server log normally shows only the client address, status code and user agent; nginx's `$remote_user` field is empty unless HTTP Basic auth is in use. To attribute a request to a Django account, correlate timestamps with Wooey's own application logs, and review which accounts that are not staff were active against the API in that window.
- Check for unusual or unexpected script files in the Wooey script storage directories, and compare the scripts registered in the application against what administrators actually added.
- `tcpdump` or Wireshark can capture traffic to the endpoint, but only where it is visible in clear text (before TLS termination, or on the proxy-to-Django hop); for HTTPS traffic rely on the server-side logs instead.
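An added example (not part of the advisory or of the Wooey project) that applies the log check above to constructed nginx combined-format lines and labels each hit with what an analyst should do with it. It assumes nginx's default `combined` log format; the `$remote_user` field is only filled for HTTP Basic auth, so for Wooey's usual session or token logins it will read `-` and the hit has to be correlated with application-side logs to learn who uploaded. The `staff_users` set, the addresses (RFC 5737 documentation ranges) and the usernames are all made up for the demonstration.

```python
"""Scan nginx combined-format access logs for POSTs to the Wooey script-upload
endpoint named in the advisory and give each hit an analyst-facing verdict."""
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Path from the advisory; query strings are stripped before comparison.
ENDPOINT = "/api/scripts/v1/add-or-update/"

# nginx "combined" format (the default log_format):
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    time: str
    ip: str
    user: str
    status: int
    ua: str
    verdict: str


def verdict_for(user: str, status: int, staff_users: frozenset) -> str:
    """Map (logged user, HTTP status) to what the analyst should do with the hit."""
    if status == 403:
        return "rejected"                     # what the fixed code returns to non-staff
    if not 200 <= status < 300:
        return f"status {status}"             # 401/405/5xx etc.: no upload happened
    if user == "-":
        return "accepted, identity unknown"   # correlate with Django/Wooey app logs
    if user in staff_users:
        return "accepted by staff"
    return "accepted from non-staff user"     # on an unpatched host: the exploit path


def scan(lines, staff_users=()):
    """Return a Hit for every POST to ENDPOINT, in log order; other lines are ignored."""
    staff = frozenset(staff_users)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m is None:
            continue
        if m["method"] != "POST" or m["target"].split("?", 1)[0] != ENDPOINT:
            continue
        status = int(m["status"])
        hits.append(Hit(m["time"], m["ip"], m["user"], status, m["ua"],
                        verdict_for(m["user"], status, staff)))
    return hits


def summarize(hits):
    """Count hits per verdict, e.g. to spot a burst of 'accepted from non-staff user'."""
    return Counter(h.verdict for h in hits)


# Constructed sample log: documentation-range addresses and made-up usernames.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2026:10:01:12 +0000] "GET /api/scripts/v1/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - alice [28/Apr/2026:10:02:45 +0000] "POST /api/scripts/v1/add-or-update/ HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.9 - bob [28/Apr/2026:10:05:03 +0000] "POST /api/scripts/v1/add-or-update/ HTTP/1.1" 403 45 "-" "curl/8.5.0"
198.51.100.9 - mallory [28/Apr/2026:10:05:40 +0000] "POST /api/scripts/v1/add-or-update/ HTTP/1.1" 200 91 "-" "curl/8.5.0"
192.0.2.4 - - [28/Apr/2026:10:06:30 +0000] "POST /api/scripts/v1/add-or-update/?format=json HTTP/1.1" 201 91 "-" "Mozilla/5.0"
203.0.113.7 - alice [28/Apr/2026:10:07:00 +0000] "GET /api/scripts/v1/add-or-update/ HTTP/1.1" 405 0 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    # Usage: python scan_wooey_uploads.py [access.log ...]   (no arguments: runs on SAMPLE_LOG)
    staff = {"alice"}  # assumption: replace with the real staff usernames
    lines = SAMPLE_LOG.splitlines()
    if len(sys.argv) > 1:
        lines = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines.extend(fh)
    found = scan(lines, staff)
    for h in found:
        print(f"{h.time} {h.ip:>15} {h.user:<10} {h.status} {h.verdict}  [{h.ua}]")
    print(dict(summarize(found)))
```

A 403 on the endpoint is the normal signature of a patched instance refusing a non-staff caller, so a run of 403s after the upgrade is expected; a 2xx from an account that is not staff, or a 2xx with unknown identity in the period before the upgrade, is what needs follow-up.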
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Wooey to a release that contains the fix; the advisory names 0.13.3rc1 or later, including 0.14.0. Confirm against the project's release notes that the version you deploy includes the staff check before treating the instance as patched.
The fixed code only accepts a script upload from a user whose `is_staff` attribute is true and returns a 403 Forbidden JSON response otherwise, which blocks unauthorized uploads and the resulting remote code execution.
If you cannot upgrade immediately, restrict `/api/scripts/v1/add-or-update/` to trusted staff at the reverse proxy or firewall (for example by source address or an allow-list of administrator networks). Do not rely on the path being unknown: any authenticated account that can reach it can exploit it.
Because exploitation yields code execution as the service user, treat any evidence of non-staff uploads as a potential compromise: review the stored scripts, rotate credentials the worker could read (database credentials and any secrets in the settings file), and revoke the accounts or API keys involved.
Ensure `WOOEY_ALLOW_ANONYMOUS` is set to false so anonymous visitors cannot execute scripts. This does not close the upload hole, which only needs an authenticated account, but it reduces the overall exposure of an unpatched instance.