PYSEC-2026-767

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aleksis-core/PYSEC-2026-767.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-767
Aliases
Published
2026-07-06T08:03:30.504197Z
Modified
2026-07-07T11:45:46.884286142Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Access control issue in AlekSIS-Core
Details

An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are specifically set.

References

Affected packages

PyPI / aleksis-core

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9

Affected versions

2.*
2.0a3.dev0
2.0a3
2.0a4
2.0b0
2.0b1
2.0b2
2.0rc1
2.0rc2
2.0rc3
2.0rc4
2.0rc5
2.0rc6
2.0rc7
2.0
2.1.dev0
2.1
2.1.1
2.2
2.2.1
2.3
2.3.1
2.3.2
2.4
2.5
2.6
2.7
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.8
2.8.1.dev0
2.8.1
2.8.2.dev0
2.8.2.dev1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/aleksis-core/PYSEC-2026-767.yaml"