Baserow Meet — Unauthenticated Task Creation + Cross-Tenant Task Result Access + Unauthenticated Room Entry
This report documents multiple vulnerabilities in the main branch of suitenumerique/meet, verified against the current source.
Finding 1 — [CRITICAL] Unauthenticated task creation (impersonation)
Location: src/summary/summary/api/route/tasks.py:39 (create_transcribe_summarize_task)
POST /tasks/ has no authentication or authorization. Any unauthenticated attacker creates tasks by providing arbitrary owner_id, email, sub, and recording_filename — impersonating any user and triggering audio processing under the victim's identity.
curl -X POST "http://<host>/tasks/" -H "Content-Type: application/json" \
-d '{"owner_id":"victim-uuid","email":"victim@example.com","sub":"victim-sub","recording_filename":"x.mp3"}'
Finding 2 — [CRITICAL] Cross-tenant task result access (IDOR)
Location: src/summary/summary/api/route/tasks.py:58 (legacy GET /tasks/{task_id})
The legacy task status endpoint has no authentication and no tenant isolation. Any requester retrieves task results (transcription/summary data) for any task ID by enumerating predictable UUIDs. In contrast, the V2 endpoint (/async-jobs/{type}/{job_id}) correctly checks task_tenant_id != request_tenant.id and rejects mismatching requests.
curl "http://<host>/tasks/<any_task_uuid>" # returns transcription without auth
Finding 3 — [HIGH] Unauthenticated room entry request (lobby flooding)
Location: src/backend/core/api/viewsets.py:196 (request_entry)
The request_entry action sets permission_classes=[], disabling all permission checks. Any user (authenticated or anonymous) requests entry to any room by slug/ID regardless of role — enabling mass entry requests / lobby flooding / harassment.
curl -X POST "http://<host>/api/v1/rooms/<room_slug>/request-entry" -H "Content-Type: application/json" -d '{"username":"attacker"}'
Suggested fixes
- Require authentication and verify that owner_id matches the authenticated user in POST /tasks/ (Finding 1).
- Add tenant isolation to the legacy GET /tasks/{task_id} (match V2's check) or deprecate it (Finding 2).
- Restore permission checks on request_entry; require at least authentication (Finding 3).
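To make the first two fixes concrete, here is an added, framework-agnostic example (not code from suitenumerique/meet) of the authorization checks the task endpoints should perform: the caller must be authenticated, the body's owner_id must equal the authenticated user's id on creation, and result retrieval must apply the same tenant check the V2 endpoint already does. The Principal, Task, Unauthenticated and Forbidden names are hypothetical.

```python
# Added example, not part of the suitenumerique/meet code base.
# Principal, Task, Unauthenticated and Forbidden are hypothetical names.
from dataclasses import dataclass
from typing import Optional
from uuid import UUID, uuid4


class Unauthenticated(Exception):
    """No verified principal on the request (maps to HTTP 401)."""


class Forbidden(Exception):
    """Principal present but not allowed to act on this object (HTTP 403)."""


@dataclass(frozen=True)
class Principal:
    user_id: str    # taken from the verified session/token, never from the body
    tenant_id: str  # tenant the authenticated user belongs to


@dataclass
class Task:
    task_id: UUID
    owner_id: str
    tenant_id: str
    result: Optional[str] = None


def create_task(payload: dict, principal: Optional[Principal]) -> Task:
    """Finding 1 fix: owner_id in the body is untrusted input.

    The task is created only for the authenticated caller; a body whose
    owner_id differs from the principal is rejected instead of honoured.
    """
    if principal is None:
        raise Unauthenticated("POST /tasks/ requires an authenticated user")
    if payload.get("owner_id") != principal.user_id:
        raise Forbidden("owner_id must match the authenticated user")
    # Owner and tenant come from the principal, not from the request body.
    return Task(task_id=uuid4(), owner_id=principal.user_id,
                tenant_id=principal.tenant_id)


def get_task_result(task: Task, principal: Optional[Principal]) -> Optional[str]:
    """Finding 2 fix: the same tenant check the V2 endpoint performs."""
    if principal is None:
        raise Unauthenticated("GET /tasks/{task_id} requires an authenticated user")
    if task.tenant_id != principal.tenant_id:
        raise Forbidden("task belongs to another tenant")
    return task.result
```

A lookup for an unknown task_id should return the same 404 as a cross-tenant one, so that the legacy endpoint stops confirming which UUIDs exist.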
All findings verified against the main branch source.