mercure

Privilege Escalation via Missing Authorization on User Edit

mercure's user-management pages are admin-only, except for the endpoint that saves a user edit: it requires only a logged-in session, with no admin check and no ownership check. Any authenticated user can therefore POST a new password for any other account, including the administrator, and then log in as that user. A single request turns a low-privilege login into full admin control.

Authored by: Volker Schönefeld, Simon Weber
Date: 2026-05-30

Severity: High
CVSS: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-862 (Missing Authorization)
Product: mercure
Affected Versions: All releases from 0.2.0-beta.1 through 0.4.0-beta.9.
Fixed In: 0.4.1. The user-edit POST endpoint now requires an administrator session, non-admins can edit only their own account, and changing a password requires the current password.
CVE: Pending
GHSA: Pending

Description

mercure is an open-source DICOM orchestration platform; we appreciate the maintainers' prompt, constructive response to this report. mercure has a small set of user-management endpoints, all of which require an administrator session, with one exception.

The endpoint that saves a user edit is decorated to require only an authenticated session, not admin:

app/webinterface/users.py:242-243

@router.post("/edit/{user}")
@requires(["authenticated"], redirect="login") # missing "admin"
async def users_edit_post(request) -> Response:

Every other user-management endpoint requires admin. The save path is the outlier:

Endpoint                    Method  Requires
/users/ (list)              GET     authenticated, admin
/users/ (create)            POST    authenticated, admin
/users/edit/{user} (form)   GET     authenticated, admin
/users/edit/{user} (save)   POST    authenticated
/users/delete/{user}        POST    authenticated, admin

The target user is taken from the URL path, not the session, and there is no ownership check and no current-password check. The is_admin flag is separately guarded, but the attacker does not need it: they set a new password on the admin account and log in as admin.

app/webinterface/users.py:251, 259-261

edituser = request.path_params["user"]  # from URL path, not session
# ...
if form["password"]:
    to_edit["password"] = hash_password(form["password"])
    to_edit["change_password"] = "False"

A single POST to the admin user's edit endpoint with a new password is enough; the attacker then logs in as admin and reaches every admin-only function, including the routing-rule and notification-template code-execution paths.

Impact

  • Any authenticated user, including a low-privilege one, can reset any other user's password without knowing the current one. This includes the administrator account.
  • After changing the admin password, the attacker logs in as admin and gains full control: routing rules, processing modules, and system configuration. This is the step that unlocks the admin-gated code-execution findings.
  • The same capability can lock out every user, including admins, disabling the routing system.

Mitigation

Upgrade to mercure 0.4.1, where the user-edit POST endpoint requires an administrator session, non-admins can edit only their own account, and a password change requires the current password. In general, a write endpoint must carry at least the authorization of its read counterpart, and self-service edits must bind the target to the session rather than the URL.
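The checks the fix describes, as an added example that is not mercure's code: a framework-free policy function for the user-edit save path that takes the caller from the session rather than the URL, enforces admin-or-self, guards the is_admin flag, and demands re-authentication before a password change. The function names, the in-memory user store, the PBKDF2 helpers and the rule that the caller re-enters their own current password are assumptions, not the project's implementation.

```python
# Added example, not mercure's code: an authorization policy for the user-edit
# save path that closes the gaps the advisory describes. Names, the in-memory
# store and the "re-enter your own current password" rule are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass

def hash_password(password: str, salt: bytes = b"") -> str:
    """PBKDF2-SHA256; stored as '<hex salt>:<hex digest>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}:{digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

@dataclass
class Session:
    user: str  # taken from the session, never from the URL path
    is_admin: bool

def authorize_edit(session: Session, target: str, form: dict, users: dict) -> tuple:
    """Return (allowed, reason); users maps name -> {"password": hash, "is_admin": bool}."""
    if target not in users:
        return False, "unknown user"
    # Ownership: non-admins may edit only the account bound to their session.
    if not session.is_admin and session.user != target:
        return False, "forbidden: not admin and not own account"
    # Privilege flag: only an admin session may grant or revoke admin.
    if "is_admin" in form and not session.is_admin:
        return False, "forbidden: only admins may change is_admin"
    # Password change: caller re-authenticates with their own current password.
    if form.get("password"):
        current = form.get("current_password", "")
        if not verify_password(current, users[session.user]["password"]):
            return False, "current password incorrect"
    return True, "ok"

def apply_edit(session: Session, target: str, form: dict, users: dict) -> tuple:
    """Run the policy and, only if it allows, store the new password hash."""
    allowed, reason = authorize_edit(session, target, form, users)
    if allowed and form.get("password"):
        users[target]["password"] = hash_password(form["password"])
    return allowed, reason
```

The first assertion in a test of this policy is the advisory's own scenario: a non-admin session posting a new password for the admin account must be refused before anything is written.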

Defender's Checklist

  • Upgrade to 0.4.1 or later

    Deploy the patched release, which requires admin for user edits and verifies the current password.

  • Rotate credentials

    After upgrading, reset the admin password and review the user list for unexpected accounts or changes.

  • Change default credentials

    Confirm the default admin:router password has been changed.

Severity Reasoning

AV:N     The endpoint is reached over the network through the web interface.
AC:L     A single POST request performs the takeover.
PR:L     Any authenticated account suffices; admin is not required.
UI:N     No user interaction.
S:U      The impact stays within the application's own authentication scope.
C/I/A:H  Admin takeover exposes and lets the attacker modify all configuration and data the application manages, and can deny service to all users.

How We Can Help

Who We Are

The security researchers behind this advisory.

Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumni of THB MedSec Research Group
  • gematik Security Hero

Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist
  • gematik Security Hero

Looking for a Penetration Test?

Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.