GHSA-5r3p-6rj5-7937: Bytebase vulnerable to Improper Authentication
- GitLab login allows login by any user.
- JWT auth token can be derived as long as the server isn’t rebooted.
- Developers can assign issues to non-admin/DBA users.