GHSA-xfx2-prg5-jq3g: INSATutorat has an authorization bypass vulnerability in its /api/admin/* endpoints
An authorization bypass vulnerability was discovered in the administration endpoints of the tutoring application. When a standard user (logged in but without administrator privileges) requests a resource under /api/admin/, the server detects the missing privilege and reports a FORBIDDEN error, but does not stop processing the request.
As a result, sensitive data is still returned by the server in the response to a GET request, and modification actions such as campaign creation (POST) are executed successfully despite the FORBIDDEN error message. The returned status alone is therefore not evidence that the request was blocked. All /api/admin/* endpoints are affected.
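The pattern behind this class of bug is an admin guard that records the authorization failure but never short-circuits, so the route handler still runs. The following is an added example written for this page, not INSATutorat's code: a hypothetical framework-free dispatcher with the flawed guard next to the corrected one, and a probe that checks, as a logged-in non-admin, whether the 403 actually prevented the read and the write. The /api/admin/campaigns route, the campaign names and the user records are constructed sample data.

```python
"""Added example (hypothetical code, not the project's own): an admin guard
that sets a FORBIDDEN error but keeps processing, beside one that stops."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional


@dataclass
class Request:
    method: str
    path: str
    user: Dict[str, Any]          # constructed: {"name": ..., "is_admin": bool}
    body: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    error: Optional[str] = None
    data: Any = None


class AdminApi:
    """Hypothetical handler for /api/admin/campaigns, shared by both guards."""

    def __init__(self) -> None:
        self.campaigns = ["spring-2024"]   # constructed sample data

    def handle(self, req: Request, resp: Response) -> Response:
        if req.method == "GET":
            resp.data = list(self.campaigns)          # sensitive listing
        elif req.method == "POST":
            self.campaigns.append(req.body["name"])   # state change
            resp.data = {"created": req.body["name"]}
        return resp


def vulnerable_dispatch(api: AdminApi, req: Request) -> Response:
    """Flawed guard: marks the response FORBIDDEN but falls through, so the
    handler still runs and its output is merged into the same reply."""
    resp = Response(status=200)
    if req.path.startswith("/api/admin/") and not req.user["is_admin"]:
        resp.status = 403
        resp.error = "FORBIDDEN"
        # The missing `return resp` here is the entire bug.
    return api.handle(req, resp)


def fixed_dispatch(api: AdminApi, req: Request) -> Response:
    """Correct guard: a failed authorization check ends the request before
    any handler code executes."""
    if req.path.startswith("/api/admin/") and not req.user["is_admin"]:
        return Response(status=403, error="FORBIDDEN")
    return api.handle(req, Response(status=200))


def probe(dispatch: Callable[[AdminApi, Request], Response]) -> Dict[str, Any]:
    """Exercise a dispatcher as a logged-in non-admin and report whether the
    403 really blocked the read (no data in the body) and the write (no new
    campaign in the backing store)."""
    api = AdminApi()
    student = {"name": "student", "is_admin": False}
    get = dispatch(api, Request("GET", "/api/admin/campaigns", student))
    post = dispatch(api, Request("POST", "/api/admin/campaigns", student,
                                 {"name": "injected"}))
    return {
        "get_status": get.status,
        "data_leaked": get.data is not None,
        "post_status": post.status,
        "campaign_created": "injected" in api.campaigns,
    }


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_dispatch))
    print("fixed:     ", probe(fixed_dispatch))
```

Both dispatchers answer 403 to the non-admin, which is why a test that only inspects the status code passes against the vulnerable version; the probe instead asserts on the response body and on the server-side state, which is the check to run when verifying a fix for this advisory.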