GHSA-9gjv-jvm7-vv2v: Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users

April 9, 2026

Users with the Guest role could receive private sub-object data (e.g. private alternate names, private addresses, private note/citation/media handles) through list API endpoints such as GET /api/people/, GET /api/places/, GET /api/events/, and all other object list endpoints.

This does not expose objects (people, places, events, …) that are themselves marked private. Top-level private objects are correctly excluded from all responses. Only sub-object data attached to otherwise-public objects is affected.

References

github.com/advisories/GHSA-9gjv-jvm7-vv2v
github.com/gramps-project/gramps-web-api
github.com/gramps-project/gramps-web-api/releases/tag/v3.11.0
github.com/gramps-project/gramps-web-api/security/advisories/GHSA-9gjv-jvm7-vv2v

Code Behaviors & Features

Detect and mitigate GHSA-9gjv-jvm7-vv2v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →