Privilege Escalation: Any User Can Self-Appoint as Admin via /api/auth/set-role #3954

Description

@atul-upadhyay-7

The /api/auth/set-role endpoint allows any authenticated user (including newly registered users with no role) to set their own role to admin without any invite code or approval.

The invite code validation (lines 30-46) only covers teacher and institute roles — the admin role has no invite code requirement.

Impact

  • Any user who can authenticate (register/login) can grant themselves full admin privileges
  • Gains access to all admin-only endpoints (data retention, user management, session termination, audit logs)
  • Complete bypass of the RBAC system

Reproduction Steps

  1. Register a new user account
  2. Call POST /api/auth/set-role with { "role": "admin" }
  3. User is now an admin with full system access

Location

app/api/auth/set-role/route.js, Lines 15-74

Suggested Fix

  • Add an invite code check for the admin role (e.g., process.env.ADMIN_INVITE_CODE)
  • Or require that admin role can only be assigned by an existing admin via a separate admin-only endpoint
  • Change requireAuth(request) to requireAdmin(request) for the admin case

Metadata

Labels

No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests