HomeCVE Intelligence › CVE-2026-45730
CVSS 8.3 HIGH Vulnerability

CVE-2026-45730: Nuclio: Missing authorization on project write paths allows any authenticated user to mod…

This vulnerability exists in Nuclio Dashboard's project management API, allowing any authenticated user (without membership in the target project) to bypass OPA authorization checks on write paths (PUT /api/projects/{id…

8.3CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-45730
Vendorgo
Affected Productgithub.com/nuclio/nuclio
Vulnerability TypeVulnerability
CVSS Score8.3 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

This vulnerability exists in Nuclio Dashboard's project management API, allowing any authenticated user (without membership in the target project) to bypass OPA authorization checks on write paths (PUT /api/projects/{id}, DELETE /api/projects) and modify or delete any project along with all its associated resources (functions, API gateways, etc.). CWE classification: CWE-862 (Missing Authorization). ---

Summary Nuclio Dashboard correctly enforces OPA-based authorization on the project read path (GET /api/projects), populating MemberIds in PermissionOptions so OPA can filter results by user membership. However, the write paths (PUT /api/projects/{id} and DELETE /api/projects) construct PermissionOptions without setting MemberIds. The platform-layer `FilterProjectsByPerm

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-45730 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence