{"id":"PYSEC-2026-767","summary":"Access control issue in AlekSIS-Core","details":"An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are specifically set.","aliases":["CVE-2022-29773","GHSA-76x2-h8h3-cwjg"],"modified":"2026-07-07T11:45:46.884286142Z","published":"2026-07-06T08:03:30.504197Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29773"},{"type":"WEB","url":"https://aleksis.org/2022-05-04_advisory.html"},{"type":"PACKAGE","url":"https://edugit.org/AlekSIS/official/AlekSIS-Core"},{"type":"WEB","url":"https://edugit.org/AlekSIS/official/AlekSIS-Core/-/commit/0d39d5f566e1d916e3c8dedd3f5bd62161f30bd8"},{"type":"WEB","url":"https://edugit.org/AlekSIS/official/AlekSIS-Core/-/issues/688"},{"type":"WEB","url":"https://edugit.org/AlekSIS/official/AlekSIS-Core/-/merge_requests/1011"},{"type":"PACKAGE","url":"https://pypi.org/project/aleksis-core"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-76x2-h8h3-cwjg"}],"affected":[{"package":{"name":"aleksis-core","ecosystem":"PyPI","purl":"pkg:pypi/aleksis-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9"}]}],"versions":["2.0","2.0a3","2.0a3.dev0","2.0a4","2.0b0","2.0b1","2.0b2","2.0rc1","2.0rc2","2.0rc3","2.0rc4","2.0rc5","2.0rc6","2.0rc7","2.1","2.1.1","2.1.dev0","2.2","2.2.1","2.3","2.3.1","2.3.2","2.4","2.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.8","2.8.1","2.8.1.dev0","2.8.2.dev0","2.8.2.dev1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/aleksis-core/PYSEC-2026-767.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}