{"data":{"id":"0010148b-347f-408d-93cb-c3b2998da9fe","title":"GHSA-382c-vx95-w3p5: Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data","summary":"Two endpoints in Gittensory are missing access control checks that should restrict who can view contributor profiles. This means any user with a valid authentication token (a login credential) can view any miner's financial data, including their daily earnings in TAO (a cryptocurrency), alpha points, and USD value, plus their hotkey (a unique identifier). This is a type of IDOR vulnerability (insecure direct object reference, where attackers bypass permission checks to access resources they shouldn't see).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-382c-vx95-w3p5","publishedAt":"2026-07-09T13:44:51.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":["@jsonbored/gittensory-mcp@<= 0.1.0"],"affectedVendors":[],"affectedVendorsRaw":["Gittensory"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-07-09T13:44:51.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}