GHSA-382c-vx95-w3p5: Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
Summary
Two endpoints in Gittensory are missing access control checks that should restrict who can view contributor profiles. This means any user with a valid authentication token (a login credential) can view any miner's financial data, including their daily earnings in TAO (a cryptocurrency), alpha points, and USD value, plus their hotkey (a unique identifier). This is a type of IDOR vulnerability (insecure direct object reference, where attackers bypass permission checks to access resources they shouldn't see).
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-382c-vx95-w3p5
First tracked: July 9, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%