HTTP Verb Tampering Leads to Authorization Bypass on /archive/exist/team/ Directory

Disclosed by Mon3m
Summary by Mon3m

This report details a case of HTTP Verb Tampering affecting the /archive/exist/team/ directory on a NASA web application. While a GET request would return a 401 Unauthorized, a POST request granted access to restricted internal documents, including RFI responses, internal team communications, and technical data. The issue has been resolved, and this disclosure aims to raise awareness about Broken Access Control vulnerabilities that result from inconsistent HTTP method validation.
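The failure mode the summary describes is an authorization check written against one verb, so every other verb falls through to the resource. The following is an added example, not code from the report or from the affected application: a model of that mistake beside a deny-by-default handler, plus a method sweep a defender can run against their own protected paths as a regression check. The token value and the request dictionary shape are constructed for the example; only the path comes from the report.

```python
"""Added example: method-gated auth check vs. path-gated deny-by-default,
with a verb sweep that flags any unauthenticated 2xx on a protected path."""
from typing import Callable, Dict, List

METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS")
PROTECTED_PREFIX = "/archive/exist/team/"  # path from the report
VALID_TOKEN = "constructed-example-token"  # constructed, not a real credential

Request = Dict[str, str]  # {"method": ..., "path": ..., "authorization": ...}


def _authorized(req: Request) -> bool:
    return req.get("authorization") == f"Bearer {VALID_TOKEN}"


def vulnerable_handler(req: Request) -> int:
    """The auth check is tied to GET; POST and every other verb never reach
    it and fall through to the branch that serves the document (200)."""
    if req["path"].startswith(PROTECTED_PREFIX) and req["method"] == "GET":
        if not _authorized(req):
            return 401
    return 200


def hardened_handler(req: Request) -> int:
    """Deny-by-default: unsupported verbs are rejected first, and the auth
    check keys on the path alone so the verb cannot route around it."""
    if req["method"] not in ("GET", "HEAD"):
        return 405
    if req["path"].startswith(PROTECTED_PREFIX) and not _authorized(req):
        return 401
    return 200


def verb_sweep(handler: Callable[[Request], int], path: str) -> Dict[str, int]:
    """Issue the same unauthenticated request with every verb and record
    the status code each one receives."""
    return {m: handler({"method": m, "path": path}) for m in METHODS}


def bypassing_methods(handler: Callable[[Request], int], path: str) -> List[str]:
    """Verbs that return 2xx without credentials: each is an access-control gap."""
    return sorted(m for m, s in verb_sweep(handler, path).items() if 200 <= s < 300)


if __name__ == "__main__":
    print("vulnerable:", bypassing_methods(vulnerable_handler, PROTECTED_PREFIX))
    print("hardened:  ", bypassing_methods(hardened_handler, PROTECTED_PREFIX))
```

Run against a real deployment, the sweep should be pointed only at paths you own, and any verb in the result list should be treated with the same severity as the POST case in the report.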