Skip to content

NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries

Moderate severity GitHub Reviewed Published Jun 3, 2026 in nl-portal/nl-portal-backend-libraries • Updated Jul 8, 2026

Package

maven nl.nl-portal:besluiten (Maven)

Affected versions

>= 1.5.0, <= 3.0.0

Patched versions

3.0.1
maven nl.nl-portal:documenten-api (Maven)
<= 3.0.0
3.0.1

Description

Impact

In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user:

  • Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has lacked an authentication parameter since the initial commit of the project (2022-11-22) — so every version of nl.nl-portal:documenten-api ever published is affected (the earliest one on Maven Central is 0.2.2.RELEASE, published 2023-08-31).
  • Decisions (besluiten). A logged-in user could list, search, and read decision records — including their audit trails and the documents attached to them — for any user. The list query also accepted filters (decision type, identification, responsible organisation, related case), which made it easy to enumerate decisions across the user base. The besluiten module was introduced in the 1.5.x release line (commit 9229460b, 2024-08-19), so versions of nl.nl-portal:besluiten from 1.5.0 through 3.0.0 are affected.

Decisions and their attachments often contain sensitive personal data (decisions on benefits, permits, objections, and similar), so the confidentiality impact is high. The two endpoints also chain naturally: once an attacker has discovered another user's document IDs by enumerating decisions, they can pull those documents' contents through the document endpoint.

Why these two findings are reported together

They share the same root cause and the same shape. Both GraphQL resolvers were declared without an authentication parameter on the method signature, which meant the framework never bound the authenticated user into the resolver and the resolver therefore could not perform per-user authorization checks. The fix pattern is the same — bind the authenticated principal into the resolver, or remove the resolver entirely. And in practice the two endpoints reinforce each other as a chain (enumerate via decisions, exfiltrate via documents), so they describe a single end-to-end weakness in the GraphQL surface.

Patches

Upgrade to 3.0.1 or later.

  • nl.nl-portal:documenten-api — the resolver now declares the authentication parameter, so the framework binds the authenticated user into the call path. Fix commit: 32e0ebdf — "Add auth on DocumentContentQuery.kt".
  • nl.nl-portal:besluiten — the entire besluiten module is removed in 3.0.1. Consumers who rely on the besluiten functionality must implement a replacement at the application layer with explicit per-user authorization on every resolver before upgrading. Fix commit: f592af1b — "Removal of Besluiten API".

Workarounds

For deployments that cannot upgrade immediately:

  • Block the following GraphQL operations at the API gateway: getDocumentContent, getBesluiten, getBesluit, getBesluitAuditTrails, getBesluitAuditTrail, getBesluitDocumenten, getBesluitDocument.
  • If per-operation blocking is not possible, block the besluiten module's GraphQL types entirely and block the document-content query.

Technical details

  • nl.nlportal.documentenapi.graphql.DocumentContentQuery.getDocumentContent(documentApi, id) did not declare a CommonGroundAuthentication parameter on the resolver. The authenticated principal was therefore not bound into the call path and document content could be retrieved without the resolver participating in user-scoped authorization. Patched by adding authentication: CommonGroundAuthentication to the resolver signature, so Spring's argument resolution rejects unauthenticated invocations of the query.
  • nl.nlportal.besluiten.graphql.BesluitenQuery exposed six GraphQL operations — getBesluiten, getBesluit, getBesluitAuditTrails, getBesluitAuditTrail, getBesluitDocumenten, getBesluitDocument — none of which declared a CommonGroundAuthentication parameter. In particular, getBesluiten accepted filter arguments (besluitType, identificatie, verantwoordelijkeOrganisatie, zaak, pageNumber) but performed no user scoping, allowing callers to enumerate besluit records across users. The point-lookup operations (getBesluit, getBesluitAuditTrail, getBesluitDocument) returned data for any UUID without ownership checks. The fix is the removal of BesluitenQuery, BesluitenAutoConfiguration, and the integration test, and the autoconfiguration entry has been unwired from the application defaults.

Credits

Discovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.

References

Published to the GitHub Advisory Database Jul 8, 2026
Reviewed Jul 8, 2026
Last updated Jul 8, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS score

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

CVE ID

CVE-2026-49463

GHSA ID

GHSA-qpm9-h556-mwxm
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.