Users who joined later can see the data of deleted users in apache/inlong


Reported on

Apr 3rd 2023

Proof of Concept

1 admin create a user, named as user1

2 user1 login and create Inlong Group

3 admin delete user1

4 admin create aonther user, whose name is also user1

5 user1 login and can see the Inlong Group created by old user1


information disaclose

We are processing your report and will contact the apache/inlong team within 24 hours. 2 months ago
We have contacted a member of the apache/inlong team and are waiting to hear back 2 months ago
ASF Security Team validated this vulnerability a month ago

Thank you for your report, we confirm we consider this a security issue. We have a tentative fix at - would you be interested in confirming it indeed fixes the issue?

Following the process at , we are planning to create a release with the fix and then issue a CVE for this issue. We'd be happy to credit you in the CVE - how would you like to be credited?

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a month ago


would you be interested in confirming it indeed fixes the issue?


how would you like to be credited

credited me as

ASF Security Team marked this as fixed in 1.7.0 with commit 5ad870 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago
3 days ago


CVE-2023-31101 was disclosed for this issue

to join this conversation