Improper Access Control in chocobozzz/peertube


Reported on

Jan 8th 2022


Unauthenticated users can obtain comments on private videos

Proof of Concept

Vísit the following API link where 123 is the ID of the private video:


Response contains all the comments on that private video.


This vulnerability disclosure comments on private videos to unauthenticated users.

We are processing your report and will contact the chocobozzz/peertube team within 24 hours. 20 days ago
We have contacted a member of the chocobozzz/peertube team and are waiting to hear back 19 days ago
duongdpt modified their report
18 days ago
chocobozzz validated this vulnerability 18 days ago
duongdpt has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz confirmed that a fix has been merged on 84c8d9 18 days ago
chocobozzz has been awarded the fix bounty