Multiple Idor in sissbruecker/linkding


Reported on

Mar 19th 2022


There are multiple idors i found. In bookmarks/<int:bookmark_id>/edit, bookmarks/<int:bookmark_id>/remove, bookmarks/<int:bookmark_id>/archive, bookmarks/<int:bookmark_id>/unarchive. It gets the object provided in the bookmark_id without checking if the owner of the object is the current user.

Proof of Concept

1. Go to
2. The bookmark id 5 will be removed even if you dont own the bookmark. 



We are processing your report and will contact the sissbruecker/linkding team within 24 hours. a year ago
sissbruecker/linkding maintainer has acknowledged this report a year ago
a year ago


Thanks for reporting this @noobexploiterhuntrdev, this is kind of bad. But should be easy to fix. I'll try to get it done this week.

We have contacted a member of the sissbruecker/linkding team and are waiting to hear back a year ago
Sascha Ißbrücker validated this vulnerability a year ago
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sascha Ißbrücker marked this as fixed in 1.8.6 with commit 1ffc3e a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE has been validated has been validated has been validated has been validated
to join this conversation