Authorization Bypass Through User-Controlled Key

Summary

Khoj is a self-hostable artificial intelligence app. In versions through 1.28.4.dev93, an Insecure Direct Object Reference (IDOR) vulnerability in the "update_subscription" endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the "email" parameter in the request. The vulnerability exists in the subscription endpoint at "/api/subscription". The endpoint uses an "email" parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription. Support for arbitrarily presenting an "email" for update has been deprecated.