[BugFix] Unauthenticated POST /api/update_config can mutate live BE configuration #70946
Description
Bug Description
Severity: CRITICAL
Component: BE HTTP Service
Source file: be/src/service/service_be/http_service.cpp (line 254)
Root cause: UpdateConfigAction is registered via register_handler() directly with no authentication middleware. Any caller can POST arbitrary key-value pairs to mutate live runtime configuration without supplying any credentials.
Concrete failure scenario: A remote attacker can flip runtime knobs (e.g., disable compression, change storage format, alter memory limits) on a live BE node without authentication.
Steps to Reproduce
# Step 1: Read current value
curl -s 'http://<BE_HOST>:<BE_HTTP_PORT>/varz' | grep storage_format
# => storage_format_version=2
# Step 2: POST without any credentials to change config
curl -v -X POST 'http://<BE_HOST>:<BE_HTTP_PORT>/api/update_config?storage_format_version=1'
# => HTTP/1.1 200 OK {"status":"OK","msg":""}
# Step 3: Verify the value changed
curl -s 'http://<BE_HOST>:<BE_HTTP_PORT>/varz' | grep storage_format
# => storage_format_version=1
Actual Behavior
HTTP 200 OK with body {"status":"OK","msg":""}. Config value storage_format_version changed from 2 to 1 in the live BE process. Confirmed via /varz. No credentials were supplied.
Expected Behavior
Should return HTTP 401 or 403 without valid credentials. This endpoint mutates live runtime configuration and must require authentication.
Verification
POST /api/update_config successfully mutated storage_format_version from 2 to 1 (and back to 2) with zero credentials — no Authorization header, no token, no session cookie. The /varz endpoint confirmed the live value changed. Source at http_service.cpp:255–257 registers UpdateConfigAction directly with register_handler() with no auth middleware.
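An added regression check for this finding (example code, not the project's own): it repeats the probe above through a `send(method, path, headers)` callable returning `(status, body)`, so it can be pointed at a live node via urllib or, as here, at a small in-memory fake BE. `FakeBE`, `parse_varz` and `update_config_requires_auth` are assumed names for illustration.

```python
from urllib.parse import urlsplit, parse_qs


def parse_varz(body):
    """Parse the key=value lines served by /varz into a dict."""
    out = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


class FakeBE:
    """Constructed in-memory stand-in for a BE node (not real BE code).
    require_auth=False models the bug; True models the expected fix."""

    def __init__(self, require_auth, config=None):
        self.require_auth = require_auth
        self.config = dict(config or {"storage_format_version": "2"})

    def send(self, method, path, headers):
        url = urlsplit(path)
        if method == "GET" and url.path == "/varz":
            return 200, "\n".join(f"{k}={v}" for k, v in self.config.items())
        if method == "POST" and url.path == "/api/update_config":
            if self.require_auth and "Authorization" not in headers:
                return 401, '{"status":"FAILED","msg":"unauthorized"}'
            for k, vals in parse_qs(url.query).items():
                self.config[k] = vals[-1]
            return 200, '{"status":"OK","msg":""}'
        return 404, ""


def update_config_requires_auth(send, key="storage_format_version"):
    """True only if an unauthenticated POST is rejected with 401/403 AND the
    live value reported by /varz is unchanged. If the mutation went through,
    the previous value is restored before reporting failure."""
    before = parse_varz(send("GET", "/varz", {})[1]).get(key)
    probe = "1" if before != "1" else "2"  # a value that differs from current
    status, _ = send("POST", f"/api/update_config?{key}={probe}", {})
    after = parse_varz(send("GET", "/varz", {})[1]).get(key)
    if after != before:
        send("POST", f"/api/update_config?{key}={before}", {})
        return False
    return status in (401, 403)
```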
This bug was identified and reproduced by AI-assisted code review.
What type of issue is this:
- BugFix
Does this entail a change in behavior?
- Yes, this issue will result in a change in behavior.
Type of change:
- Interface/UI changes
Checklist
- Fix needs a regression test
- Fix may need user documentation update
Test Environment
| Tested Version | main-4d6435b (MySQL protocol 8.0.33) |
| Cluster | 3 BE nodes at 172.26.95.230-232:8040, FE at 172.26.95.233:9030 |