Description
Summary
All PocketBase data collections have empty access rules, allowing unauthenticated users to read, create, update, and delete all monitoring data. The users auth collection correctly has per-user rules, but this is not applied to any data collections.
Details
File: application/public/upload/data/pb_schema_latest.json
All 24+ data collections have:
{
"listRule": "",
"viewRule": "",
"createRule": "",
"updateRule": "",
"deleteRule": ""
}
In PocketBase, an empty string means "allow anyone, including unauthenticated users". This is different from null, which means "superusers only".
Affected collections include: services, servers, server_metrics, incidents, maintenance, ssl_certificates, ssl_history, alert_configurations, webhook, dns_data, docker_metrics, uptime_data, ping_data, tcp_data, operational_page, status_page_components, and more.
Compare with the users auth collection which correctly has per-user rules:
{
"name": "users",
"listRule": "id = @request.auth.id",
"viewRule": "id = @request.auth.id",
"updateRule": "id = @request.auth.id",
"deleteRule": "id = @request.auth.id"
}
The Go service operator confirms this design at server/service-operation/pocketbase/services.go, lines 19-20: "No authentication header needed for public access".
Impact
Any unauthenticated user who can reach the PocketBase instance can:
- Read all monitored service URLs, server IP addresses, and hostnames
- Access SSL certificate details and history
- Read and delete incident reports
- Modify alert configurations (disable monitoring alerts)
- Delete all services and monitoring data
- Access webhook configurations
Recommended Fix
Add authentication requirements to all data collections:
{
"listRule": "@request.auth.id != ''",
"viewRule": "@request.auth.id != ''",
"createRule": "@request.auth.id != ''",
"updateRule": "@request.auth.id != ''",
"deleteRule": "@request.auth.id != ''"
}
CWE-862 (Missing Authorization)
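The empty-string versus null distinction above, and the recommended fix, can both be checked mechanically against a schema export. The following Go program is an added example for this report, not code from the project: AuditSchema parses an export in the shape of pb_schema_latest.json and lists every rule that is the empty string (open to guests), ignoring null rules (superusers only) and real expressions; HardenSchema rewrites the empty rules to the recommended "@request.auth.id != ''" while leaving existing per-user rules such as the users collection's untouched. The embedded sampleSchema is constructed for the example and is not the project's file.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// ruleKeys are the API access rules every PocketBase collection carries in a schema export.
var ruleKeys = []string{"listRule", "viewRule", "createRule", "updateRule", "deleteRule"}

// AuthenticatedOnly is the rule the report recommends: any signed-in record may call the endpoint.
const AuthenticatedOnly = "@request.auth.id != ''"

// Finding names one collection/rule pair that the export leaves open to unauthenticated callers.
type Finding struct {
	Collection string
	Rule       string
}

// AuditSchema lists every rule whose value is the empty string ("anyone, including guests").
// A JSON null (Go nil after unmarshalling) is superuser-only and is not reported; a non-empty
// expression is an explicit rule and is not reported either.
func AuditSchema(schema []byte) ([]Finding, error) {
	var cols []map[string]any
	if err := json.Unmarshal(schema, &cols); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, c := range cols {
		name, _ := c["name"].(string)
		for _, k := range ruleKeys {
			if v, ok := c[k].(string); ok && v == "" {
				findings = append(findings, Finding{Collection: name, Rule: k})
			}
		}
	}
	return findings, nil
}

// HardenSchema returns a copy of the export in which every empty rule is replaced by
// AuthenticatedOnly. Null rules and existing expressions are left exactly as they were, so
// the users collection keeps its per-record "id = @request.auth.id" rules.
func HardenSchema(schema []byte) ([]byte, error) {
	var cols []map[string]any
	if err := json.Unmarshal(schema, &cols); err != nil {
		return nil, err
	}
	for _, c := range cols {
		for _, k := range ruleKeys {
			if v, ok := c[k].(string); ok && v == "" {
				c[k] = AuthenticatedOnly
			}
		}
	}
	return json.MarshalIndent(cols, "", "  ")
}

// sampleSchema is a constructed, minimal export in the shape of a PocketBase schema file
// (not the project's pb_schema_latest.json): one fully open collection, one correctly
// scoped auth collection, and one collection with a mix of an explicit rule and nulls.
const sampleSchema = `[
  {"name": "services", "type": "base",
   "listRule": "", "viewRule": "", "createRule": "", "updateRule": "", "deleteRule": ""},
  {"name": "users", "type": "auth",
   "listRule": "id = @request.auth.id", "viewRule": "id = @request.auth.id", "createRule": null,
   "updateRule": "id = @request.auth.id", "deleteRule": "id = @request.auth.id"},
  {"name": "server_metrics", "type": "base",
   "listRule": "@request.auth.id != ''", "viewRule": null, "createRule": null,
   "updateRule": null, "deleteRule": null}
]`

func main() {
	findings, err := AuditSchema([]byte(sampleSchema))
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("OPEN TO GUESTS: %s.%s\n", f.Collection, f.Rule)
	}
	hardened, err := HardenSchema([]byte(sampleSchema))
	if err != nil {
		fmt.Fprintln(os.Stderr, "harden failed:", err)
		os.Exit(1)
	}
	fmt.Println(string(hardened))
}
```

Running it against a real export (read the file instead of sampleSchema) prints one line per open rule; an empty audit after HardenSchema is the condition to verify before re-importing the schema. The authenticated-only rule is the minimum the report asks for; collections that should be scoped further (for example per-owner) still need their own expressions on top of it.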