SENAITE security fixes (June 2026) — CVE-2026-54569

On behalf of the SENAITE team, we are disclosing two security vulnerabilities in senaite.core and the remediation for each. The first is critical and unauthenticated; please act on it immediately.

1. Critical: unauthenticated remote code execution in the JSON API

GHSA-jrw6-7x4q-w25j / CVE-2026-54569, CVSS 9.8 (Critical).

Two chained weaknesses in the JSON API let an anonymous attacker run arbitrary Python in the Zope worker process and gain full read/write access to the ZODB:

  • CWE-95 (Eval Injection): RecordField / RecordsField values sent to /@@API/update were parsed with eval() on the raw request string.
  • CWE-862 (Missing Authorization): /@@API/update did not enforce the senaite.core: Access JSON API permission before processing the request.

No authentication is required; the flaw is reachable by anonymous callers over ordinary HTTP.

Affected versions: senaite.core >= 2.0.0, <= 2.6.0.

Remediation, apply the hotfix now. It ships the fix as runtime monkey patches (safe ast.literal_eval parsing plus the missing permission checks) and works with senaite.core 2.0.0 to 2.6.0 without a core upgrade. Add the egg to your buildout:

[instance]
eggs +=
    SenaiteHotfix20260602

Re-run buildout and restart the instance. No further configuration is required.

Package: Client Challenge

If you cannot patch right away, restrict access to the JSON API at your reverse proxy (for example, block requests to /@@API/update) until the hotfix is in place.

2. Unauthenticated user enumeration via @@API/getusers

Severity: High. The @@API/getusers endpoint performed no authentication check, so an anonymous client could enumerate all user accounts and their roles by querying the endpoint one role at a time. In a production laboratory this exposes staff accounts and their roles, enabling targeted attacks such as credential stuffing or spear phishing.

Affected versions: 2.6.0 and earlier.
Fixed in: 2.7.0.

Upgrade to 2.7.0 to remediate. This endpoint is separate from the JSON API RCE above and is not covered by the hotfix.

Credits and acknowledgements

We are grateful to the researchers who responsibly disclosed these issues:

  • The unauthenticated RCE (CVE-2026-54569) was discovered and reported by Machine Spirits UG: Dr. Simon Weber, Dipl.-Inf. Volker Schönefeld, and Chiara Fliegner.
  • The unauthenticated user enumeration in @@API/getusers was independently reported by Jérémy Luyé-tanet (Synacktiv). The issue had already been fixed in the development branch (2.7.0) by the time of the report, but we thank him for the analysis and for coordinating disclosure.

The RCE hotfix was prepared by RIDING BYTES & NARALABS.

Reporting security issues

Please report vulnerabilities privately through GitHub security advisories, rather than in public issues.