CVE-2026-39386: Mass Assignment Privilege Escalation in Neko WebRTC Browser

Neko is a self-hosted virtual browser deployment application relying on Docker and WebRTC technologies. It exposes a web-based API to manage user sessions, room configurations, and stream controls. The system relies on this API to handle all state changes and user interactions.

The core vulnerability resides in this API, specifically within the user profile management endpoints. The system implements an endpoint intended to allow users to update benign profile attributes such as their display name. Due to improper input validation, this endpoint processes structural modifications to the underlying user data model.

The resulting mass assignment vulnerability allows any authenticated user to elevate their own privileges. The vulnerability does not require complex memory corruption or race conditions. It relies entirely on the predictable mapping between user-supplied JSON keys and backend data structures.

The vulnerability exists within the UpdateProfile function located in server/internal/api/session.go. When a user submits an HTTP request to modify their profile, the application retrieves the current MemberProfile structure from the active session. The application then passes this structure directly to a JSON unmarshalling utility function named utils.HttpJsonRequest.

Go's encoding/json package, which underlies this utility, automatically maps keys from the incoming JSON payload to exported fields in the target struct. The MemberProfile struct defines several fields that dictate user permissions and administrative status. The unmarshalling process does not differentiate between fields intended for user modification and fields reserved for system authorization.

Because the application uses the primary data model directly as a Data Transfer Object (DTO) for the incoming request, it fails to enforce an explicit boundary. The application lacks struct tags or intermediate validation steps to filter restricted parameters. This architectural design directly results in CWE-269 (Improper Privilege Management).

The vulnerable implementation demonstrates a critical flaw in data binding. The application defines the profile variable using the current session state and immediately passes a pointer to this data into the unmarshalling function.

// Vulnerable implementation (Pre-patch)
func (api *ApiManagerCtx) UpdateProfile(w http.ResponseWriter, r *http.Request) error {
    session, _ := auth.GetSession(r)
    data := session.Profile()
    if err := utils.HttpJsonRequest(w, r, &data); err != nil {
        return err
    }
    err := api.sessions.Update(session.ID(), data)
    // ...
}

This implementation allows any provided JSON key to overwrite the corresponding struct field if the types match. The patched implementation introduces a strict allow-list approach for non-administrative users.

// Patched implementation
func (api *ApiManagerCtx) UpdateProfile(w http.ResponseWriter, r *http.Request) error {
    session, _ := auth.GetSession(r)
    profile := session.Profile()
 
    if !profile.IsAdmin {
        var payload types.MemberProfile
        if err := utils.HttpJsonRequest(w, r, &payload); err != nil {
            return err
        }
        profile.Name = payload.Name
    } else {
        if err := utils.HttpJsonRequest(w, r, &profile); err != nil {
            return err
        }
    }
    err := api.sessions.Update(session.ID(), profile)
    // ...
}

The patch checks the user's current administrative status before processing the request. Non-administrative users now have their input unmarshalled into a separate, temporary payload structure. The application then explicitly copies only the Name field from the temporary structure into the actual session profile. This remediation eliminates the mass assignment vector by breaking the direct binding between the HTTP request and the persistent session state model.

The exploitation methodology requires an attacker to possess valid authentication credentials for a low-privileged account on the target Neko instance. The attacker must also have network routing access to the API endpoints. No administrative intervention or social engineering is required to execute the attack.

The attack involves intercepting or constructing an HTTP request directed at the profile update endpoint. The attacker formats the request body as JSON and includes the specific field required to modify the administrative state.

{
  "is_admin": true,
  "name": "ElevatedUser"
}

The attacker transmits this payload via a POST or PUT request to the /api/profile endpoint. The application processes the request, unmarshals the is_admin key, and updates the session data store.

The system grants the attacker full administrative permissions immediately upon the subsequent request or session refresh. The attacker maintains this elevated access for the duration of the session.

Exploitation results in a complete compromise of the application's authorization framework. The attacker obtains identical capabilities to a legitimate system administrator. The attacker can execute administrative actions such as creating new user accounts, deleting existing users, and modifying access policies.

The attacker also gains complete control over the virtual browser environment. This control includes modifying room configurations, changing system passwords, altering browser settings, and managing active broadcasts. The attacker can interact with any data processed within the virtual browser sessions.

The attacker can terminate active sessions and forcibly disconnect legitimate users. This broad access model directly affects the confidentiality, integrity, and availability of the system. The CVSS 3.1 score of 8.8 accurately reflects the high severity and low complexity of this uncontrolled privilege escalation.

The primary remediation strategy requires upgrading the Neko application to a patched version. Administrators operating the 3.0 release branch must deploy version 3.0.11 or later. Administrators operating the 3.1 release branch must deploy version 3.1.2 or later.

Organizations unable to apply the software updates immediately must implement temporary technical controls. Administrators can restrict network access to the API using a reverse proxy configuration. A reverse proxy or web application firewall can block requests targeting the /api/profile endpoint using methods other than GET, effectively preventing exploitation while disabling profile modification functionality.

Security teams must monitor application logs for unexpected access patterns targeting the profile endpoint. Auditing the administrative user list is necessary to detect successful exploitation attempts that occurred prior to patch application. All unauthorized administrative accounts discovered during this audit must be revoked immediately.