CVE (reserved): CVE-2023-37749
Reported via: Bugcrowd (submission ID: a6cbaf98-990e-4905-af9f-18487104d02b)
Reporter: Décio Brandão Junior
Discovery date: 04 Jul 2023
Status: Public disclosure (sanitized)
Vendor: HubSpot
Affected component: REST API endpoints used by the Users UI (internal options / pagedFetch endpoints)
Observed version / flow: APP HubSpot (UI versions observed in traffic)
An Incorrect Access Control vulnerability exists in HubSpot APP that may allow an authenticated, low-privileged user to retrieve organization user data (names, emails) by modifying intercepted UI requests. The issue is caused by inadequate server-side authorization on certain internal API endpoints.
This advisory is sanitized: tenant identifiers, session tokens and any customer-identifying values have been redacted. Full technical artifacts (Burp project, raw requests/responses, timing evidence, Bugcrowd thread and payout confirmation) are available to HubSpot/MITRE/CERT under NDA.
- UI listing request (observed): GET /api/app-users/v1/seat-purchase/downgrade-state?portalId=&…
- Internal endpoint abused (observed): GET /api/external-options/v2/pagedFetch/0-1/OWNER?useIndexOffset=true&portalId=&…&includeDeleted=true
- Confidentiality: disclosure of registered user data for an organization (name, email).
- Operational: increases risk of targeted phishing and user enumeration.
- Scope: if present in product code (rather than instance config), other deployments may be affected.
- Authenticate with a non-privileged account.
- Intercept a legitimate Users UI request (example: /api/app-users/v1/seat-purchase/downgrade-state?...).
- Replace the request path with the internal options endpoint /api/external-options/v2/pagedFetch/.../OWNER?...&includeDeleted=true.
- Reuse the legitimate session cookie and resend the request.
- The server responds with JSON containing user entries (fields such as id, name, email) that the caller should not be authorized to view.
Note: in the examples above, portalId is redacted as <REDACTED>. Do not attempt exploitation on production systems without explicit authorization.
Server-side endpoints returning owner/admin data do not consistently enforce role/permission checks; access control is effectively enforced only on the client side for certain UI flows.
- Enforce strict server-side authorization checks on /api/external-options/* and related internal endpoints.
- Limit response fields for non-privileged callers (do not return full user lists to basic users).
- Apply principle of least privilege for API sessions/tokens.
- Log and alert on unexpected enumeration requests to internal endpoints.
- If the vendor issues a patch or config change, publish an official vendor advisory and reference it here.
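The first three mitigations above, shown as an added example that is not HubSpot's code: a server-side handler for a pagedFetch/OWNER-style request that checks tenant and role on every call, returns only a minimal own-record view to basic users, and records denied widening attempts (includeDeleted from a non-privileged session) for alerting. The role name, the session model and the user directory are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample directory; names and e-mail addresses are placeholders.
USERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.invalid", "deleted": False},
    {"id": 2, "name": "Bob Example", "email": "bob@example.invalid", "deleted": False},
    {"id": 3, "name": "Carol Example", "email": "carol@example.invalid", "deleted": True},
]
PRIVILEGED_ROLES = {"admin"}   # assumed role name, not HubSpot's role model
AUDIT_LOG = []                 # stand-in for a SIEM / alerting sink


@dataclass
class Session:
    user_id: int
    portal_id: str
    roles: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


def paged_fetch_owner(session, portal_id, include_deleted=False):
    """Authorization runs here, on every request, instead of relying on the
    Users UI never to send this call from a low-privileged account."""
    # 1. Tenant scoping: the session must belong to the requested portal.
    if session.portal_id != portal_id:
        AUDIT_LOG.append(("deny", session.user_id, "portal_mismatch"))
        raise Forbidden("portal mismatch")
    privileged = bool(session.roles & PRIVILEGED_ROLES)
    # 2. Basic users may not widen the query; log the attempt for alerting.
    if include_deleted and not privileged:
        AUDIT_LOG.append(("deny", session.user_id, "includeDeleted_by_basic_user"))
        raise Forbidden("includeDeleted requires a privileged role")
    # 3. Privileged callers get the full owner list (id, name, email).
    if privileged:
        rows = [u for u in USERS if include_deleted or not u["deleted"]]
        return [{"id": u["id"], "name": u["name"], "email": u["email"]} for u in rows]
    # 4. Basic callers see only their own record, and no e-mail addresses.
    rows = [u for u in USERS if u["id"] == session.user_id and not u["deleted"]]
    return [{"id": u["id"], "name": u["name"]} for u in rows]
```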
- 2023-07-04 — Bug reported via Bugcrowd (submission ID a6cbaf98-990e-4905-af9f-18487104d02b).
- 2023-07-17 — Bugcrowd triaged and validated the submission.
- 2023-07-21 — HubSpot (representative) acknowledged and forwarded to dev team.
- 2025-10-21 — Public sanitized advisory published (this document).
- Bugcrowd submission (private): a6cbaf98-990e-4905-af9f-18487104d02b
- Researcher contact: https://www.linkedin.com/in/d%C3%A9cio-brand%C3%A3o-792321116/
HubSpot triaged and validated this issue via Bugcrowd, and confirmed remediation on their side.
The issue was marked as Resolved (Fixed) in the Bugcrowd platform after internal review.
No customer action was required — the fix was applied server-side.
This advisory is published only for transparency and historical tracking under CVE-2023-37749. Full technical artifacts available on request to HubSpot/MITRE under NDA (Burp project, raw requests/responses, timing evidence, Bugcrowd thread and payout confirmation).