Summary
All PocketBase data collections have empty access rules, allowing unauthenticated users to read, create, update, and delete all monitoring data. The users auth collection correctly has per-user rules, but no equivalent rules are applied to any of the data collections.
Details
File: application/public/upload/data/pb_schema_latest.json
All 24+ data collections have:
{
"listRule": "",
"viewRule": "",
"createRule": "",
"updateRule": "",
"deleteRule": ""
}
In PocketBase, an empty-string rule means "allow anyone, including unauthenticated users". This is different from null, which means "superusers only". A collection whose five rules are all empty strings is therefore fully public over the REST API: any client that can reach the instance can list, read, create, update, and delete its records at /api/collections/<name>/records without presenting any token.
Affected collections include: services, servers, server_metrics, incidents, maintenance, ssl_certificates, ssl_history, alert_configurations, webhook, dns_data, docker_metrics, uptime_data, ping_data, tcp_data, operational_page, status_page_components, and more.
Compare with the users auth collection which correctly has per-user rules:
{
"name": "users",
"listRule": "id = @request.auth.id",
"viewRule": "id = @request.auth.id",
"updateRule": "id = @request.auth.id",
"deleteRule": "id = @request.auth.id"
}
The Go service operator confirms this is intentional at server/service-operation/pocketbase/services.go, lines 19-20: "No authentication header needed for public access".
Impact
Any unauthenticated user who can reach the PocketBase instance can:
- Read all monitored service URLs, server IP addresses, and hostnames
- Access SSL certificate details and history
- Read and delete incident reports
- Modify alert configurations (disable monitoring alerts)
- Delete all services and monitoring data
- Access webhook configurations
Recommended Fix
Add an authentication requirement to every data collection. At minimum, require a signed-in user for each operation:
{
"listRule": "@request.auth.id != ''",
"viewRule": "@request.auth.id != ''",
"createRule": "@request.auth.id != ''",
"updateRule": "@request.auth.id != ''",
"deleteRule": "@request.auth.id != ''"
}
Three points to check when applying this:
- @request.auth.id != '' only requires a valid auth record; any registered user can still read and modify every record. If the data is per-user or per-team, scope the rules to an owner or role field (as the users collection already does with id = @request.auth.id) rather than stopping at "any authenticated user".
- Collections that back a public status page (for example operational_page and status_page_components) may legitimately need a public listRule and viewRule. Keep those two rules open only where that is required, and never leave createRule, updateRule, or deleteRule empty.
- The Go service operator in server/service-operation/pocketbase/services.go currently sends no authentication header, so its requests will be rejected once the rules are tightened. It must authenticate to PocketBase with credentials that satisfy the new rules as part of the same change.
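To audit an exported schema for this class of misconfiguration and to produce a hardened copy, here is an added Go example written for this advisory; it is not code from the project or from PocketBase. It parses a constructed, cut-down stand-in for pb_schema_latest.json (the sampleSchema constant below is not the real export), reports every collection with at least one public rule, distinguishes "" (public) from null (superuser-only) exactly as PocketBase does, and rewrites public rules to the recommended auth-only rule while optionally keeping listRule/viewRule public for named read-only collections. The function names auditSchema and hardenSchema and the keepPublicRead allowlist are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// authOnly is the rule the advisory recommends: the request must carry a
// valid auth record. PocketBase accepts either quote style in rule expressions.
const authOnly = "@request.auth.id != ''"

// ruleKeys are the five per-collection API rules in a pb_schema export.
var ruleKeys = []string{"listRule", "viewRule", "createRule", "updateRule", "deleteRule"}

// classify maps a raw rule value to its PocketBase meaning:
// missing or null -> superusers only; "" -> anyone; anything else -> filter expression.
func classify(v any, present bool) string {
	if !present || v == nil {
		return "superuser-only"
	}
	if s, ok := v.(string); ok && s == "" {
		return "public"
	}
	return "restricted"
}

// finding records one collection and the rule keys that are open to unauthenticated clients.
type finding struct {
	Collection  string
	PublicRules []string
}

// auditSchema parses a schema export (a JSON array of collections) and returns
// every collection that has at least one public rule, in export order.
func auditSchema(raw []byte) ([]finding, error) {
	var cols []map[string]any
	if err := json.Unmarshal(raw, &cols); err != nil {
		return nil, fmt.Errorf("parse schema: %w", err)
	}
	var out []finding
	for _, c := range cols {
		name, _ := c["name"].(string)
		var public []string
		for _, k := range ruleKeys {
			v, present := c[k]
			if classify(v, present) == "public" {
				public = append(public, k)
			}
		}
		if len(public) > 0 {
			out = append(out, finding{Collection: name, PublicRules: public})
		}
	}
	return out, nil
}

// hardenSchema rewrites every public rule to authOnly and returns the re-encoded
// schema. Collections named in keepPublicRead (e.g. a public status page) keep a
// public listRule/viewRule but still lose public create/update/delete. Rules that
// are null or already restricted are left untouched; all other keys are preserved.
func hardenSchema(raw []byte, keepPublicRead map[string]bool) ([]byte, error) {
	var cols []map[string]any
	if err := json.Unmarshal(raw, &cols); err != nil {
		return nil, fmt.Errorf("parse schema: %w", err)
	}
	for _, c := range cols {
		name, _ := c["name"].(string)
		for _, k := range ruleKeys {
			v, present := c[k]
			if classify(v, present) != "public" {
				continue
			}
			if keepPublicRead[name] && (k == "listRule" || k == "viewRule") {
				continue
			}
			c[k] = authOnly
		}
	}
	return json.MarshalIndent(cols, "", "  ")
}

// sampleSchema is a constructed stand-in for pb_schema_latest.json (not the real
// export): two fully public data collections and a users auth collection with
// per-user rules and a null createRule.
const sampleSchema = `[
  {"name": "services", "type": "base",
   "listRule": "", "viewRule": "", "createRule": "", "updateRule": "", "deleteRule": ""},
  {"name": "users", "type": "auth",
   "listRule": "id = @request.auth.id", "viewRule": "id = @request.auth.id",
   "createRule": null, "updateRule": "id = @request.auth.id", "deleteRule": "id = @request.auth.id"},
  {"name": "status_page_components", "type": "base",
   "listRule": "", "viewRule": "", "createRule": "", "updateRule": "", "deleteRule": ""}
]`

func main() {
	before, err := auditSchema([]byte(sampleSchema))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range before {
		fmt.Printf("%-24s public: %v\n", f.Collection, f.PublicRules)
	}
	hardened, err := hardenSchema([]byte(sampleSchema), map[string]bool{"status_page_components": true})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	after, _ := auditSchema(hardened)
	fmt.Println("after hardening:")
	for _, f := range after {
		fmt.Printf("%-24s public: %v\n", f.Collection, f.PublicRules)
	}
}
```

Run against the real export by replacing sampleSchema with the file contents; any collection that still appears in the "after hardening" output with more than listRule/viewRule is one whose public access was left in place deliberately and should be justified in the fix.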
CWE-862 (Missing Authorization)