
Unauthenticated PATCH /v2/resume/:runID Leading to Oracle Task Hijacking #21904

@jumbobaam

A critical access control vulnerability exists in the Chainlink node codebase because the PATCH /v2/resume/:runID endpoint is registered on the unauthenticated v2 router instead of the authenticated v2 router. In the verified local source tree, core/web/router.go mounts the endpoint as unauthedv2.PATCH("/resume/:runID", prc.Resume), which allows unauthenticated network callers to invoke the resume handler for pipeline runs without API authentication.
This condition can enable arbitrary resumption of suspended runs with attacker-controlled input, which may alter oracle task execution outcomes and affect downstream consumers that trust the resulting job output.

Affected Component

- Program: Chainlink
- Scope: chainlink-core
- File: core/web/router.go
- Verified line: 244

Proof of Verification:

The following local PowerShell command was used against the checked-out Chainlink source tree to verify the route registration:

```powershell
Select-String -Path "core\web\router.go" -Pattern "resume" -Context 5,5
```

Observed output:

```
core\web\router.go:239:func v2Routes(app chainlink.Application, r *gin.RouterGroup) {
core\web\router.go:240: unauthedv2 := r.Group("/v2")
core\web\router.go:241:
core\web\router.go:242: prc := PipelineRunsController{app}
core\web\router.go:243: psec := PipelineJobSpecErrorsController{app}
core\web\router.go:244: unauthedv2.PATCH("/resume/:runID", prc.Resume)
core\web\router.go:245:
core\web\router.go:246: authv2 := r.Group("/v2", auth.Authenticate(app.AuthenticationProvider(),
core\web\router.go:247: auth.AuthenticateByToken,
core\web\router.go:248: auth.AuthenticateBySession,
core\web\router.go:249: ))
```

This confirms that the route is currently mounted on the unauthenticated router group.

Reproduction Steps:

These steps should only be performed against a node you own or an explicitly authorized testing environment.

1. Deploy or run a Chainlink node instance with the vulnerable code.
2. Create or identify a suspended pipeline run.
3. Send an unauthenticated HTTP PATCH request to /v2/resume/:runID.
4. Include attacker-controlled JSON in the request body, for example a forged result value.
5. Observe whether the run resumes successfully without prior authentication.
6. Verify whether the injected result is consumed by the resumed pipeline execution.

Illustrative request:

```http
PATCH /v2/resume/ HTTP/1.1
Host: target-node
Content-Type: application/json

{"result":"1000000"}
```

Successful unauthenticated resumption demonstrates the access control failure.

Impact

An unauthenticated attacker who can reach the Chainlink node API may be able to:

- Resume suspended pipeline runs without valid credentials.
- Supply attacker-controlled result values when resuming tasks.
- Tamper with data flowing through oracle jobs.
- Grief automation or pipeline execution by resuming jobs with malicious or invalid data.
- Influence downstream systems that consume the output of resumed runs.

2026-04-04-09-37-25.mp4
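
The registration pattern in the Select-String output above (a state-changing verb attached to a group created with no middleware argument) can be flagged mechanically in review or CI. The following Go check is an added example, not part of the original report or of the Chainlink code base; `AuditRoutes`, `Finding`, `sampleRouter` and the `/example` route are hypothetical names, and the heuristic only sees middleware passed directly to `Group(...)`, not middleware attached later with `.Use()`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the router.go excerpt quoted in the report, condensed.
const sampleRouter = `func v2Routes(app chainlink.Application, r *gin.RouterGroup) {
	unauthedv2 := r.Group("/v2")
	unauthedv2.PATCH("/resume/:runID", prc.Resume)
	authv2 := r.Group("/v2", auth.Authenticate(app.AuthenticationProvider(),
		auth.AuthenticateByToken, auth.AuthenticateBySession))
	authv2.PATCH("/example", prc.Resume) // hypothetical route, for contrast
}`

var (
	// x := r.Group("/prefix")  or  x := r.Group("/prefix", middleware...
	groupRe = regexp.MustCompile(`^\s*(\w+)\s*:=\s*\w+\.Group\(\s*"([^"]*)"\s*(\)|,)`)
	// x.PATCH("/path", ...) and the other state-changing verbs
	routeRe = regexp.MustCompile(`^\s*(\w+)\.(POST|PUT|PATCH|DELETE)\(\s*"([^"]*)"`)
)

// Finding is one state-changing route whose group has no middleware.
type Finding struct{ Line int; Method, Path string }

// AuditRoutes flags POST/PUT/PATCH/DELETE routes registered on a gin group
// that was created with a path only (assumption: auth is passed to Group()).
func AuditRoutes(src string) []Finding {
	bare := map[string]string{} // group variable -> path prefix
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		if m := groupRe.FindStringSubmatch(line); m != nil {
			if m[3] == ")" {
				bare[m[1]] = m[2] // Group("/v2") closed right after the path
			} else {
				delete(bare, m[1]) // Group("/v2", <middleware>...)
			}
		} else if m := routeRe.FindStringSubmatch(line); m != nil {
			if prefix, ok := bare[m[1]]; ok {
				out = append(out, Finding{i + 1, m[2], prefix + m[3]})
			}
		}
	}
	return out
}

func main() {
	fmt.Printf("%+v\n", AuditRoutes(sampleRouter))
}
```

Each finding is a prompt for review rather than a verdict: a route may be intentionally unauthenticated, and the reviewer then confirms what else protects it.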
