Summary
All PocketBase data collections have empty access rules, allowing unauthenticated users to read, create, update, and delete all monitoring data. The users auth collection correctly has per-user rules, but this is not applied to any data collections.
Details
File: application/public/upload/data/pb_schema_latest.json
All 24+ data collections have:
{
"listRule": "",
"viewRule": "",
"createRule": "",
"updateRule": "",
"deleteRule": ""
}In PocketBase, empty string means "allow anyone, including unauthenticated users". This is different from null which means "superusers only".
Affected collections include: services, servers, server_metrics, incidents, maintenance, ssl_certificates, ssl_history, alert_configurations, webhook, dns_data, docker_metrics, uptime_data, ping_data, tcp_data, operational_page, status_page_components, and more.
Compare with the users auth collection which correctly has per-user rules:
{
"name": "users",
"listRule": "id = @request.auth.id",
"viewRule": "id = @request.auth.id",
"updateRule": "id = @request.auth.id",
"deleteRule": "id = @request.auth.id"
}The Go service operator confirms this design at server/service-operation/pocketbase/services.go line 19-20: "No authentication header needed for public access".
Impact
Any unauthenticated user who can reach the PocketBase instance can:
- Read all monitored service URLs, server IP addresses, and hostnames
- Access SSL certificate details and history
- Read and delete incident reports
- Modify alert configurations (disable monitoring alerts)
- Delete all services and monitoring data
- Access webhook configurations
Recommended Fix
Add authentication requirements to all data collections:
{
"listRule": "@request.auth.id != ''",
"viewRule": "@request.auth.id != ''",
"createRule": "@request.auth.id != ''",
"updateRule": "@request.auth.id != ''",
"deleteRule": "@request.auth.id != ''"
}CWE-862 (Missing Authorization)
Summary
All PocketBase data collections have empty access rules, allowing unauthenticated users to read, create, update, and delete all monitoring data. The
usersauth collection correctly has per-user rules, but this is not applied to any data collections.Details
File:
application/public/upload/data/pb_schema_latest.jsonAll 24+ data collections have:
{ "listRule": "", "viewRule": "", "createRule": "", "updateRule": "", "deleteRule": "" }In PocketBase, empty string means "allow anyone, including unauthenticated users". This is different from
nullwhich means "superusers only".Affected collections include:
services,servers,server_metrics,incidents,maintenance,ssl_certificates,ssl_history,alert_configurations,webhook,dns_data,docker_metrics,uptime_data,ping_data,tcp_data,operational_page,status_page_components, and more.Compare with the
usersauth collection which correctly has per-user rules:{ "name": "users", "listRule": "id = @request.auth.id", "viewRule": "id = @request.auth.id", "updateRule": "id = @request.auth.id", "deleteRule": "id = @request.auth.id" }The Go service operator confirms this design at
server/service-operation/pocketbase/services.goline 19-20: "No authentication header needed for public access".Impact
Any unauthenticated user who can reach the PocketBase instance can:
Recommended Fix
Add authentication requirements to all data collections:
{ "listRule": "@request.auth.id != ''", "viewRule": "@request.auth.id != ''", "createRule": "@request.auth.id != ''", "updateRule": "@request.auth.id != ''", "deleteRule": "@request.auth.id != ''" }CWE-862 (Missing Authorization)