From 6dfa3beb2b6ab23438d0f4395b84bf0749eb4820 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Mon, 29 Dec 2025 17:03:02 +0200
Subject: [PATCH] Security Fix 8: Attachments publication leaks metadata without auth. Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !
---
 server/publications/attachments.js | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/server/publications/attachments.js b/server/publications/attachments.js
index ae421b8c8..d618012f8 100644
--- a/server/publications/attachments.js
+++ b/server/publications/attachments.js
@@ -2,8 +2,35 @@
 import Attachments from '/models/attachments';
 import { ObjectID } from 'bson';
 Meteor.publish('attachmentsList', function(limit) {
+  const userId = this.userId;
+
+  // Get boards the user has access to
+  const userBoards = ReactiveCache.getBoards({
+    $or: [
+      { permission: 'public' },
+      { members: { $elemMatch: { userId, isActive: true } } }
+    ]
+  }).map(board => board._id);
+
+  if (userBoards.length === 0) {
+    // User has no access to any boards, return empty cursor
+    return this.ready();
+  }
+
+  // Get cards from those boards
+  const userCards = ReactiveCache.getCards({
+    boardId: { $in: userBoards },
+    archived: false
+  }).map(card => card._id);
+
+  if (userCards.length === 0) {
+    // No cards found, return empty cursor
+    return this.ready();
+  }
+
+  // Only return attachments for cards the user has access to
   const ret = ReactiveCache.getAttachments(
-    {},
+    { 'meta.cardId': { $in: userCards } },
     { fields: {
       _id: 1,