CVE-2021-41111: CWE-639: Authorization Bypass Through User-Controlled Key in rundeck rundeck
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.
AI Analysis
Technical Summary
CVE-2021-41111 is an authorization bypass in Rundeck, the open-source automation platform (web console, command line tools and a WebAPI) used to orchestrate jobs and workflows across IT environments. Affected releases are everything before 3.3.15 and the 3.4.x line from 3.4.0 up to but not including 3.4.5. An authenticated user who holds read authorization for webhooks in one project can craft a request that returns webhook definitions, including their tokens, from a project they are not authorized for. The advisory does not publish the request itself, but the CWE-639 classification (Authorization Bypass Through User-Controlled Key) describes the usual shape of the bug: the authorization check is evaluated for the project the caller names, while the webhook record is selected by a caller-supplied identifier that is not constrained to that project, so the two are never tied together. A Rundeck webhook token is what authorizes a POST to the webhook URL, so disclosing it is equivalent to being able to trigger the webhook; the advisory notes exactly this. Impact therefore depends on how far authenticated users are trusted and on what the webhooks do: a webhook wired to a deployment, rollback or configuration job turns a read-only leak into an integrity problem. The attacker needs nothing beyond an account with webhook read in at least one project. No workaround is known; the fix is in 3.3.15 and 3.4.5. No exploitation in the wild had been reported at the time of this analysis.
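To make the CWE-639 shape concrete, here is an added Python model of the bug and its fix. This is illustrative code written for this page, not Rundeck's implementation: the Webhook record, the ACL table, the two lookup functions and the sample projects are all assumptions, since the advisory does not publish the real endpoint or request. The vulnerable path authorizes on the project named in the request and then loads the record by a caller-chosen id; the fixed path scopes the lookup to that project and re-checks authorization against the project the record actually belongs to.

```python
"""Model of the CWE-639 pattern behind CVE-2021-41111 (added example, not Rundeck code).

The Webhook record, the ACL table and both lookup functions are assumptions made
for the demonstration; the advisory does not publish the real endpoint or request.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is not authorized for the project it named."""


class NotFound(Exception):
    """No webhook with that id in the caller's project."""


@dataclass(frozen=True)
class Webhook:
    id: int           # globally unique, sequential, so trivially guessable
    project: str
    name: str
    auth_token: str   # bearer secret: holding it is enough to fire the webhook


# Constructed sample data: two projects with one webhook each.
WEBHOOKS = {
    1: Webhook(1, "alpha", "alpha-deploy", "tok-alpha-111"),
    2: Webhook(2, "beta", "beta-prod-rollback", "tok-beta-222"),
}

# Constructed ACL: projects in which each user may read webhooks.
ACL = {
    "alice": {"alpha"},          # only alpha
    "bob": {"alpha", "beta"},    # both
}


def can_read_webhooks(user: str, project: str) -> bool:
    return project in ACL.get(user, set())


def lookup_webhook_vulnerable(user: str, project: str, webhook_id: int) -> Webhook:
    """Authorize on the project the caller names, then load by the key the caller supplies.

    Nothing ties the two together: alice, who may read webhooks in alpha, asks for
    project="alpha", webhook_id=2 and gets beta's definition and token back.
    """
    if not can_read_webhooks(user, project):
        raise Forbidden(f"{user} may not read webhooks in {project}")
    try:
        return WEBHOOKS[webhook_id]
    except KeyError:
        raise NotFound(webhook_id) from None


def lookup_webhook_fixed(user: str, project: str, webhook_id: int) -> Webhook:
    """Scope the lookup to the authorized project and decide on the object's own project.

    A webhook that lives in another project is reported exactly like a missing
    one, so the response does not even confirm that the id exists elsewhere.
    """
    if not can_read_webhooks(user, project):
        raise Forbidden(f"{user} may not read webhooks in {project}")
    hook = WEBHOOKS.get(webhook_id)
    if hook is None or hook.project != project:
        raise NotFound(webhook_id)
    # Defence in depth: re-check against the project the record belongs to,
    # not the one the request claimed.
    if not can_read_webhooks(user, hook.project):
        raise Forbidden(f"{user} may not read webhooks in {hook.project}")
    return hook


def outcome(lookup, user: str, project: str, webhook_id: int) -> str:
    """Summarise a lookup as 'token:<value>', 'forbidden' or 'not found'."""
    try:
        return "token:" + lookup(user, project, webhook_id).auth_token
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not found"


def demo() -> dict:
    """The cross-project request from both code paths."""
    return {
        "vulnerable": outcome(lookup_webhook_vulnerable, "alice", "alpha", 2),
        "fixed": outcome(lookup_webhook_fixed, "alice", "alpha", 2),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows alice receiving beta's token from the vulnerable path and a plain "not found" from the fixed one. The fixed variant deliberately returns not-found rather than forbidden for a foreign id, so an attacker cannot use the response code to enumerate which ids exist in other projects.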
Potential Impact
For European organizations running Rundeck, the direct consequence is disclosure of webhook tokens across project boundaries, and with them the ability to trigger the associated automation without the authorization the project's ACLs were meant to enforce. Depending on what the webhooks drive, that means unauthorized job execution, data leakage, unwanted changes to managed systems, or service disruption. Multi-project deployments that rely on project isolation to separate teams or environments are the most exposed, because the bug is precisely a failure of that isolation. Because the token is the credential, the leak also outlives the bug: a token copied while the instance was vulnerable keeps working after the upgrade until the webhook is regenerated or deleted and recreated. Exploitation requires an authenticated account with webhook read in some project, so the realistic actors are insiders and holders of compromised accounts rather than anonymous attackers. With no known exploitation in the wild and a medium severity rating the threat is moderate, but it should not be underestimated where many users hold Rundeck accounts or where webhooks trigger deployment, rollback or configuration changes.
Mitigation Recommendations
1. Upgrade to Rundeck 3.3.15 (3.3.x line) or 3.4.5 or later. There is no configuration change that removes the flaw.
2. After upgrading, regenerate (or delete and recreate) every webhook whose token may have been read while the instance was vulnerable. Patching closes the leak but does not invalidate tokens that were already copied.
3. Audit ACL policies so that webhook read in each project is granted only to roles that need it. Webhook permissions are granted separately from job permissions, so a role can keep broad job access while losing webhook read.
4. Review what each webhook triggers and which roles it runs as; keep webhooks that drive deployments, rollbacks or configuration changes to the minimum the workflow actually needs.
5. Monitor webhook invocations and alert on unusual rate, source address or timing, which is how abuse of a leaked token would show up.
6. Enforce strong authentication for Rundeck accounts, with multi-factor authentication where the identity provider supports it, to reduce the chance that a compromised account is the one holding webhook read.
7. Review Rundeck's service and audit logs for webhook reads that do not match a user's normal project and for webhook triggers that no expected caller can account for.
8. If patching has to wait, cut the set of users holding webhook read to the minimum. This narrows who can exploit the bug but is not a fix, and splitting work across more projects does not help at all, since the bug crosses project boundaries by design.
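The first step above is the one that matters, and on a fleet the practical question is which instances still fall inside the affected ranges. The following is an added Python check written for this page, not a tool from the advisory or the Rundeck project. It encodes the two ranges from the advisory (before 3.3.15, and 3.4.0 up to but not including 3.4.5), tolerates the build or date suffix that Rundeck version strings carry, and refuses to treat an unparsable version as safe. The inventory is constructed sample data; in practice it would be filled from each instance's system-info API or package metadata.

```python
"""Fleet check for CVE-2021-41111: flag Rundeck versions still in the affected ranges.

Added example, not from the advisory or the Rundeck project. The inventory below is
constructed sample data; the ranges come from the advisory text.
"""
import re

# Assumption: Rundeck version strings look like "3.4.4", optionally followed by a
# build/date suffix such as "3.4.4-20210916"; only the numeric triple matters here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) or raise ValueError for anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Rundeck version: {text!r}")
    return tuple(int(x) for x in m.groups())


# (lower inclusive, upper exclusive) ranges that are vulnerable, per the advisory.
AFFECTED_RANGES = (
    ((0, 0, 0), (3, 3, 15)),   # everything before 3.3.15
    ((3, 4, 0), (3, 4, 5)),    # 3.4.0 up to but not including 3.4.5
)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def audit(inventory: dict) -> dict:
    """Return {host: verdict} for an inventory of {host: version_string}.

    Unparsable versions are reported as 'unknown' rather than 'ok', so a host
    with a SNAPSHOT or custom build string is never silently skipped.
    """
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "AFFECTED" if is_affected(version) else "ok"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "rundeck-prod-1": "3.4.4-20210916",
    "rundeck-prod-2": "3.4.5-20211001",
    "rundeck-legacy": "3.3.14",
    "rundeck-stage": "3.3.15",
    "rundeck-old": "3.2.9",
    "rundeck-dev": "SNAPSHOT",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {verdict}")
```

Every host reported AFFECTED needs the upgrade and then the token regeneration in step 2; hosts reported unknown need a manual look at the installed package before they are trusted.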
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-09-15T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9842c4522896dcbf2641
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 3:33:52 PM
Last updated: 8/16/2025, 12:18:39 AM
Views: 14
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)