Kallithea Security Notice CVE-2016-3114

Privilege escalation


A vulnerability has been found in Kallithea.


The vulnerability that allowed logged-in users to edit or delete open pull requests associated with any repository to which they had read access, plus a related vulnerability allowing logged-in users to delete any comment from any repository, provided they could determine the comment ID and had read access to just one repository.


Søren Løvborg wrote a patch fixing the issue, which is included in the release 0.3.2. Users are advised to upgrade as soon as possible.

Affected versions

As far as we know, the issue is present in all previously released Kallithea versions.


  1. CVE-2016-3114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3114

  2. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/81057be7a5c10e1cd08d32c923468e41cf417ed1