[GH-ISSUE #838] Security: Tokens get deleted in certain cases. #590

Closed
opened 2026-05-07 00:25:39 +02:00 by BreizhHardware · 1 comment

Originally created by @binwiederhier on GitHub (Aug 17, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/838

The excess query deletion logic is incorrect and can lead to tokens being deleted erroneously.

## Issue

ntfy only allows 20 access tokens to be created per user. Since access tokens are also used by the browser session, excess tokens (> 20) are deleted when the 21st token is created. This excess deletion logic is meant to only delete tokens from the user creating the 21st token. Instead, it accidentally deleted all tokens of all other users, thereby logging everyone out of their ntfy web app sessions, and deleting all other access tokens.

This was a denial-of-service-type security issue, since it effectively allowed a single user to deny access to all other users of a ntfy instance. Please note that while tokens were erroneously deleted, nobody but the token owner ever had access to it.

## Details

Original delete query:

```sql
DELETE FROM user_token
WHERE (user_id, token) NOT IN (
	SELECT user_id, token
	FROM user_token
	WHERE user_id = ?
	ORDER BY expires DESC
	LIMIT ?
)
```

Fixed query:

```sql
DELETE FROM user_token
WHERE user_id = ?
  AND (user_id, token) NOT IN (
	SELECT user_id, token
	FROM user_token
	WHERE user_id = ?
	ORDER BY expires DESC
	LIMIT ?
)
```

## What to do

If you run a multi-user public system, please update your instances to ntfy v2.7.0.
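The difference between the two queries can be reproduced as a regression check against an in-memory SQLite table. This is an added example, not part of the original issue or the ntfy code base: the two queries are the ones quoted above, while the table schema, user IDs and token values are constructed for the demonstration.

```python
import sqlite3

# The two statements quoted in the issue, unchanged apart from line wrapping.
ORIGINAL_QUERY = """
DELETE FROM user_token
WHERE (user_id, token) NOT IN (
    SELECT user_id, token FROM user_token
    WHERE user_id = ? ORDER BY expires DESC LIMIT ?)"""

FIXED_QUERY = """
DELETE FROM user_token
WHERE user_id = ?
  AND (user_id, token) NOT IN (
    SELECT user_id, token FROM user_token
    WHERE user_id = ? ORDER BY expires DESC LIMIT ?)"""

USERS = ("u_alice", "u_bob")  # constructed user IDs


def surviving_tokens(query, params, limit=20):
    """Seed u_alice with limit+1 tokens and u_bob with 3, run the excess-token
    cleanup on behalf of u_alice, and return the remaining count per user."""
    db = sqlite3.connect(":memory:")
    # Constructed minimal schema (assumption; not ntfy's real table definition).
    db.execute("CREATE TABLE user_token (user_id TEXT, token TEXT, expires INT,"
               " PRIMARY KEY (user_id, token))")
    rows = [("u_alice", f"tk_a{i}", 1000 + i) for i in range(limit + 1)]
    rows += [("u_bob", f"tk_b{i}", 2000 + i) for i in range(3)]
    db.executemany("INSERT INTO user_token VALUES (?, ?, ?)", rows)
    db.execute(query, params)
    counts = {}
    for user in USERS:
        cur = db.execute("SELECT COUNT(*) FROM user_token WHERE user_id = ?", (user,))
        counts[user] = cur.fetchone()[0]
    db.close()
    return counts


def run_original(limit=20):
    # The outer DELETE has no user filter, so every row outside
    # u_alice's newest `limit` tokens matches, including all of u_bob's.
    return surviving_tokens(ORIGINAL_QUERY, ("u_alice", limit), limit)


def run_fixed(limit=20):
    # The outer `user_id = ?` confines the DELETE to u_alice's own rows.
    return surviving_tokens(FIXED_QUERY, ("u_alice", "u_alice", limit), limit)


if __name__ == "__main__":
    print("original:", run_original())
    print("fixed:   ", run_fixed())
```

A check of this shape, asserting that another user's row count is unchanged after the cleanup, is what distinguishes the two queries; asserting only on the acting user's count passes for both.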


@binwiederhier commented on GitHub (Aug 17, 2023):

Fixed in github.com/binwiederhier/ntfy@3e3b556108
