Summary
A flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS).
Details
When submitting a Data Processing Agreement (DPA) request in TSPortal, the DPAAlreadyLive validation rule previously called User::findOrCreate().
This method created a user record if one did not already exist.
Although username validation (via MirahezeUsernameRule) correctly rejected invalid usernames, the DPAAlreadyLive rule was still executed during validation. Because it performed a state-changing operation, it created user records even when the overall validation failed and no DPA was created.
As a result:
- Validation correctly rejected invalid input
- However, user records were still inserted into the database as a side effect
These records were created:
- Without a successful DPA request
- Without audit logging tied to a completed action
- Without visibility into their origin
Proof of Concept
- Submit a DPA request using an invalid username
- Ensure the request fails validation due to
MirahezeUsernameRule - Observe that a corresponding user record is still created in the database
This behavior was confirmed prior to remediation.
Root Cause
The issue stemmed from:
- Performing state-changing operations (
findOrCreate) inside validation logic - Validation rules executing regardless of overall validation success
- Lack of separation between validation and persistence layers
Mitigation
The issue has been fixed by removing database write operations from validation logic.
Specifically:
- Replaced
User::findOrCreate()with a non-mutating lookup (User::firstWhere(...)) - Ensured validation rules only perform read operations
- Prevented user creation unless all validation passes
Impact
An attacker could exploit this behavior by automating requests with invalid usernames, resulting in:
- Mass creation of arbitrary user records
- Unbounded database growth
- Increased storage and indexing overhead
- Potential degradation of application performance
At scale, this could lead to a denial of service condition due to resource exhaustion.
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
CVE-2026-33541 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (34); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-33541? CVE-2026-33541 is a medium-severity uncontrolled resource consumption vulnerability in miraheze/ts-portal (composer), affecting versions <= 33. It is fixed in 34. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
- How severe is CVE-2026-33541? CVE-2026-33541 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of miraheze/ts-portal are affected by CVE-2026-33541? miraheze/ts-portal (composer) versions <= 33 is affected.
- Is there a fix for CVE-2026-33541? Yes. CVE-2026-33541 is fixed in 34. Upgrade to this version or later.
- Is CVE-2026-33541 exploitable, and should I be worried? Whether CVE-2026-33541 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33541 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33541? Upgrade
miraheze/ts-portalto 34 or later.