A critical authorization bypass in Vito allows authenticated users to create and manage websites on servers belonging to other projects, leading to unauthorized infrastructure access.

The application fails to validate if an authenticated user with workflow write access has permission to use a specific server_id. By supplying a foreign server_id during site-creation actions, an attacker can gain unauthorized control over servers linked to different projects within the same Vito instance.

With a CVSS score of 9.9, this vulnerability represents a near-total breakdown of multi-tenant or multi-project isolation. An attacker could deploy malicious applications, modify existing site configurations, or gain shell access to servers they do not own, resulting in massive data breaches and service disruption.

Immediate Action: Update the Vito application to version 3.20.3 or later immediately to enforce proper server-level authorization checks.

Proactive Monitoring: Review workflow logs and site creation history for any instances where sites were created on servers by users not officially assigned to those projects.

Compensating Controls: Restrict the ability to create workflows or sites to a very small number of highly trusted users until the patch can be applied.

Public Exploit Available: false

The severity of this flaw demands immediate remediation. Vito administrators must apply the 3.20.3 update without delay to restore project isolation and prevent unauthorized server manipulation across their deployment environment.