CVE-2023-50974

In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials.

Published: Jan 9, 2024
Updated: May 4, 2025
CVE: CVE-2023-50974
GHSA: GHSA-g777-crp9-m27g
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-798

Affected Software
References

Software	From	Fixed in
appwrite / command_line_interface	-	3.0.0
appwrite-cli	-	3.0.0
appwrite	-	3.0.0

https://appwrite.io/docs/tooling/command-line/installation
https://gist.github.com/SkypLabs/72ee00ecfa7d1a3494e2d69a24279c1d
https://github.com/pypa/advisory-database/tree/main/vulns/appwrite/PYSEC-2024-2.yaml

Vulnerability Database

289,697

CVE-2023-50974