Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center
Apollo Portal versions before 2.5.0 do not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId}. When configView.memberOnly.envs is enabled for the requested environment, a low-privileged Portal user can supply a valid release ID belonging to an application or namespace they are not authorized to view. The endpoint returns the release data without calling UserPermissionValidator.shouldHideConfigToCurrentUser(…).