Summary An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist. Details The issue is caused by the combination of these code paths: - "server/api/apikeys/verify-api-or-token.js:45" sends requests without "x-api-key" to "authJwt.verifyToken(req, res, next)". - "server/api/jwt-helper.js:46-64" creates a signed guest token when no "x-access-token" is provided: "if (!token) { token = getGuestToken(); }" and then populates "req.userId" / "req.userGroups" from that guest token. - "server/api/command/index.js:76-105" exposes "/api/getTagValue". - "server/runtime/scripts/index.js:106-111" returns "true" when the referenced script does not exist: "if (!script) { return true; }" As a result, an unauthenticated request reaches "/api/getTagValue" as "guest", and the authorization check is bypassed because "isAuthorisedByScriptName()" returns "true" when "sourceScriptName" is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID. PoC Requests to /api/getTagValue without authentication could succeed when the authorization logic evaluated a non-existent sourceScriptName as authorized.