# ADDENDUM: ComfyUI scan

Date: 2026-02-15
Target: comfyanonymous/ComfyUI
Local commit: e1add563f9e89026e8c4e8825a2b279fbd67d23a

## New Candidate Finding

Multi-user mode appears to rely on an attacker-controlled `comfy-user` request header as the sole selector for which user profile to operate on, and it exposes the full user mapping via `GET /users`. If ComfyUI is reachable by untrusted users in `--multi-user` mode, this is a cross-user authorization bypass (IDOR) affecting:

- `/userdata*` endpoints (read/write/delete/move within per-user storage)
- assets APIs (`/api/assets*`), which take `owner_id` from `get_request_user_id()`

## Artifact

- reports/ComfyUI-MultiUser-HeaderImpersonation-2026-02-15.md

## Validation

- Confirm whether the official deployment guidance treats `--multi-user` as a security boundary (multi-tenant) or as a local convenience feature.
- Confirm whether any auth layer exists elsewhere that binds requests to a user profile (cookie/session), versus relying on the header alone.