From f981839f24ea4fe7e1e38217314d6688be2e2276 Mon Sep 17 00:00:00 2001
From: Andrew Foote
Date: Fri, 22 May 2026 11:40:54 -0400
Subject: [PATCH] Prevent attempts to update a user's/org's UUID on an update request
---
 .../registry-org.controller.js | 16 ++++++++++++++++
 .../registry-user.controller.js | 13 +++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/src/controller/registry-org.controller/registry-org.controller.js b/src/controller/registry-org.controller/registry-org.controller.js
index 381ba1fc0..027c20c8e 100644
--- a/src/controller/registry-org.controller/registry-org.controller.js
+++ b/src/controller/registry-org.controller/registry-org.controller.js
@@ -294,6 +294,13 @@ async function updateOrg (req, res, next) {
 // Eventually we should validate this, but this is a bit tricky.
 if (reviewOrg) {
+ // For review objects, verify the provided UUID matches the target review object's UUID
+ const providedUUID = body?.UUID || body?.uuid
+ if (providedUUID && providedUUID !== reviewOrg.uuid) {
+ await session.abortTransaction()
+ return res.status(400).json(error.uuidProvided('org'))
+ }
+
 const updateResult = await reviewRepo.updateReviewOrgObject(body, reviewOrg.uuid, { session })
 if (updateResult) {
 updatedOrg = reviewOrg
@@ -307,6 +314,15 @@ async function updateOrg (req, res, next) {
 }
 }
 
+ // Verify that the provided UUID matches the existing organization's immutable database UUID
+ if (org) {
+ const providedUUID = body?.UUID || body?.uuid
+ if (providedUUID && providedUUID !== org.UUID) {
+ await session.abortTransaction()
+ return res.status(400).json(error.uuidProvided('org'))
+ }
+ }
+
 // Validate org
 const result = repo.validateOrg(body, { session })
 if (!result.isValid) {
diff --git a/src/controller/registry-user.controller/registry-user.controller.js b/src/controller/registry-user.controller/registry-user.controller.js
index 63445c2e0..a9f8ce871 100644
--- a/src/controller/registry-user.controller/registry-user.controller.js
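Review bot: The `const providedUUID = body?.UUID || body?.uuid` line in this hunk compares only one of the two accepted keys, so a body carrying `UUID` equal to the stored value plus a different `uuid` (or either key set to `''`/`0`, which the `providedUUID &&` test skips) passes the guard and reaches `updateReviewOrgObject(body, …)` with the unchecked value still in it; the second hunk at `if (org)` has the same shape against `org.UUID`. Each key should be checked on its own, e.g. `const mismatch = ['UUID', 'uuid'].some((k) => body?.[k] != null && body[k] !== reviewOrg.uuid)` followed by `if (mismatch) {`, with `org.UUID` in place of `reviewOrg.uuid` in the second hunk. Whether the repository layer would actually persist the stray key is not visible here, but the guard's own comment promises that the provided UUID is verified, so it should cover both spellings. The comparison is also a plain `!==`, so if stored UUIDs are normalised to one case a client echoing the other case is rejected with 400 — worth confirming that matches how UUIDs are issued. updateOrg's body starts and continues outside both hunks.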
+++ b/src/controller/registry-user.controller/registry-user.controller.js
@@ -295,6 +295,19 @@ async function updateUser (req, res, next) {
 }
 }
 
+ // Allow existing UUIDs to be passed, but block any attempts to mutate them
+ if (userToEdit) {
+ if (body?.UUID || body?.uuid) {
+ if (body.UUID) body.UUID = userToEdit.UUID
+ if (body.uuid) body.uuid = userToEdit.UUID
+ }
+
+ if (body?.org_UUID || body?.org_uuid) {
+ if (body.org_UUID) body.org_UUID = userToEdit.org_UUID
+ if (body.org_uuid) body.org_uuid = userToEdit.org_UUID
+ }
+ }
+
 if (body.org_short_name && !isSecretariat) {
 logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
 return res.status(403).json(error.notAllowedToChangeOrganization())
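Review bot: The presence checks on the `body?.UUID || body?.uuid` and `body?.org_UUID || body?.org_uuid` lines, and the inner `if (body.UUID)` / `if (body.uuid)` tests, are truthiness tests, so a request carrying `UUID: ''`, `UUID: null` or `UUID: 0` is left in `body` untouched and flows on to the update path below; whether the repository layer then writes that value over the stored UUID is not visible in this hunk, but the guard should key on key presence rather than truthiness. This also differs from the org controller in the same patch, which rejects a mismatched UUID with 400 via `error.uuidProvided` instead of silently rewriting it, so a client that sends the wrong UUID here gets a 200 with no indication its value was discarded — one behaviour for both controllers would be clearer. Note too that the `org_UUID` overwrite applies to every caller including the Secretariat, so if `org_UUID` was previously an accepted way to reassign a user's organization it is now a silent no-op and the `org_short_name` branch below is the only remaining path. updateUser's body starts and continues outside the hunk.

```javascript
// Allow existing UUIDs to be passed, but block any attempts to mutate them
if (userToEdit && body) {
  for (const key of ['UUID', 'uuid']) {
    if (Object.hasOwn(body, key)) body[key] = userToEdit.UUID
  }
  for (const key of ['org_UUID', 'org_uuid']) {
    if (Object.hasOwn(body, key)) body[key] = userToEdit.org_UUID
  }
}
// … unchanged: org_short_name / isSecretariat check …
```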