
Cross-tenant access control bypass via mis-scoped API token

Status: Resolved
Categories: Authorization, Multi-tenant
Published 11/5/2024 • Discovered 10/28/2024
Summary
An authenticated user with a scoped API token could enumerate and access limited metadata of sessions belonging to another tenant by manipulating the organizationId parameter.
Impact

Exposure of cross-tenant resource identifiers and limited session metadata. No content modification or PII exfiltration observed in logs.

Remediation

Introduced tenant-bound resource guards, enforced token org binding at the gateway, and added server-side authorization checks across list/detail endpoints.
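The pattern behind this finding, as an added illustration (not the platform's own code): the "before" handler filters sessions by the caller-supplied organizationId, so a valid token for one tenant can list another tenant's sessions, while the hardened handlers bind the tenant to the token and treat out-of-tenant ids like nonexistent ones. Token fields, session records and scope names are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: two tenants and their enrollment sessions (hypothetical).
SESSIONS = {
    "sess-a1": {"org": "org-A", "course": "intro-sec", "state": "active"},
    "sess-a2": {"org": "org-A", "course": "cloud-101", "state": "completed"},
    "sess-b1": {"org": "org-B", "course": "threat-model", "state": "active"},
}

@dataclass(frozen=True)
class ApiToken:
    """A scoped API token; org_id is the tenant the token was issued to (assumed field)."""
    subject: str
    org_id: str
    scopes: frozenset

class NotFound(Exception):
    """Raised for missing and out-of-tenant resources alike (same response either way)."""

def list_sessions_vulnerable(token: ApiToken, organization_id: str) -> list:
    """'Before' behaviour as the advisory describes it: the scope check passes, but the
    tenant filter is the request parameter, so any organizationId is honoured."""
    if "sessions:read" not in token.scopes:
        raise PermissionError("missing scope")
    return sorted(sid for sid, s in SESSIONS.items() if s["org"] == organization_id)

def list_sessions_fixed(token: ApiToken, organization_id: str) -> list:
    """Hardened list endpoint: the tenant comes from the token binding, and a
    mismatching organizationId is rejected rather than used as the filter."""
    if "sessions:read" not in token.scopes:
        raise PermissionError("missing scope")
    if organization_id != token.org_id:
        raise PermissionError("organizationId does not match the token's tenant")
    return sorted(sid for sid, s in SESSIONS.items() if s["org"] == token.org_id)

def get_session_fixed(token: ApiToken, session_id: str) -> dict:
    """Tenant-bound resource guard for the detail endpoint: an id belonging to another
    tenant yields the same NotFound as a nonexistent id, so the endpoint does not
    confirm which identifiers exist in other tenants."""
    if "sessions:read" not in token.scopes:
        raise PermissionError("missing scope")
    session = SESSIONS.get(session_id)
    if session is None or session["org"] != token.org_id:
        raise NotFound(session_id)
    return session
```

Enforcing the token-to-organization binding once at the gateway, as the remediation describes, gives every downstream endpoint the same guarantee without each handler re-deriving it.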

Timeline
Key events from report to disclosure
10/28/2024: Report received
10/28/2024: Acknowledged (SLA < 24h)
10/30/2024: Triage complete
11/2/2024: Fix deployed
11/5/2024: Public disclosure
References
Technical Details
Metadata and scoring
Severity: High
CVSS: 8.2 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
Reporter: Nina Patel (@ninap)
Products: Training Platform API
Components: Session enrollment, Organization membership
CWE: CWE-639, CWE-284