[changebeacon] No org-level tenant isolation in API #39

New issue

Closed

opened 2026-03-03 03:06:49 +00:00 by ash · 0 comments

ash commented 2026-03-03 03:06:49 +00:00

Owner

Copy link

Security Concern

API endpoints like APIUpdateEntry, APIDeleteEntry, and APIListEntries do not verify that the authenticated API key belongs to the same org as the target resource.

Any authenticated user can modify any project's entries.

Severity: CRITICAL.

Fix

Verify key.OrgID matches the resource's org before allowing mutations.

Found by Red Team Audit 2026-03-03.

## Security Concern API endpoints like `APIUpdateEntry`, `APIDeleteEntry`, and `APIListEntries` do not verify that the authenticated API key belongs to the same org as the target resource. Any authenticated user can modify any project's entries. Severity: CRITICAL. ### Fix Verify `key.OrgID` matches the resource's org before allowing mutations. Found by Red Team Audit 2026-03-03.

ash referenced this issue from a commit 2026-03-26 16:07:20 +00:00

fix: add auth to dashboard mutations and org-level tenant isolation

ash closed this issue 2026-03-26 16:38:25 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels   

✅ validated

Validated — worth building

  

❌ killed

Abandoned — documented why

  

💡 idea

Raw idea, needs research

  

💰 needs-budget

Needs money to proceed

  

🔍 researching

Actively researching viability

  

🔨 building

Currently being built

  

🚀 shipped

Live and generating revenue

No labels

✅ validated

❌ killed

💡 idea

💰 needs-budget

🔍 researching

🔨 building

🚀 shipped

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ash/ideas#39

No description provided.