Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by ciphernest7 - 01.07.2026
Last edited by cbay - 02.07.2026

FS#361 - Broken Access Control / Improper Authorization

Dear Security Team, I hope you are doing well. I would like to responsibly disclose a potential access control issue identified during testing of the user role and permission management functionality. Category: Broken Access Control / Improper Authorization Severity: High Description During testing, I observed that a user assigned only the Billing Contact role is able to invite additional users to the organization. Based on the role description, the Billing Contact permission is intended to provide access to billing-related functionality. However, the ability to invite new users appears to extend beyond the expected responsibilities of a billing-only role. This behavior may violate the Principle of Least Privilege by allowing a non-administrative user to perform account management actions. Steps to Reproduce

Log in as an account administrator.
Invite a new user with only the Billing Contact permission.
Log in using the Billing Contact account.
Navigate to the user or team management section.
Observe that the Billing Contact user is able to access the Invite User functionality.
Successfully initiate an invitation for another user. Expected Behavior A user assigned only the Billing Contact role should be restricted to billing-related operations and should not be able to invite or manage additional users unless explicitly intended by the role design. Actual Behavior The Billing Contact role is able to invite new users despite being intended for billing-related access. Security Impact If this behavior is not intended, it may allow: • Unauthorized user invitations. • Expansion of account access without administrator approval. • Circumvention of role separation. • Violation of the Principle of Least Privilege. • Increased risk of unauthorized account access. The overall impact depends on the permissions that can be granted to invited users. If elevated roles can be assigned, the security impact could be significantly higher. Recommendation To mitigate this issue, I recommend: • Restricting the Invite User functionality to administrative or dedicated user-management roles. • Reviewing role-based access control (RBAC) permissions to ensure Billing Contact users are limited to billing operations only. • Enforcing server-side authorization checks for all user management actions. • Verifying that non-administrative roles cannot perform account management functions unless explicitly intended. Conclusion The observed behavior suggests that the Billing Contact role may have broader privileges than expected by allowing user invitations. If this is not intended behavior, restricting user management capabilities to authorized administrative roles would improve the application’s access control model and better align with the Principle of Least Privilege. This report is submitted under responsible disclosure. I would be happy to provide additional information or assist with validation if required. Kind regards, Cyber_Subhash Security Researcher

Closed by  cbay
02.07.2026 07:17
Reason for closing:  Invalid
Admin
cbay commented on 02.07.2026 07:17

Hello,

There is no "Invite User functionality".

Kind regards,
Cyril

There is an option to add users on your platform.

Admin
cbay commented on 02.07.2026 07:31

Please be specific and give me the exact name of the button/section you're referring to.

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing