Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by nexxp66 - 16.07.2026
Last edited by cbay - 16.07.2026

FS#412 - Direct Organization Access Granted, Leading to Organization Takeover

Description

During testing, I discovered that when an owner creates a new user and assigns permissions, the user is immediately added to the organization without any invitation acceptance or verification step.

As a result, if an owner accidentally enters an attacker's email address and assigns a privileged role, the attacker gains direct access to the organization and its resources immediately after logging in.

This allows the newly created user to perform all actions associated with the assigned role without requiring approval or invitation acceptance.

Steps to Reproduce

Log in to the Owner account.
Navigate to Permissions.
Click Add User.
Enter a user's email address.
Assign all available permissions.
Click Create User.
Log in to the newly created user account.
Observe that the user is automatically added to the owner's organization with all assigned permissions.

Impact

If an owner mistakenly enters an attacker's email address while creating a user, the attacker immediately gains access to the organization with the assigned permissions.

When high-privilege permissions are assigned, the attacker may be able to access sensitive data, manage users, modify organization settings, and potentially delete or take full control of the organization.

Expected Behavior

Newly created users should be required to verify ownership of the invited email address and explicitly accept the invitation before gaining access to the organization.

Actual Behavior

The user is automatically added to the organization with the assigned permissions immediately after account creation, without any invitation acceptance step.

Closed by  cbay
16.07.2026 07:41
Reason for closing:  Invalid
Admin
cbay commented on 16.07.2026 07:41

Hello,

If an owner accidentally enters an attacker's email address, it doesn't matter if the attacker has to accept an invitation or not.

Kind regards,
Cyril

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing