Permission Filter Bypass from Variable Shadowing Bug
Linear
- Started: Mar 24, 2026
- Duration: 1h 3m
- Users affected: Not disclosed
- Revenue impact: Not disclosed
- Blast radius: —
- Services: auth, api, notifications, background-jobs
Summary
A performance optimization deployed to production contained a variable shadowing bug that caused team-level permission filters to be silently skipped. For approximately one hour, workspace members — including guests — could access data belonging to private teams within their own workspace via notification emails, client data sync, mobile sessions, API calls, and background tasks. No data was exposed outside any workspace, and no credentials were compromised. The change was reverted within the hour, all affected client sessions were cleared, and a post-incident audit found no evidence of malicious exploitation.
Impact
Approximately 7,000 full client bootstraps occurred during the window, potentially loading private team data into local client databases (not surfaced in the UI). Digest notification emails sent during the window may have included content from private teams. Mobile sessions active during the window had access to private team data via in-app functionality. OAuth apps and API keys making broad queries may have received cross-boundary data. No data was exposed to users outside the affected workspaces, and no credentials or tokens were leaked.
Root cause
A performance optimization in Linear's sync group permission resolver was gated to run only for a single internal workspace in production. The code path that was meant to disable the optimization for all other workspaces contained a variable shadowing bug: the scoped variable masked the outer resolver context, causing the permission filter to be omitted entirely rather than falling back to the standard unfiltered resolver. Queries executed without team-level filtering and silently returned results across permission boundaries. Test coverage validated the optimization when active but did not cover the disabled-optimization code path, allowing the regression to reach production undetected.
Resolution
The code change was identified and reverted within one hour of deployment. A new deployment with the revert was pushed to production. Server-side caches were invalidated, the database version was incremented to force client cache resets, all mobile sessions active during the window were logged out, and all desktop and web clients were force-reloaded. Auto-generated Pulse feed posts produced during the window with cross-boundary content were deleted. A post-incident audit of sensitive mutations across affected workspaces found no evidence of malicious abuse.
Lessons
- Test coverage for a conditional optimization must explicitly cover both the active path and the disabled/fallback path — validating only the happy path leaves the guard code unverified.
- Permission and access control code paths require a higher bar of review than general application code, including targeted security review separate from standard peer review.
- Silent failure modes — where a missing permission check returns results rather than raising an error — are especially dangerous because they produce no observable signal during normal operation.
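To make the root cause and the first lesson concrete, here is an added TypeScript sketch, not Linear's code: a toy permission resolver whose fallback branch shadows the outer variable so the filter is silently dropped, beside a fixed form that fails closed. The resolver, the `ws-internal` gate value, the cache and the fixture are all constructed for the example.

```typescript
// Added example, not Linear's code: a toy sync-group permission resolver with
// an optimization gated to one workspace, in its buggy and its fixed form.
type Team = { id: string; isPrivate: boolean; members: string[] };
type Ctx = { userId: string; workspaceId: string; teams: Team[] };
const OPTIMIZED_WORKSPACE = "ws-internal"; // constructed gate value
const cache = new Map<string, Set<string>>(); // constructed cache, the reason a `const` appeared

// A user may see a team if it is public or they are a member of it.
function standardAllowedTeams(ctx: Ctx): Set<string> {
  return new Set(ctx.teams.filter(t => !t.isPrivate || t.members.includes(ctx.userId)).map(t => t.id));
}
// Stand-in for the optimized path; same result, hypothetically faster.
const optimizedAllowedTeams = standardAllowedTeams;
// Applies the filter; `undefined` means "no filter", which is the dangerous default.
function applyFilter(ctx: Ctx, allowed: Set<string> | undefined): string[] {
  return ctx.teams.map(t => t.id).filter(id => allowed === undefined || allowed.has(id));
}

// BUGGY: `const allowed` in the else branch declares a new block-scoped variable
// that shadows the outer `allowed`, so for every non-optimized workspace the
// outer variable stays undefined and all teams, private ones included, come back.
function resolveTeamsBuggy(ctx: Ctx): string[] {
  let allowed: Set<string> | undefined;
  if (ctx.workspaceId === OPTIMIZED_WORKSPACE) {
    allowed = optimizedAllowedTeams(ctx);
  } else {
    const allowed = standardAllowedTeams(ctx); // shadowing bug: outer `allowed` untouched
    cache.set(ctx.workspaceId, allowed);
  }
  return applyFilter(ctx, allowed);
}

// FIXED: assign the outer variable in both branches, and fail closed if it is
// still unset instead of silently returning unfiltered results.
function resolveTeamsFixed(ctx: Ctx): string[] {
  let allowed: Set<string> | undefined;
  if (ctx.workspaceId === OPTIMIZED_WORKSPACE) {
    allowed = optimizedAllowedTeams(ctx);
  } else {
    allowed = standardAllowedTeams(ctx);
    cache.set(ctx.workspaceId, allowed);
  }
  if (!allowed) throw new Error("permission filter missing"); // fail closed
  return applyFilter(ctx, allowed);
}

// Constructed fixture: a guest in a non-optimized workspace with one private team.
const fixture: Ctx = {
  userId: "guest-1", workspaceId: "ws-customer",
  teams: [{ id: "eng", isPrivate: false, members: [] }, { id: "exec", isPrivate: true, members: ["ceo"] }],
};
```

A test that only exercises the optimized workspace passes against both versions; only a test of the fallback workspace catches the leak.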
Action items
- Expand integration test suite to validate permission boundaries across team types, user roles, guest access, and authentication methods in all deployment environments.
- Enforce pre-deployment security review (by humans and agents) as a gate for any changes touching authorization code paths.
- Add operational monitoring for anomalous authorization layer behavior, such as unusual cross-team query patterns.
- Implement limits on the number of notification items rendered in a single digest email to bound the blast radius of similar permission failures.
- Extend internal logging to provide higher-fidelity visibility into workspace-level access events.
- Allow workspace admins and owners to designate dedicated security contacts for future incident notifications.
- Document the incident data collection process to enable faster analysis in future incidents.