Unknown organization
Mar 24, 2026
SEV-1Permission Filter Bypass from Variable Shadowing Bug
A performance optimization deployed to production contained a variable shadowing bug that caused team-level permission filters to be silently skipped. For approximately one hour, workspace members — including guests — could access data belonging to private teams within their own workspace via notification emails, client data sync, mobile sessions, API calls, and background tasks. No data was exposed outside any workspace, and no credentials were compromised. The change was reverted within the hour, all affected client sessions were cleared, and a post-incident audit found no evidence of malicious exploitation.
1h 3mNot disclosed affected—
api gatewayauthconfiguration errorcredential rotation