Security research
Sectum AI source-reviews self-hostable AI and SaaS products for cross-tenant isolation failures — the class of bug where one customer, workspace, or department can read, modify, or delete another tenant's data. We report every finding privately to the maintainer and publish it here once a fix ships.
40+ cross-tenant findings · 30+ products source-reviewed · 20+ security advisories filed · 4+ fixes merged upstream
Disclosed & fixed
Findings where the maintainer has shipped a public fix. Advisories still under coordinated disclosure are aggregated in the next section and named here as each patch lands.
| Product | Finding | Reference |
|---|---|---|
| AnythingLLM (Mintplex-Labs) | Cross-workspace exposure via the public embed widget | CVE-2025-63390 · PR #5759 (merged) |
| SurfSense (MODSetter) | Connector-index cross-tenant authorization bypass (stored OAuth / PAT exfiltration) | PR #1503 (merged & deployed) |
| Baserow (baserow) | Cross-workspace field-data disclosure (IDOR) | PR #5613 (fixed & deployed) · CVE pending |
| aideepin (moyangzhan) | Cross-user knowledge-base embedding read (RAG chunk disclosure) | PR #105 (merged) · issue #104 |
Under coordinated disclosure
Alongside the fixed findings above, Sectum AI has filed 20+ GitHub Security Advisories (credited to our team) and emailed maintainers directly for a further set of unpatched cross-tenant issues — including several Critical-severity account-takeover and unauthenticated data-exposure flaws. Each stays private until the vendor ships a fix, at which point we add it here with its CVE / advisory link. Check back as fixes land, or get in touch for current status.
How we find them
The recurring pattern is the un-retrofitted sibling: a by-id read, write, or agent-tool call that's missing the tenant / owner scope its neighbouring endpoint already enforces. Teams retrofit their read paths first after an IDOR wave — so the write, delete, and LLM-tool siblings are where cross-tenant access survives. Every finding is source-confirmed at a specific commit, adversarially re-verified, and shipped with a one-to-two-line fix.
This is the same isolation testing we run for customers — see how Sectum AI works, the threat model, and the engagement options.
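The un-retrofitted sibling pattern described above can be caught with an isolation regression test that calls every by-id handler as the wrong tenant. The following is an added example, not code from Sectum AI or from any product listed on this page; `DocStore`, `FixedDocStore`, `audit_siblings` and the tenant names are hypothetical, and the stored row is constructed.

```python
class Forbidden(Exception):
    """Raised when the caller's tenant does not own the requested row."""

class DocStore:
    """Hypothetical service: read/update were retrofitted, delete was not."""
    def __init__(self):
        self.docs = {}  # doc_id -> {"tenant": str, "body": str}

    def _owned(self, tenant, doc_id):
        doc = self.docs.get(doc_id)
        # Same error for "missing" and "other tenant" so ids cannot be probed.
        if doc is None or doc["tenant"] != tenant:
            raise Forbidden(doc_id)
        return doc

    def read(self, tenant, doc_id):      # scoped by tenant
        return self._owned(tenant, doc_id)["body"]

    def update(self, tenant, doc_id):    # scoped by tenant
        self._owned(tenant, doc_id)["body"] = "edited"

    def delete(self, tenant, doc_id):    # un-retrofitted sibling: looks up by id only
        self.docs.pop(doc_id, None)

class FixedDocStore(DocStore):
    def delete(self, tenant, doc_id):    # the fix: reuse the neighbour's scope check
        self._owned(tenant, doc_id)
        del self.docs[doc_id]

def audit_siblings(store_cls, handlers=("read", "update", "delete")):
    """Call each by-id handler as tenant-b against tenant-a's row.
    Returns the names of handlers that did not refuse the request."""
    unscoped = []
    for name in handlers:
        store = store_cls()  # fresh store per handler so results are independent
        store.docs[1] = {"tenant": "tenant-a", "body": "secret"}  # constructed row
        try:
            getattr(store, name)("tenant-b", 1)
        except Forbidden:
            continue
        unscoped.append(name)
    return unscoped

if __name__ == "__main__":
    print("unscoped before fix:", audit_siblings(DocStore))
    print("unscoped after fix: ", audit_siblings(FixedDocStore))
```

Listing every by-id handler in `handlers`, including write, delete and agent-tool entry points, is what makes the audit useful: a handler left off the list is never tested.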
Found a cross-tenant bug in your product?
We disclose responsibly and include the fix.