Security research

Sectum AI source-reviews self-hostable AI and SaaS products for cross-tenant isolation failures — the class of bug where one customer, workspace, or department can read, modify, or delete another tenant's data. We report every finding privately to the maintainer and publish it here once a fix ships.

40+ cross-tenant findings

30+ products source-reviewed

20+ security advisories filed

4+ fixes merged upstream

Disclosed & fixed

Findings where the maintainer has shipped a public fix. Advisories still under coordinated disclosure are aggregated in the next section and named here as each patch lands.

| Product | Finding | Reference |
| --- | --- | --- |
| AnythingLLM (Mintplex-Labs) | Cross-workspace exposure via the public embed widget | CVE-2025-63390 · PR #5759 (merged) |
| SurfSense (MODSetter) | Connector-index cross-tenant authorization bypass (stored OAuth / PAT exfiltration) | PR #1503 (merged & deployed) |
| Baserow (baserow) | Cross-workspace field-data disclosure (IDOR) | PR #5613 (fixed & deployed) · CVE pending |
| aideepin (moyangzhan) | Cross-user knowledge-base embedding read (RAG chunk disclosure) | PR #105 (merged) · issue #104 |

Under coordinated disclosure

Alongside the fixed findings above, Sectum AI has filed 20+ GitHub Security Advisories (credited to our team) and emailed maintainers directly for a further set of unpatched cross-tenant issues — including several Critical-severity account-takeover and unauthenticated data-exposure flaws. Each stays private until the vendor ships a fix, at which point we add it here with its CVE / advisory link. Check back as fixes land, or get in touch for current status.

How we find them

The recurring pattern is the un-retrofitted sibling: a by-id read, write, or agent-tool call that's missing the tenant / owner scope its neighbouring endpoint already enforces. Teams retrofit their read paths first after an IDOR wave — so the write, delete, and LLM-tool siblings are where cross-tenant access survives. Every finding is source-confirmed at a specific commit, adversarially re-verified, and shipped with a one-to-two-line fix.
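
An added illustration of the un-retrofitted sibling, not code from Sectum AI or from any product listed above: the handler names, the in-memory store and the sample documents are all constructed for this example. The audit helper calls every by-id handler as a user from another workspace and returns the ones that do not refuse, which is the regression check that keeps a sibling from drifting out of scope again.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller's workspace does not own the object."""

@dataclass(frozen=True)
class User:
    name: str
    workspace_id: int

def new_store():
    # Constructed sample data: two documents owned by two different workspaces.
    return {1: {"workspace_id": 10, "body": "tenant A notes"},
            2: {"workspace_id": 20, "body": "tenant B notes"}}

def _owned(store, user, doc_id):
    """Resolve by id AND by the caller's workspace; a foreign id is refused."""
    doc = store.get(doc_id)
    if doc is None or doc["workspace_id"] != user.workspace_id:
        raise Forbidden(doc_id)
    return doc

def read_doc(store, user, doc_id):
    return _owned(store, user, doc_id)["body"]   # read path, already retrofitted

def delete_doc_unscoped(store, user, doc_id):
    store.pop(doc_id, None)                      # sibling: by-id only, no owner check
    return True

def delete_doc_scoped(store, user, doc_id):
    _owned(store, user, doc_id)                  # the one-line fix: reuse the read path's scope
    del store[doc_id]
    return True

def cross_tenant_audit(handlers, foreign_user, victim_doc_id):
    """Run each handler as a user from another workspace; list those that did not refuse."""
    leaks = []
    for name, handler in handlers.items():
        try:
            handler(new_store(), foreign_user, victim_doc_id)
        except Forbidden:
            continue
        leaks.append(name)
    return leaks

HANDLERS = {"read": read_doc, "delete_unscoped": delete_doc_unscoped,
            "delete_scoped": delete_doc_scoped}

if __name__ == "__main__":
    print(cross_tenant_audit(HANDLERS, User("user_b", 20), 1))
```
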

This is the same isolation testing we run for customers — see how Sectum AI works, the threat model, and the engagement options.

Found a cross-tenant bug in your product?

We disclose responsibly and include the fix.

Contact us · Sectum AI on GitHub