Severity: Medium

Project: lunary

Account Takeover via Invite Functionality Exploit

An attacker can exploit the invite functionality to obtain valid JWT tokens, allowing them to take over accounts of newly registered users. This affects the latest commit on the main branch (a761d83) and has not yet been patched.

CVSS score: 6.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit: patrik-ha

Threat Overview

The vulnerability arises from the invite functionality, which issues a one-time use token to invited users. An attacker can invite a target email, obtain the token, and then retract the invite. When the target later registers independently, the attacker can use the previously obtained token to reset the target's password and take over their account. The core issue is that the one-time token is not invalidated when the invite is retracted, and the reset-password endpoint does not verify that the email in the token matches the email in the authorization header.

Attack Scenario

An attacker invites a non-registered email (e.g., target@a.com) to their organization and obtains a one-time use token. They then retract the invite. When the target registers independently, the attacker uses the one-time token to reset the target's password, thereby gaining access to the target's account.

Who is affected

Any users who are invited to the platform but have not yet registered, as well as any new users who register independently after an attacker has pre-created and stored tokens for their email addresses.
