Writeups.
Field notes from breaking AI-coded SaaS.
Vulnerability research published after coordinated disclosure with the vendor, or after a 7-day non-response window. Paid engagements appear only when the client has approved publication. New writeups roughly twice a month.
- 2026-06-01 | edgee | HIGH | EMBARGOED | Trust-elevation in an AI gateway: one unanchored regex turned tool output into harness reminders

  edgee is a token-compression gateway for coding agents. Its compressor preserves every `<system-reminder>` block in tool output verbatim while summarising everything around it. The check is unanchored — it does not distinguish reminders the agent harness emits (legitimate) from reminders that happen to appear inside a file the agent was asked to read (attacker-controlled). After compression, the attacker's reminder reaches the upstream model 1:1 with its salience amplified 14× in a representative case, and in the Read-tool path it lands in the exact position where Claude Code's harness emits its own reminders. A live test against `claude-opus-4-7` confirmed compliance with a soft injected instruction. Disclosed privately on 2026-05-25; published under the 7-day non-response policy.
- 2026-05-22 | postiz | CRIT HIGH MED | CVE-2026-48781 | JWT confused-deputy: one Skool cookie became SUPERADMIN on a social-scheduling SaaS

  A free Skool account was enough to mint a JWT that elevated any user to SUPERADMIN on api.postiz.com and impersonate arbitrary tenants. The same forge primitive separately bypassed billing enforcement on an unauthenticated public endpoint, and the crypto-payment IPN handler accepted attacker-chosen org_ids to grant lifetime PRO upgrades. Root cause: one JWT secret signed tokens for six distinct purposes with no `aud` claim, and the auth middleware trusted JWT body fields without re-resolving the user from the database. Disclosed via GHSA; fix shipped in 55 minutes; three public advisories — CVE-2026-48781 (Critical), CVE-2026-48783 (Medium), and GHSA-j7rp-5mgj-qgg9 (High) — assigned.
- 2026-05-06 | clicky | CRIT HIGH | Unauthenticated RCE on an unsandboxed macOS AI assistant via SSE tool-call injection

  A MITM attacker on the network can silently execute arbitrary shell commands on a Clicky user's machine by forging a single AI tool call in the response stream. No sandbox, no approval prompt, no indication to the user. Plus six more findings, including undisclosed conversation surveillance to a third-party analytics platform.
- 2026-05-04 | outrank.so | HIGH | Supabase RLS quota bypass and unauthenticated Notion OAuth state forgery on an SEO SaaS

  An unauthenticated attacker can hijack a victim's Notion publishing pipeline without ever signing into Outrank. Four findings, two High, sharing one root cause: auth enforced in the app layer but missing from the data tier and several public API routes.
- 2026-04-01 | parakeetai | HIGH | EMBARGOED | Coordinated disclosure on an AI interview assistant — writeup embargoed until August 2026

  Four findings on an AI assistant for live interviews and meetings — including SSRF via DNS rebinding, CORS null-origin with credentials, and a TOCTOU race on a quota-gated creation flow. Reported privately and fixed under coordinated disclosure. The detailed writeup is embargoed by agreement until approximately August 2026, when it will be republished in full on this site.
Want this for your product?
Same lens, before any attacker finds it.
- Price: From $1,500 fixed.
- Finding promise: Critical within 3 days or full refund.