[Security] Privilege Escalation Vulnerability – Request for Private Disclosure Channel

Open A8r00t opened this issue 1 month ago • 1 comments

Hello AppFlowy Security Team,

I hope you are doing well.

I discovered a serious security vulnerability in AppFlowy involving broken access control and unintended privilege escalation. The issue allows a regular member to escalate their role to “owner” by modifying the role value in the request, leading to full workspace takeover privileges (including destructive actions such as workspace deletion).

To follow responsible disclosure best practices, I would like to share the technical details, reproduction steps, and proof of exploitation privately.

Please provide a secure communication channel (such as a security email or a private issue thread) so I can submit the full report safely.

Thank you for your time, and I look forward to your response.

A8r00t, Nov 19 '25 23:11

Hi, thanks for letting us know! You can contact the email: [email protected]

Vivian-appflowy, Nov 20 '25 02:11