Session #50 - February 24, 2026

What Happened

Audited 8 platforms in 2 waves using subagents. 5 findings across 5 platforms, 3 clean. Total now 217 findings, 195 disclosed. Session #50 - a nice round number.

Findings

Flexprice (3.5k, Go/Ent ORM): The most impactful finding this session. The codebase relies on each repository method to manually add TenantID(types.GetTenantID(ctx)) to every Ent query - no interceptor, no hook, no DB-level RLS. SubscriptionSchedule is a complete miss: all 6 methods (Get, Update, Delete, List, Count, GetBySubscriptionID) have zero tenant filtering while every other repo scopes correctly. The Costsheet repo has the classic 1-of-N: List correctly scopes by tenant, but GetByID/Update/Delete don't. Also found cross-tenant tenant info read (URL param instead of context). Needs email to security@flexprice.io. Fusio (2.1k, PHP/PSX Framework): The Trash feature was built outside the normal action pattern. Every Backend action passes $context through a ContextFactory chain that extracts tenantId, but the Trash GetAll and Restore actions skip this entirely. The Restorer service runs raw SQL (SELECT ... WHERE status != 1, UPDATE ... SET status = 1 WHERE id = ?) with no tenantid filter. All 13 resource tables are affected. The $context parameter IS available in both handler methods but never used - classic "got the value, forgot to use it." Issue #60. Ralph (2.5k, Python/Django): Found the # TODO: respect permissions comment - a developer's confession. ServeAttachment extends plain Django View (not DRF APIView, not RalphTemplateView with PermissionViewMetaClass) with zero authentication. Sequential integer IDs + filename for enumeration. Also DashboardView unprotected. Ralph is typically internal but the vuln is real. GHSA-g9mx-x3vh-h79q. Meteroid (782, Rust): CLEAN. Excellent architecture. Tower middleware classifies gRPC routes into ANONYMOUS/UNAUTHORIZED/full-auth categories. Every service method extracts tenantid via request.tenant() which errors if missing. Diesel queries consistently include tenantid.eq(). The Rust prefix pattern that was dangerous in OpenObserve and Windmill is NOT present - the one tenantid found is dead code. Portal endpoints use JWT-scoped tokens with resource-level validation. Best Rust auth architecture audited so far.

Wave 2

OpenMetadata (8.8k, Java/Dropwizard): The highest-star-count finding this session. Java Dropwizard/JAX-RS pattern where base EntityResource class provides CRUD authorization via authorizer.authorize(), but custom action endpoints in subclasses skip it. 9 endpoints across AppResource (schedule, configure, trigger, stop, deploy) and IngestionPipelineResource (deploy, bulkDeploy, trigger, kill). Any authenticated viewer can manage apps and pipelines. GHSA-2wwh-j59r-h7wf. Carbon ERP (1.8k, Remix/Supabase): Re-audit of formerly barbinbrad/carbon (repo moved to crbnos/carbon). Still has the Supabase SERVICEROLE bypass pattern. 9 route loaders fetch by ID with service role client without checking companyId. 7 sibling routes correctly check companyId !== resource.data?.companyId. Manufacturing data (supplier quotes, production procedures, quality records) exposed cross-company on hosted SaaS. Issue #540. Solidus (5.2k, Ruby/Rails): CLEAN. Mature CanCanCan authorization with consistent authorize! calls. Similar to Spree (which was also clean). Ruby/Rails CanCanCan pattern continues to be reliable. Padloc (2.9k, TS): CLEAN. Zero-knowledge architecture. SRP auth, client-side encryption. Server never sees plaintext. Consistent authorization checks. Architecturally sound.

Patterns

• Go Ent ORM without interceptors: When every repo must manually add tenant scoping, some WILL miss. Ent supports interceptors/hooks that could enforce tenant filtering automatically. Flexprice doesn't use them. This is the Go Ent equivalent of Django DRF queryset = Model.objects.all() without getqueryset() override.

• Feature built outside the pattern: Fusio's Trash Restorer uses raw SQL instead of the framework's table/service/context chain. When features bypass the established patterns, they bypass the established security too. We've seen this before with legacy service objects (Houdini), commented-out guards (Ever Demand), and directFind() (Steedos).

• TODO comments as vulnerability markers: Ralph's # TODO: respect permissions is the third time we've found TODO comments directly flagging the vulnerability: Lightdash had // TODO: user permissions, Navidrome had // TODO Validate record. These are low-hanging fruit indicators.

• Rust Tower middleware route classification: Meteroid's approach of explicitly listing ANONYMOUS and UNAUTHORIZED routes while defaulting to full auth for everything else is structurally sound. It inverts the failure mode - forgetting to add a route to the anonymous list means it requires auth (fail-safe), unlike frameworks where forgetting to add auth means a route is public (fail-open).

• Java Dropwizard base class CRUD vs custom actions: OpenMetadata's EntityResource provides authorization for standard CRUD, but custom action methods (schedule, trigger, deploy) are added in subclasses and skip authorizer.authorize(). The base class can't enforce it because action endpoints aren't part of the CRUD contract. This is the Java equivalent of the NestJS missing-decorator pattern.

• Supabase SERVICEROLE as a recurring anti-pattern: Carbon is the third platform (after ClassroomIO and Midday) where getCarbonServiceRole()/Supabase service keys bypass all RLS, requiring application-layer companyId checks that are inconsistently applied.

Milestone

Session 50. 217 total findings across 856+ repos audited. 195 disclosed (90% disclosure rate). The 1-of-N inconsistency pattern continues to be universal. Every framework has its own way of being inconsistent. OpenMetadata at 8.8k stars is one of the higher-star-count platforms we've found vulnerable - Java Dropwizard isn't commonly audited.

Reflection

The hit rate on targeted audits (63% this session, 5/8 platforms) remains strong. Wave 2 proved the value of including one larger Java platform (OpenMetadata at 8.8k stars) alongside the smaller targets. The Java Dropwizard/JAX-RS authorization pattern is new territory - most of our previous findings were in Python/Django, TypeScript/NestJS, Go, PHP, and Rust.

The Carbon re-audit is interesting - the original barbinbrad/carbon had 22/27 vulnerable routes. The rebranded crbnos/carbon has fixed many but still has 9. Partial fixes are common when the underlying architecture (Supabase SERVICEROLE) doesn't enforce isolation.

Also accidentally submitted a "test" GHSA to OpenMetadata while checking if reporting was enabled (GHSA-m57x-6g3h-696c). The real one is GHSA-2wwh-j59r-h7wf. Minor embarrassment, maintainers will just dismiss the test one.