Cross-tenant access via vulnerable SAML implementation


  • Severity: Medium
  • Industry: Application Security - Software
  • Credits: Antti Seppala & Jani Tattari

Overview

The vendor is a company that offers a variety of application security solutions to organizations via its online platform. Many organizations use it to monitor the code libraries used in their software for vulnerabilities.

The Security Assertion Markup Language (SAML) implementation used in the vendor's application security platform could allow a customer, acting as an attacker, to access the data of a subset of other customers simply by guessing a valid email address.


SAML is a form of single sign-on (SSO) authentication that allows a user to access multiple applications with a single set of credentials. Rather than each service storing login credentials, a dedicated identity provider authenticates users on behalf of the online service. This offers numerous benefits for both software-as-a-service (SaaS) providers and end users.

In this case, however, the vendor's SAML login was not scoped to individual customer tenants, which allowed unauthorized access to other customer tenants.
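To make the scoping failure concrete, the following added example (not code from the advisory or from the vendor's platform) models a multi-tenant SAML assertion consumer in Python. The tenant directory, identity-provider entity IDs, email addresses and audit records are all constructed; the assertion is represented as already signature-validated fields rather than parsed XML. It contrasts a login that resolves the session by email alone with one that binds the assertion's issuer and subject to the tenant the login was initiated for, and it ends with the kind of log check a defender can run after a fix of this sort.

```python
"""Tenant scoping at a SAML assertion consumer (constructed example).

Model: every customer tenant registers its own identity provider (IdP) with the
SaaS platform. After signature validation, an assertion yields the issuing IdP
entity ID and a NameID, which here is an email address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Assertion:
    issuer: str    # entity ID of the IdP that signed the assertion
    name_id: str   # subject identifier (email address in this model)


# Constructed tenant directory: tenant -> registered IdP and provisioned users.
TENANTS: Dict[str, dict] = {
    "acme":   {"idp": "https://idp.acme.example/saml",   "users": {"alice@acme.example"}},
    "globex": {"idp": "https://idp.globex.example/saml", "users": {"bob@globex.example"}},
}
REGISTERED_IDPS = {cfg["idp"] for cfg in TENANTS.values()}


def idp_tenant(issuer: str) -> Optional[str]:
    """Return the tenant that registered this IdP entity ID, if any."""
    for tenant, cfg in TENANTS.items():
        if cfg["idp"] == issuer:
            return tenant
    return None


def login_unscoped(assertion: Assertion) -> Optional[str]:
    """Vulnerable pattern: the issuer only has to be *some* registered IdP, and
    the session is then resolved by email across every tenant. An assertion
    from tenant A's IdP naming a tenant B email therefore lands in tenant B."""
    if assertion.issuer not in REGISTERED_IDPS:
        return None
    for tenant, cfg in TENANTS.items():
        if assertion.name_id in cfg["users"]:
            return tenant
    return None


def login_scoped(assertion: Assertion, requested_tenant: str) -> Optional[str]:
    """Hardened pattern: the assertion must come from the IdP registered for the
    tenant the login was initiated for, and the NameID must be provisioned in
    that same tenant. Matches in other tenants are deliberately ignored."""
    cfg = TENANTS.get(requested_tenant)
    if cfg is None or assertion.issuer != cfg["idp"]:
        return None
    if assertion.name_id not in cfg["users"]:
        return None
    return requested_tenant


# Constructed SSO audit records: which IdP asserted which subject, and which
# tenant the platform granted. Real log field names will differ.
SAMPLE_LOG: List[dict] = [
    {"issuer": "https://idp.acme.example/saml",   "name_id": "alice@acme.example", "tenant": "acme"},
    {"issuer": "https://idp.globex.example/saml", "name_id": "bob@globex.example", "tenant": "globex"},
    {"issuer": "https://idp.globex.example/saml", "name_id": "alice@acme.example", "tenant": "acme"},
]


def suspicious_logins(records: List[dict]) -> List[dict]:
    """Flag sessions where the tenant granted is not the tenant that owns the
    asserting IdP: the signature a cross-tenant SAML login leaves in the logs."""
    return [r for r in records if idp_tenant(r["issuer"]) != r["tenant"]]


if __name__ == "__main__":
    forged = Assertion("https://idp.globex.example/saml", "alice@acme.example")
    print("unscoped grants:", login_unscoped(forged))      # acme
    print("scoped grants:  ", login_scoped(forged, "acme"))  # None
    for r in suspicious_logins(SAMPLE_LOG):
        print("review:", r)
```

The scoped variant is the property the advisory's remediation restores: an identity provider may only vouch for subjects of the tenant that registered it. `suspicious_logins` is the check behind the closing recommendation to review logs, applied to whatever issuer and tenant fields the platform's own SSO audit trail records.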

Impact

The vendor's customers could access the data of other customers in the same SaaS environment by guessing or otherwise obtaining a valid email address. An attacker able to open an account with the vendor could therefore use this vulnerability to obtain information on vulnerabilities in other customers' software for further use (for example, targeted attacks).

No active exploitation of this vulnerability has been observed by either the vendor or WithSecure.


WithSecure contacted the vendor immediately after discovering the vulnerability. Following the vendor's acknowledgement of the issue, the two companies worked together to remediate the problem in the vendor's platform. An additional layer of security preventing cross-account/organization collaboration was implemented in the platform. End users can request removal of this additional layer in the event they require access to data stored in different accounts.

The remediation was implemented directly in the platform, so no user action is required to fix the problem. However, WithSecure does recommend that customers review any relevant logs for signs of abuse.