Security Advisories

Coordinated disclosures and hardening notes. We publish when fixes are available or by mutual agreement.

4 advisories
ADV-2025-0004 • High

Auth bypass via misconfigured OIDC trust

Jul 18, 2025 • CVE-2025-12345 • Multiple SaaS with bring-your-own IdP

Improper audience checks allowed forged tokens to be accepted across tenants. Rotate secrets, enforce audience, and re-issue sessions.

ADV-2025-0003 • Critical

RCE chain in legacy file converter

May 02, 2025 • CVE-2025-10422, CVE-2025-10423 • On-prem converter 3.x

Chained deserialization and path traversal enabled code execution under the service account. Patch to 3.4.2 or disable the converter.

ADV-2024-0011 • High

Privilege escalation via setuid helper

Nov 10, 2024 • CVE-2024-9876 • Linux agent ≤ 2.9

Untrusted environment variables were passed to the setuid helper. Remove the setuid bit or upgrade to 2.10.1, where the helper drops unsafe environment variables.

ADV-2024-0007 • Medium

Excessive S3 permissions in backup pipeline

Jun 28, 2024 • Backup runner role

Wildcard actions allowed cross-account writes. Scope actions, apply bucket policies, and rotate credentials.