« All posts

Source review of 200 self-hosted AI tools finds 78 leak tenant data

A source review of 200+ self-hosted multi-tenant AI/SaaS tools found 78 with cross-tenant data leaks via unguarded read endpoints, 31 filed as CVEs.

A security researcher source-reviewed over 200 multi-tenant AI and SaaS products for a single recurring flaw: authorization checks enforced on write endpoints but skipped on the neighboring read endpoints for the same object. The result was 84 confirmed cross-tenant data exposures across 78 products, with 31 already filed as GitHub Security Advisories. Findings were verified on isolated, self-hosted Docker instances using synthetic accounts and canary data, reproduced with an open-source multi-tenant isolation checker (Sectum AI), and confirmed against database ground truth.

The bug pattern was strikingly consistent: a developer adds an ownership check to a delete endpoint but never copies it to the adjacent list/get/search endpoint, which then fetches records by a raw, often-guessable ID with no tenant filter. A nastier variant authorizes the request path rather than the requested object, letting an attacker pair their own valid workspace ID with a victim's object ID — enabling raw RAG-vector reads or connector re-indexing that exfiltrates another tenant's data using their own stored OAuth credentials.

Five products — SurfSense, AnythingLLM, Baserow, aideepin, and Flagsmith — have shipped public fixes and are named; the remaining 79 findings stay under a 90-day coordinated-disclosure hold. Open WebUI, Langfuse, LibreChat, and Outline passed the isolation check on current releases, while Flowise, Mem0, MaxKB, and vLLM turn out not to be multi-tenant at all in their open-source editions. The practical takeaway for engineers: authorize reads as strictly as writes, treat embeddings and cache keys as tenant-scoped data, and verify — rather than assume — the isolation wall in any self-hosted multi-tenant deployment.