Improper Access Control - Generic (CWE-284)CVSS 6.4Easy

2FA requirement bypass when inviting team members

hackerone-reports

March 4, 2026

24 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3356149 by 0x7ashish

Summary:

The application requires users to enable 2FA before sending team invitations. However, this restriction can be bypassed by modifying client-side responses (match and replace from false to true). This allows invitations to be sent without enabling 2FA, defeating the security requirement.

Steps To Reproduce:

Sign up / log in to the application.
Go to the Team section.
Try to invite a new member → the application blocks the request, requiring 2FA.

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

pyus3r

Improper Access Control on www.target.example through /services/formcampaign via header "option" leads to unauthenticated read/write on the production marketing-campaign database

An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database via a single option request header. The only access control is a Referer string check that any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.

Read Writeup →

hackerone-reports

POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops

Read Writeup →

gpk21

LogicalBreach Academy