[GH-ISSUE #8349] [Security] Privilege Escalation Vulnerability – Request for Private Disclosure Channel #3752

New issue

Closed

opened 2026-03-23 21:32:54 +00:00 by mirror · 1 comment

mirror commented 2026-03-23 21:32:54 +00:00

Owner

Copy link

Originally created by @A8r00t on GitHub (Nov 19, 2025).
Original GitHub issue: https://github.com/AppFlowy-IO/AppFlowy/issues/8349

Hello AppFlowy Security Team,

I hope you are doing well.

I discovered a serious security vulnerability in AppFlowy involving broken access control and unintended privilege escalation.
The issue allows a regular member to escalate their role to “owner” by modifying the role value in the request, leading to full workspace takeover privileges (including destructive actions such as workspace deletion).

To follow responsible disclosure best practices, I would like to share the technical details, reproduction steps, and proof of exploitation privately.

Please provide a secure communication channel (such as a security email or a private issue thread) so I can submit the full report safely.

Thank you for your time, and I look forward to your response.

Originally created by @A8r00t on GitHub (Nov 19, 2025). Original GitHub issue: https://github.com/AppFlowy-IO/AppFlowy/issues/8349 Hello AppFlowy Security Team, I hope you are doing well. I discovered a serious security vulnerability in AppFlowy involving broken access control and unintended privilege escalation. The issue allows a regular member to escalate their role to “owner” by modifying the role value in the request, leading to full workspace takeover privileges (including destructive actions such as workspace deletion). To follow responsible disclosure best practices, I would like to share the technical details, reproduction steps, and proof of exploitation privately. Please provide a secure communication channel (such as a security email or a private issue thread) so I can submit the full report safely. Thank you for your time, and I look forward to your response.

mirror closed this issue 2026-03-23 21:32:55 +00:00

mirror commented 2026-03-23 21:32:55 +00:00

Author

Owner

Copy link

@Vivian-appflowy commented on GitHub (Nov 20, 2025):

Hi, thanks for letting us know! You can contact the email: support@appflowy.io

<!-- gh-comment-id:3555505019 --> @Vivian-appflowy commented on GitHub (Nov 20, 2025): Hi, thanks for letting us know! You can contact the email: [support@appflowy.io](mailto:support@appflowy.io)

mirror referenced this issue 2026-03-23 22:20:38 +00:00

[PR #3752] [MERGED] feat: allow hiding ungrouped stack #5862

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

copilot/fix-date-format-issue

feat/mention_a_person

merge_upstream_v6

mobile/release/0.9.3

release/0.9.3

release/0.9.2

select_source

release/0.9.1

refactor_import_data

release/0.8.9.1

release/0.8.9

anon_user_mode

release/0.8.8

fix_windows_selection

release/0.8.7

annieappflowy-patch-1

windows_local_ai

release/0.8.6

release/0.8.5

release/0.8.4

chore/optional-response-format

release/0.8.3

release/0.8.2

release/0.8.1

release/0.8.0

release/0.7.9

feat/support-rename-workspace

chat_rag_only

calculate_ui_test

release/0.7.8

release/0.7.7

stringfi_cells

hotfix/0.7.5

release/0.7.4

client-api-update

feat/collab-editing

fix_calculation_bug

feat/upload-file-in-document

update-client-api

feat/support-global-comment-on-web

update-client-api-2

feat/support-duplicate-publish-on-web

feat/ai-plan-billing

chore/test-web-deploy

chore/enable-billing-for-testing

build/test

ai_tag_feature

chore/enable-billing-plan

feat/billing-client-windows

chore/support-openai-chat

fix/try-no-media-kit

sign-in-error-format

workspace-invite-ci-test

last-workspace

workspace-invite-wip

feat/date-text-input

appflowy_v1

0.11.1

0.11.0

0.10.9

0.11.2

0.10.7

0.10.6

0.10.5

0.11.3

0.11.4

0.10.8

0.10.4

0.10.3

0.10.2

0.10.0

0.10.1

0.9.9

0.9.8

0.9.7

0.9.5

0.9.6

0.9.4

0.9.3

0.9.2

0.9.1

0.9.0

0.8.9

0.8.8

0.8.7

0.8.6

0.8.5

0.8.4

0.8.3

0.8.2

0.8.1

0.8.0

0.7.9

0.7.8

0.7.7

0.7.6

0.7.5

0.7.4

0.7.3

0.7.2

0.7.1

0.7.0

0.6.9

0.6.8

0.6.7.2

0.6.7.1

0.6.7

0.6.6

0.6.5

0.6.4

0.6.3

0.6.2

0.6.1

v0.6.1

0.6.0

0.5.9

0.5.8

0.5.7

0.5.6

0.5.5

0.5.4

0.5.3

0.5.2

0.5.1

0.5.0

0.4.9

0.4.8

0.4.7

0.4.6

0.4.5

0.4.4

0.4.3

0.4.2

0.4.1

0.4.0

0.3.9.1

0.3.9

0.3.8

0.3.7

0.3.6

0.3.5

0.3.4

0.3.3

0.3.2

0.3.1

0.3.0

0.2.9

0.2.8

0.2.7

0.2.6

0.2.5

0.2.4

0.2.3

0.2.2

0.2.1

0.2.0

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.9.1

0.0.9

0.0.8.1

0.0.8

0.0.7.1

0.0.7

0.0.6.2

0.0.6.1

0.0.6

0.0.6_beta.1

0.0.5.3

0.0.5.2

0.0.5.1

0.0.5

0.0.5_beta.2

0.0.5_beta.1

0.0.4

0.0.4_beta.3

0.0.4_beta.2

0.0.4_beta.1

0.0.3

0.0.3_beta.2

0.0.3_beta.1

0.0.2

0.0.1

Labels

Clear labels   

2024

  

2025

  

2026

  

acct mgmt

  

AI

  

automation

  

bug

  

calendar

  

ci

  

CJK

  

cloud

  

code-block

  

collaboration

  

copy-paste

  

database

  

data migration

  

data sync

  

deploy

  

desktop

  

develop

  

develop

  

documentation

  

duplicate

  

editor

  

editor-plugin

  

emoji

  

export

  

files

  

flutter-only

  

follow-up

  

formula

  

good first issue for devs

  

good first issue for experienced devs

  

grid

  

hacktoberfest

  

HACKTOBERFEST-ACCEPTED

  

help wanted

  

i18n

  

icons

  

images

  

importer

  

improvements

  

infra

  

install

  

integrations

  

IR

  

kanban board

  

login

  

look and joy

  

mentorship

  

mobile

  

mobile

  

needs design

  

new feature

  

new feature

  

non-coding

  

notes

  

notifications

  

onboarding

  

organization

  

P0+

  

permission

  

platform-linux

  

platform-mac

  

platform-windows

  

plugins

  

program

  

pull-request

Mirrored from GitHub Pull Request

  

Q1 25

  

Q1 26

  

Q2 24

  

Q2 25

  

Q3 24

  

Q3 25

  

Q4 24

  

Q4 25

  

react

  

regression

  

rust

  

rust

  

Rust-only

  

Rust-only

  

Rust-starter

  

Rust-starter

  

self-hosted

  

shortcuts

  

side panel

  

slash-menu

  

sync v2

  

table

  

tablet

  

task

  

tauri

  

templates

  

tests

  

themes

  

translation

  

v0.5.6

  

v0.5.8

  

v0.5.9

  

v0.6.0

  

v0.6.1

  

v0.6.4

  

v0.6.7

  

v0.6.8

  

v0.7.1

  

v0.7.4

  

v0.7.4

  

v0.7.5

  

v0.7.6

  

v0.7.7

  

v0.7.8

  

v0.8.0

  

v0.8.4

  

v0.8.5

  

v0.8.9

  

web

No labels

2024

2025

2026

acct mgmt

AI

automation

bug

calendar

ci

CJK

cloud

code-block

collaboration

copy-paste

database

data migration

data sync

deploy

desktop

develop

develop

documentation

duplicate

editor

editor-plugin

emoji

export

files

flutter-only

follow-up

formula

good first issue for devs

good first issue for experienced devs

grid

hacktoberfest

HACKTOBERFEST-ACCEPTED

help wanted

i18n

icons

images

importer

improvements

infra

install

integrations

IR

kanban board

login

look and joy

mentorship

mobile

mobile

needs design

new feature

new feature

non-coding

notes

notifications

onboarding

organization

P0+

permission

platform-linux

platform-mac

platform-windows

plugins

program

pull-request

Q1 25

Q1 26

Q2 24

Q2 25

Q3 24

Q3 25

Q4 24

Q4 25

react

regression

rust

rust

Rust-only

Rust-only

Rust-starter

Rust-starter

self-hosted

shortcuts

side panel

slash-menu

sync v2

table

tablet

task

tauri

templates

tests

themes

translation

v0.5.6

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.4

v0.6.7

v0.6.8

v0.7.1

v0.7.4

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.8.0

v0.8.4

v0.8.5

v0.8.9

web

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

AppFlowy-IO/AppFlowy#3752

No description provided.