
[Security] Audit summary — 2026-04-23 #84

@bahdcoder

Security Audit Summary — 2026-04-23

Scope

Full security audit of the HiveLoop Go SaaS backend API — all ~185 endpoints across auth, tenant-scoped CRUD, agent/conversation/sandbox, webhooks/internal, admin, skills/router/marketplace/integrations, and infrastructure.

Results

Metric              Count
Endpoints audited   ~185
Issues filed        54 (#30 through #83, tallied from the list below)
Critical            5
High                13
Medium              24
Low                 10
Info                2

Top 5 Most Dangerous Findings

  1. #48 (Critical) Router default_agent_id not validated for org ownership (PUT /v1/router). A user in Tenant A can set the default agent to an agent belonging to Tenant B, causing cross-tenant conversation routing. The foreign reference is persisted in router configuration, so fixing the handler is not enough: every existing router configuration must also be audited.

  2. #49 (Critical) Router CreateRule agent_id not validated for org ownership (POST /v1/router/triggers/{id}/rules). The same cross-tenant routing via rule creation: an attacker can route conversations arriving on their own trigger to an agent in another org and exfiltrate data.

  3. #30 (Critical) Spider endpoints completely unauthenticated (POST /spider/*). POST /spider/crawl, /search, /links, /screenshot and /transform require no authentication, so anyone can crawl URLs, take screenshots and run web searches through this server at the operator's expense.

  4. #50 (Critical) Non-admin org members can access all sensitive data (GET /v1/usage, GET /v1/audit, GET /v1/reporting, GET /v1/generations). These endpoints verify org membership but not role, so any org member, including viewers, can see billing details, IP addresses, per-user costs and full audit trails.

  5. #32 (High) Bridge webhook HMAC verification skipped when encryption key is nil (POST /internal/webhooks/bridge/{sandboxID}). If the encryption key is not configured, verification is silently bypassed instead of failing, so unauthenticated bridge webhooks (forged or replayed) can trigger actions on any sandbox.
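Finding 5 above, together with #33 (timing-unsafe API key comparison) and #38 (no timestamp freshness check) from the full list below, comes down to one verification routine that fails closed. The Go code below is an added illustration written for this summary; it is not code from the HiveLoop repository. The wire format (a unix timestamp and a hex HMAC-SHA256 over "timestamp.body" in two headers), the 5-minute skew window and all function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Assumed wire format for this example: the sender computes
// HMAC-SHA256(key, "<unix-ts>.<raw body>") and sends the timestamp and the
// hex signature in two headers. MaxSkew bounds how old a delivery may be.
const MaxSkew = 5 * time.Minute

var (
	ErrNoKey        = errors.New("webhook signing key not configured")
	ErrBadTimestamp = errors.New("missing or malformed timestamp")
	ErrStale        = errors.New("timestamp outside freshness window")
	ErrBadSignature = errors.New("signature mismatch")
)

func mac(key []byte, ts int64, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(strconv.FormatInt(ts, 10)))
	m.Write([]byte("."))
	m.Write(body)
	return m.Sum(nil)
}

// Sign is what a legitimate bridge would attach to its webhook.
func Sign(key []byte, ts int64, body []byte) string {
	return hex.EncodeToString(mac(key, ts, body))
}

// Verify fails closed: a missing key is a deployment error and must reject
// every delivery rather than skip the check. now is a parameter so the
// freshness window can be exercised deterministically.
func Verify(key []byte, tsHeader, sigHeader string, body []byte, now time.Time) error {
	if len(key) == 0 {
		return ErrNoKey
	}
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return ErrBadTimestamp
	}
	if d := now.Sub(time.Unix(ts, 0)); d > MaxSkew || d < -MaxSkew {
		return ErrStale
	}
	got, err := hex.DecodeString(sigHeader)
	// hmac.Equal is constant-time and returns false on a length mismatch,
	// so a truncated or empty header cannot pass.
	if err != nil || !hmac.Equal(got, mac(key, ts, body)) {
		return ErrBadSignature
	}
	return nil
}

// KeyEqual is the constant-time comparison an API key check should use
// instead of ==, which stops at the first differing byte and so leaks how
// many leading bytes were right. It still reveals the length, which is fine
// for fixed-length keys.
func KeyEqual(presented, stored string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(stored)) == 1
}

func main() {
	key := []byte("constructed-example-key")
	body := []byte(`{"sandbox_id":"sb-1","event":"exec.finished"}`) // constructed payload
	now := time.Unix(1_700_000_000, 0)
	sig := Sign(key, now.Unix(), body)
	ts := strconv.FormatInt(now.Unix(), 10)

	fmt.Println("genuine:      ", Verify(key, ts, sig, body, now))
	fmt.Println("no key:       ", Verify(nil, ts, sig, body, now)) // rejected, not skipped
	fmt.Println("tampered body:", Verify(key, ts, sig, []byte(`{"sandbox_id":"sb-2"}`), now))
	fmt.Println("replayed late:", Verify(key, ts, sig, body, now.Add(MaxSkew+time.Second)))
	fmt.Println("api key equal:", KeyEqual("abc", "abc"), KeyEqual("abc", "abd"))
}
```

The freshness window only narrows the replay problem to a few minutes; a delivery id or nonce recorded in Redis for the length of the window is what actually rejects a second copy of a genuine webhook.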

Systemic Patterns

  1. Missing role-based access control (RBAC) on tenant-scoped endpoints. The dominant vulnerability. RequireOrgAdmin is applied only to invite management; every other /v1 endpoint (credentials, API keys, tokens, billing, usage, audit, reporting, generations, custom domains) verifies org membership but never checks the member's role, so a viewer-role user can perform owner-level actions across 14+ endpoints. Recommendation: add a RequireRole("admin", "owner") middleware and apply it to every destructive and sensitive-data endpoint under /v1. The role must be read from the membership record of the org resolved for this request, not from a user-global claim, and the middleware should reject unknown roles rather than let them through.

  2. IDOR via unvalidated cross-tenant UUID references. Multiple endpoints accept UUIDs for agents, skills, connections and router entities without verifying that the referenced resource belongs to the requesting org: router default_agent_id, router rule agent_id, router trigger connection_id, agent skill IDs, in-connection NangoConnectionID and reconnect-session connection_id. Recommendation: add a generic BelongsToOrg(resourceID, orgID) query helper and enforce it on every endpoint that takes a UUID path or body parameter referencing another entity. Two details matter in practice: answer a foreign ID exactly like a nonexistent one (404, not 403) so the check is not an existence oracle for other tenants' IDs, and where possible fold the condition into the write itself (WHERE id = $1 AND org_id = $2) so the check and the update cannot race.

  3. CORS wildcard when allowedOrigins is empty. If the CORS_ORIGINS env var is empty or unset, the middleware sets Access-Control-Allow-Origin: * instead of denying cross-origin requests. Because the non-wildcard path sends Access-Control-Allow-Credentials: true and clients authenticate with cookies or bearer tokens, an origin-handling mistake in this middleware translates directly into cross-origin data exfiltration. One caveat when rating impact: browsers do not expose a credentialed response served with a * origin, so the wildcard path on its own mainly opens non-credentialed access; a path that echoes an unvalidated Origin together with Allow-Credentials: true is the worst case. Recommendation: never fall back to *; require explicit origin configuration, echo an origin only on an exact allowlist match, and otherwise deny the request (or send no CORS headers at all).

  4. In-memory rate limiting. Login and OTP rate limits use in-memory maps per instance. In a multi-instance deployment each instance tracks its own counts, so an attacker multiplies their attempts by the number of server instances, and every rolling deploy resets the counts to zero. Recommendation: use Redis-backed rate limiting consistent with the existing Redis infrastructure, key OTP verification on the target email as well as the source IP, and decide explicitly what happens when Redis is unreachable (for login and OTP, failing closed is the safer default).

  5. No request body size limits on webhook receivers and drive upload. Multiple endpoints accept unbounded request bodies, enabling memory-exhaustion DoS. Recommendation: add a global http.MaxBytesReader middleware (e.g. 10 MB) with per-endpoint overrides for known-large payloads. The wrapper must be installed before anything reads the body (JSON decoders and multipart parsers included), and handlers should map the resulting *http.MaxBytesError to 413 rather than a generic 400.
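Patterns 1 and 2 call for a role middleware and an ownership helper. The Go example below is added for this summary to show both wired into one handler; it is not code from the HiveLoop project. The Membership type, the context key, the OwnerLookup interface, the in-memory store and passing agent_id as a query parameter are assumptions standing in for the real membership middleware, database and request body.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Membership is what the (assumed) org-membership middleware already resolves
// and stores in the request context; only the role check on top of it is missing.
type Membership struct {
	UserID string
	OrgID  string
	Role   string // "owner", "admin", "member", "viewer"
}

type ctxKey struct{}

func WithMembership(r *http.Request, m Membership) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, m))
}

func MembershipFrom(r *http.Request) (Membership, bool) {
	m, ok := r.Context().Value(ctxKey{}).(Membership)
	return m, ok
}

// RequireRole rejects the request unless the member holds one of the listed
// roles. Unknown roles are denied, not allowed.
func RequireRole(roles ...string) func(http.Handler) http.Handler {
	allowed := map[string]bool{}
	for _, r := range roles {
		allowed[r] = true
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			m, ok := MembershipFrom(r)
			if !ok {
				http.Error(w, "unauthenticated", http.StatusUnauthorized)
				return
			}
			if !allowed[m.Role] {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// OwnerLookup abstracts "which org owns resource id of this kind". A real
// implementation is a single SELECT org_id FROM <table> WHERE id = $1.
type OwnerLookup interface {
	OwnerOrg(ctx context.Context, kind, id string) (string, bool)
}

// memStore is the in-memory stand-in used here: key "kind:id" -> owning org.
type memStore map[string]string

func (s memStore) OwnerOrg(_ context.Context, kind, id string) (string, bool) {
	org, ok := s[kind+":"+id]
	return org, ok
}

// BelongsToOrg is true only when the referenced resource exists and is owned
// by orgID. Unknown and foreign IDs get the same answer, so the caller cannot
// be used to probe which UUIDs exist in other tenants.
func BelongsToOrg(ctx context.Context, db OwnerLookup, kind, id, orgID string) bool {
	owner, ok := db.OwnerOrg(ctx, kind, id)
	return ok && owner == orgID
}

// SetDefaultAgent models PUT /v1/router: refuse an agent from another tenant
// before persisting anything, and answer 404 for foreign and unknown alike.
func SetDefaultAgent(db OwnerLookup) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		m, _ := MembershipFrom(r)
		agentID := r.URL.Query().Get("agent_id") // body field in the real API
		if !BelongsToOrg(r.Context(), db, "agent", agentID, m.OrgID) {
			http.Error(w, "agent not found", http.StatusNotFound)
			return
		}
		fmt.Fprintf(w, "default agent set to %s", agentID)
	})
}

// Route wires both checks: role gate first, ownership check inside the handler.
func Route(db OwnerLookup) http.Handler {
	return RequireRole("admin", "owner")(SetDefaultAgent(db))
}

// Call fires a request as the given member and returns the HTTP status.
func Call(h http.Handler, m Membership, agentID string) int {
	req := httptest.NewRequest(http.MethodPut, "/v1/router?agent_id="+agentID, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, WithMembership(req, m))
	return rec.Code
}

func main() {
	db := memStore{"agent:a1": "orgA", "agent:b1": "orgB"} // constructed fixture
	h := Route(db)
	fmt.Println(Call(h, Membership{UserID: "u1", OrgID: "orgA", Role: "admin"}, "a1"))  // own agent
	fmt.Println(Call(h, Membership{UserID: "u1", OrgID: "orgA", Role: "admin"}, "b1"))  // other tenant's agent
	fmt.Println(Call(h, Membership{UserID: "u2", OrgID: "orgA", Role: "viewer"}, "a1")) // wrong role
}
```

Applying RequireRole at the router level is what gives coverage across the 14+ endpoints; BelongsToOrg still has to be called per handler because only the handler knows which body fields are references.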
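Patterns 3 and 5 are both fixed in middleware. The example below is added for this summary and is not the project's middleware; the CORS_ORIGINS parsing, the 1 MiB default body cap, the /v1/drive/ override prefix and the helper names are assumed values.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// ParseOrigins turns the CORS_ORIGINS value into an allowlist. "" yields an
// empty list, which CORS treats as "allow nothing", never as "*"; an explicit
// "*" entry is dropped for the same reason.
func ParseOrigins(env string) []string {
	var out []string
	for _, o := range strings.Split(env, ",") {
		if o = strings.TrimSpace(o); o != "" && o != "*" {
			out = append(out, o)
		}
	}
	return out
}

// AllowOrigin returns the Origin to echo only on an exact allowlist match.
func AllowOrigin(allowed []string, origin string) (string, bool) {
	for _, a := range allowed {
		if origin != "" && a == origin {
			return origin, true
		}
	}
	return "", false
}

// CORS never emits "*" and never reflects an unknown Origin. For an unknown
// origin a preflight is refused; a simple request gets no CORS headers, which
// makes the browser withhold the response from the calling page.
func CORS(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			ao, ok := AllowOrigin(allowed, origin)
			if !ok && r.Method == http.MethodOptions {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			if ok {
				w.Header().Set("Access-Control-Allow-Origin", ao)
				w.Header().Set("Access-Control-Allow-Credentials", "true")
				w.Header().Add("Vary", "Origin")
				if r.Method == http.MethodOptions {
					w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
					w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
					w.WriteHeader(http.StatusNoContent)
					return
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

// LimitBody caps request bodies before any handler reads them. defaultMax
// applies everywhere; overrides maps a path prefix to a larger cap.
func LimitBody(defaultMax int64, overrides map[string]int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		limit := defaultMax
		for prefix, n := range overrides {
			if strings.HasPrefix(r.URL.Path, prefix) {
				limit = n
			}
		}
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// echo stands in for a webhook or upload handler: it reads the whole body and
// maps the MaxBytesReader error to 413 instead of a generic failure.
var echo = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	b, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) {
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(b))
})

// Build assembles the chain as a server would: body cap outermost, then CORS.
func Build(allowed []string, maxBody int64, overrides map[string]int64) http.Handler {
	return LimitBody(maxBody, overrides, CORS(allowed, echo))
}

// Send issues one request (origin may be "") and returns the recorded response.
func Send(h http.Handler, method, path, origin, body string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec
}

func main() {
	// With CORS_ORIGINS unset this allowlist is empty and every cross-origin
	// request is denied, which is the fallback the audit asks for.
	h := Build(ParseOrigins(os.Getenv("CORS_ORIGINS")), 1<<20, map[string]int64{"/v1/drive/": 100 << 20})
	rec := Send(h, http.MethodOptions, "/v1/usage", "https://evil.example", "")
	fmt.Println("preflight from unknown origin:", rec.Code)
	rec = Send(h, http.MethodPost, "/v1/webhooks/incoming", "", strings.Repeat("a", 2<<20))
	fmt.Println("2 MiB webhook body:", rec.Code)
}
```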
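For pattern 4, the example below, added here and not taken from the project, shows why per-instance maps multiply an attacker's budget and how a limiter whose counter lives in a shared store closes the gap. The Counter interface mirrors Redis INCR plus EXPIRE on a fresh key (the Redis client itself is not shown and is assumed); the in-memory counter, the 5-attempts-per-10-minutes numbers and the email-plus-IP keying are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// Counter is the store contract: atomically increment key and, if the key is
// new, start its expiry. Redis satisfies it with INCR + EXPIRE (or one Lua
// script so the pair is atomic). MemCounter is the in-process stand-in used
// to run this example; it has the same semantics but is visible to one
// process only, which is exactly the weakness of per-instance maps.
type Counter interface {
	Incr(key string, ttl time.Duration, now time.Time) (int64, error)
}

type entry struct {
	n   int64
	exp time.Time
}

type MemCounter struct {
	mu sync.Mutex
	m  map[string]entry
}

func NewMemCounter() *MemCounter { return &MemCounter{m: map[string]entry{}} }

func (c *MemCounter) Incr(key string, ttl time.Duration, now time.Time) (int64, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.m[key]
	if !ok || !now.Before(e.exp) { // new or expired window
		e = entry{exp: now.Add(ttl)}
	}
	e.n++
	c.m[key] = e
	return e.n, nil
}

// Limiter is a fixed-window limiter whose only state is in the Counter, so
// every API instance that shares the store sees the same counts.
type Limiter struct {
	store  Counter
	window time.Duration
	limit  int64
}

func NewLimiter(store Counter, window time.Duration, limit int64) *Limiter {
	return &Limiter{store: store, window: window, limit: limit}
}

// Allow increments every key (e.g. per-email and per-IP) and permits the
// attempt only if none of them is over the limit. A store error denies the
// attempt: for login and OTP endpoints failing closed is the safer choice.
func (l *Limiter) Allow(scope string, now time.Time, keys ...string) (bool, error) {
	ok := true
	for _, k := range keys {
		n, err := l.store.Incr("rl:"+scope+":"+k, l.window, now)
		if err != nil {
			return false, err
		}
		if n > l.limit {
			ok = false
		}
	}
	return ok, nil
}

// Simulate spreads n OTP attempts round-robin over the given instances and
// reports how many got through; the email is lower-cased so case variants
// of one address share a bucket.
func Simulate(instances []*Limiter, n int, email, ip string) int {
	allowed := 0
	now := time.Unix(1_700_000_000, 0)
	for i := 0; i < n; i++ {
		ok, _ := instances[i%len(instances)].Allow("otp", now, "email:"+strings.ToLower(email), "ip:"+ip)
		if ok {
			allowed++
		}
	}
	return allowed
}

func main() {
	window, limit := 10*time.Minute, int64(5)
	// Today: two replicas, each with its own map.
	separate := []*Limiter{NewLimiter(NewMemCounter(), window, limit), NewLimiter(NewMemCounter(), window, limit)}
	// Fix: two replicas sharing one store (Redis in production).
	shared := NewMemCounter()
	pooled := []*Limiter{NewLimiter(shared, window, limit), NewLimiter(shared, window, limit)}
	fmt.Println("per-instance maps, 20 guesses allowed:", Simulate(separate, 20, "Victim@example.com", "203.0.113.7"))
	fmt.Println("shared counter,    20 guesses allowed:", Simulate(pooled, 20, "Victim@example.com", "203.0.113.7"))
}
```

With two replicas the per-instance version lets twice the configured budget through, and the factor grows with every replica added by the autoscaler; the shared version enforces the configured limit regardless of instance count.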

All Issues Filed

# Severity Title
30 Critical Spider endpoints completely unauthenticated — POST /spider/*
31 High Spider API usage not recorded without auth context
32 High Bridge webhook HMAC verification skipped when encryption key is nil
33 High Sandbox drive uses timing-unsafe API key comparison
34 High No file upload size limit on drive endpoints
35 High Skill IDs not org-scoped during agent update
36 Medium Stored XSS via text/html uploads served from presigned S3 URLs
37 Medium Approval request ID not validated against conversation scope
38 Medium Bridge webhook allows replay attacks — no timestamp freshness check
39 Medium No input size limits on sandbox exec commands
40 Medium Sandbox drive accepts any content type without allowlist
41 Medium System agent type parameter not validated
42 Medium Incoming webhooks have no signature verification
43 Low Proxy token minted but not enforced for system agent conversations
44 Medium No request body size limit on webhook receivers
45 Low Batch loaders for agent subagents and skills lack org_id filtering
46 Medium Nango webhook logs raw request body containing sensitive credentials
47 Low Railway proxy forwards unrestricted GraphQL queries
48 Critical Router default_agent_id not validated for org ownership
49 Critical Router CreateRule agent_id not validated for org ownership
50 Critical Non-admin org members can access all sensitive data
51 High Non-admin members can revoke credentials, API keys, and tokens
52 High Reconnect-session endpoint lacks org-scoping
53 High Non-admin members can create API keys and mint proxy tokens
54 High Router CreateTrigger connection_id not validated for org ownership
55 Medium Marketplace self-publish bypasses admin review
56 High Non-admin members can create credentials and manage billing
57 Medium Custom domains response leaks acme-dns credentials
58 Critical Impersonation tokens are indistinguishable from real sessions
59 Medium No rate limiting on invite token accept/decline
60 High OTP verify allows brute-force of 6-digit code
61 Medium In-Connection Create accepts unverified NangoConnectionID
62 Medium No organization creation limit
63 High Case-sensitive platform admin email matching
64 High OTP request lacks per-email rate limiting (email bombing)
65 Medium CORS wildcard origin misconfiguration
66 Medium CORS wildcard misconfiguration on admin API routes
67 Low Marketplace public endpoints expose agent system prompts
68 Medium Invite acceptance doesn't check for existing membership
69 Medium Login rate limiting in-memory only, per-email scoping
70 Medium Logout allows revocation of other users' refresh tokens
71 Medium LIKE pattern injection in search parameters
72 Medium Race condition on concurrent invite acceptance
73 Medium Refresh token rotation vulnerable to race condition
74 Medium Unbounded list endpoints allow memory-exhaustion DoS
75 Low Public invite preview leaks org ID, inviter name, and email
76 Medium OAuth auto-links accounts by email without confirmation
77 Low Health endpoints leak infrastructure details
78 Low Credential base_url not validated against allowlist
79 Low Impersonation doesn't validate target email confirmation
80 Low API key allows arbitrary scopes without role restriction
81 Low Invite ID leaks in conflict response
82 Info Usage endpoint exposes per-user cost data to all members
83 Info Generations endpoint returns ip_address to all members

Endpoints Not Fully Covered

All endpoint groups were covered by at least one subagent. No gaps detected.

Labels: security (Security vulnerability or concern)