FM-001 — Cross-Organization Cache Pollution
SEV-1 multi-tenancy data leak — React Query cache key missing organizationId allowed cross-tenant data to surface after workspace switch.
| Field | Value |
|---|---|
| Severity | SEV-1 (cross-tenant data exposure) |
| Category | Multi-Tenancy Data Leaks |
| Status | 🟢 Archived (resolved, guards in place) |
Blameless rule applies. This document is about systems.
Symptom
Section titled “Symptom”Users see data from another organization after switching workspaces.
Root cause
Section titled “Root cause”React Query cache key did not include organizationId. Cache from org A persisted when viewing org B.
Always include currentOrganization?.id in query keys. Add enabled: !!currentOrganization?.id to prevent fetches during org switch.
// ❌ BUG PATTERNqueryKey: ['/api/contacts']
// ✅ FIXqueryKey: ['/api/contacts', currentOrganization?.id]Prevention / Guard
Section titled “Prevention / Guard”- The
pattern-registry.mdcReact Query Pattern enforces this. Code review must verify org ID in all query keys. - Query key convention documented in CLAUDE.md rule 5.
Related
Section titled “Related”- Engineering → Incidents
- ADR-0002 — Repository Pattern — broader org-scoping enforcement
- Data Access standard
- FM-002 — Org ID from Request Body — same class
- FM-012 —
|| 1Fallback Leaks Org 1 Data — same class - FM-047 — Diagnostic Route Exposes Task Data — same class