FM-047 — Temporary Diagnostic Route Exposes Org-Scoped Task Data
/api/tasks/cache-test was on public allowlist while returning sampled persisted task rows.
| Field | Value |
|---|---|
| Severity | SEV-1 (security — unauthenticated org data exposure) |
| Category | Security / Multi-Tenancy Data Leaks |
| Date | 2026-05-12 |
| Status | Archived |
Symptom
Section titled “Symptom”Security review found /api/tasks/cache-test on the unauthenticated public allowlist while its handler returned sampled persisted task rows.
Root cause
Section titled “Root cause”A temporary cache-test endpoint was left mounted in two route modules and used hardcoded userId = 8 / orgId = 1, then /tasks/cache-test was added to global auth and organization-context public path allowlists.
Removed both cache-test route handlers and removed /tasks/cache-test from all public path allowlists.
Prevention
Section titled “Prevention”scripts/check-sensitive-public-routes.shblocks reintroducing/tasks/cache-test, temporary cache-test handlers, or diagnostic routes returningtasks.slice(0, 3)- This guard is part of
npm run check:architecture-hard-guards - Never add temporary diagnostic routes with global allowlists; never use hardcoded userId/orgId