Skip to content

FM-047 — Temporary Diagnostic Route Exposes Org-Scoped Task Data

/api/tasks/cache-test was on public allowlist while returning sampled persisted task rows.

FieldValue
SeveritySEV-1 (security — unauthenticated org data exposure)
CategorySecurity / Multi-Tenancy Data Leaks
Date2026-05-12
StatusArchived

Security review found /api/tasks/cache-test on the unauthenticated public allowlist while its handler returned sampled persisted task rows.

A temporary cache-test endpoint was left mounted in two route modules and used hardcoded userId = 8 / orgId = 1, then /tasks/cache-test was added to global auth and organization-context public path allowlists.

Removed both cache-test route handlers and removed /tasks/cache-test from all public path allowlists.

  • scripts/check-sensitive-public-routes.sh blocks reintroducing /tasks/cache-test, temporary cache-test handlers, or diagnostic routes returning tasks.slice(0, 3)
  • This guard is part of npm run check:architecture-hard-guards
  • Never add temporary diagnostic routes with global allowlists; never use hardcoded userId/orgId