Members can enumerate and delete organization invites

Disclosed by
_x3ro_
Summary by PostHog Vulnerability Disclosure Engagement

Members always have the ability to list invites. Our backend additionally allowed them to delete invites, but our frontend prevented this. After discussing internally, we decided to honor the frontend logic and have adjusted our backend to disallow Members from deleting invites.

https://github.com/PostHog/posthog/pull/38256

Summary by _x3ro_

A user with the Member role can enumerate and delete organization invites via the invites API. This allows Members to:
View pending invites and inviter details.
Delete invites created by Admins/Owners.
This is a Broken Access Control issue that can lead to information disclosure and disruption of organization onboarding.
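As an added illustration (not PostHog's code, and not taken from the PR linked above), a minimal server-side check of the kind the fix describes: the flawed version only confirms organization membership, which is enough to list invites but was also wrongly accepted for deletion, while the corrected version requires Admin or Owner level before a delete. Class and function names and the numeric level values are hypothetical.

```python
# Added example, not PostHog's code. Models the invite-permission bug described
# above: listing is open to every member, deletion must be gated server-side.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hypothetical membership levels; higher value means more privilege."""
    MEMBER = 1
    ADMIN = 8
    OWNER = 15


@dataclass
class Invite:
    id: str
    org_id: str
    target_email: str
    created_by: str  # inviter user id


@dataclass
class Membership:
    user_id: str
    org_id: str
    level: Level


def can_list_invites(m: Membership, org_id: str) -> bool:
    # Listing invites remains available to every member of the organization.
    return m.org_id == org_id


def can_delete_invite_flawed(m: Membership, invite: Invite) -> bool:
    # The flaw: membership alone was accepted as authorization to delete.
    # The frontend hid the button, but an API caller bypasses that entirely.
    return m.org_id == invite.org_id


def can_delete_invite(m: Membership, invite: Invite) -> bool:
    # Corrected: same organization AND Admin-or-higher level required.
    return m.org_id == invite.org_id and m.level >= Level.ADMIN


def delete_invite(m: Membership, invites: dict, invite_id: str) -> bool:
    """Remove the invite only if permitted; return False with no side effect otherwise."""
    invite = invites.get(invite_id)
    if invite is None or not can_delete_invite(m, invite):
        return False
    del invites[invite_id]
    return True


# Constructed sample data so the block runs stand-alone.
INVITES = {"inv-1": Invite("inv-1", "org-a", "new@example.com", created_by="u-owner")}
MEMBER = Membership("u-member", "org-a", Level.MEMBER)
ADMIN = Membership("u-admin", "org-a", Level.ADMIN)
OUTSIDER = Membership("u-other", "org-b", Level.OWNER)
```

The contrast between the two predicates is the whole lesson: a UI-only restriction is not access control, so the backend must enforce the same rule the frontend displays.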