Salesforce has released an emergency security patch addressing a critical vulnerability in its API gateway that could have allowed authenticated users to access data belonging to other organizations on the same instance. The flaw, discovered by security researchers at Bishop Fox and responsibly disclosed to Salesforce on March 28, affected the platform's REST and SOAP APIs under specific configuration conditions involving guest user permissions and communities.

The vulnerability, assigned a CVSS score of 9.1, stemmed from a logic error in the API's tenant isolation layer that could be triggered when guest user profiles were granted object-level access to custom objects with lookup relationships to standard objects. While Salesforce has confirmed that no customer data was accessed maliciously before the patch was deployed, the company is urging all customers to review their guest user permission configurations as an additional precaution.

Security experts recommend that Salesforce administrators immediately verify that the auto-deployed patch has been applied to their instances, conduct a comprehensive audit of guest user profiles and permissions, and review API access logs for any unusual cross-tenant query patterns. This incident underscores the importance of following Salesforce's security best practices, including minimizing guest user permissions, implementing field-level security, and regularly running the Salesforce Health Check tool to identify configuration risks.
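One way to start the guest-profile audit recommended above is to enumerate, in the org's own metadata, the combination the article names as the trigger condition: custom objects that guest profiles can read and that also carry a lookup to a standard object. The Apex below is an added example, not code from the article, Bishop Fox or Salesforce; it uses the standard `Profile`, `ObjectPermissions` and Schema describe APIs, is meant to run as anonymous Apex by an administrator, and only lists candidate configurations for review rather than testing for the flaw itself.

```apex
// Added example: list custom objects readable by guest-user profiles that
// also hold a lookup to a standard object (the configuration the article
// describes as the trigger condition). Run as anonymous Apex.
Set<Id> guestProfileIds = new Set<Id>();
for (Profile p : [SELECT Id FROM Profile WHERE UserType = 'Guest']) {
    guestProfileIds.add(p.Id);
}

// Profile-owned ObjectPermissions rows reference their profile via Parent.ProfileId.
// Collect every custom object (API name ending in __c) a guest profile can read.
Map<String, Set<Id>> readableCustomObjects = new Map<String, Set<Id>>();
for (ObjectPermissions op : [
        SELECT SobjectType, Parent.ProfileId
        FROM ObjectPermissions
        WHERE PermissionsRead = true
          AND Parent.IsOwnedByProfile = true
          AND Parent.ProfileId IN :guestProfileIds]) {
    if (!op.SobjectType.endsWith('__c')) {
        continue;   // standard objects are out of scope for this check
    }
    if (!readableCustomObjects.containsKey(op.SobjectType)) {
        readableCustomObjects.put(op.SobjectType, new Set<Id>());
    }
    readableCustomObjects.get(op.SobjectType).add(op.Parent.ProfileId);
}

// For each such object, report lookup (reference) fields whose target is a
// standard object, together with the guest profiles that can read the object.
Map<String, Schema.SObjectType> globalDescribe = Schema.getGlobalDescribe();
for (String objName : readableCustomObjects.keySet()) {
    Schema.SObjectType objType = globalDescribe.get(objName.toLowerCase());
    if (objType == null) {
        continue;   // permission row for an object this user cannot describe
    }
    for (Schema.SObjectField f : objType.getDescribe().fields.getMap().values()) {
        Schema.DescribeFieldResult fd = f.getDescribe();
        if (fd.getType() != Schema.DisplayType.REFERENCE) {
            continue;
        }
        for (Schema.SObjectType target : fd.getReferenceTo()) {
            if (!target.getDescribe().isCustom()) {
                System.debug('REVIEW: ' + objName + '.' + fd.getName() + ' -> '
                    + target.getDescribe().getName()
                    + ' readable by guest profiles ' + readableCustomObjects.get(objName));
            }
        }
    }
}
```

Each `REVIEW:` line in the debug log is a guest-readable custom object with a path into a standard object; whether that access is intended is a business decision, but each one is a candidate for tightening under the least-privilege guidance the article cites.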