HackerOne Disclosed Reports - 2025-07-23

High
resolved

Mint Oauth2 access token for targeted user

Bug reported by Timothy Leung was disclosed at July 23, 2025, 12:06 am   |   Improper Authentication - Generic

The vulnerability allowed a group owner to create an application that was trusted by default, bypassing CSRF controls for the authorization flow. This enabled the minting of access tokens for targeted users without their consent.