HackerOne Disclosed Reports - 2026-02-28

HackerOne Disclosed Reports - 2026-02-28 - Printable Version

+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2026-02-28 (/Thread-HackerOne-Disclosed-Reports-2026-02-28)

HackerOne disclosed reports - 2026-02-28 - hashXploiter - 03-01-2026

Medium
resolved

2FA requirement bypass when inviting team members

Bug reported by Youssef AboHashish was disclosed at February 28, 2026, 8:55 pm | Improper Access Control - Generic

The application's requirement for users to enable 2FA before sending team invitations was bypassed by modifying client-side responses. This allowed invitations to be sent without enabling 2FA, defeating the security requirement.