HackerOne Disclosed Reports - 2025-08-12


Low
resolved

Exceed the maximum number of subscribers using Race Condition


Bug reported by Ali Abbas was disclosed on August 12, 2025, 7:52 pm   |   Business Logic Errors

A race condition vulnerability was discovered in the SingleStore control panel that allowed bypassing the maximum limit of five subscribers for alerts. The issue was patched and deployed to production.


Medium
resolved

IDOR - Scheduled data leak to other accounts By "projectID"


Bug reported by Ali Abbas was disclosed on August 12, 2025, 7:47 pm   |   Business Logic Errors

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in the GetNotebookScheduledPaginatedJobs endpoint on backend.singlestore.com. The API failed to verify that the requester was permitted to access the specified project, so an authenticated user could read scheduled job information belonging to other users' projects simply by modifying the projectID parameter. The vulnerability exposed sensitive information such as database names, notebook paths, scheduling details, and infrastructure information.




