@saltcorn/data: Tenant user role is used for tenant creation role check
Severity: High
Description
The tenant-creation role check consults the user's role within the current tenant instead of their role on the root domain. As a result, a tenant admin who is logged out of the root domain (e.g., saltcorn.com) but logged in as admin to their own tenant space can reach the tenant-creation route simply by appending /tenant/create to their tenant URL.
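The flaw class described above, as an added illustration that is not Saltcorn's code: an authorization check for a tenant-creation route in its vulnerable form (it trusts whatever role the current tenant session carries) beside a corrected form (it requires the request and the session to belong to the root domain before consulting the role), plus a small detection helper. The request shape, the constants `ROOT_DOMAIN`, `ROOT_TENANT` and `ADMIN_ROLE_ID`, and the sample requests are all constructed for this example.

```javascript
// Added illustration of the flaw described in the advisory; this is not
// Saltcorn's code. Assumed model: each request carries the hostname it was
// served on, the requested path, and the session user for that tenant, with a
// `role_id` and the tenant the session belongs to. All constants are constructed.
const ROOT_DOMAIN = "saltcorn.com";   // assumed root domain of the install
const ROOT_TENANT = "root";           // assumed name of the root tenant's session scope
const ADMIN_ROLE_ID = 1;              // assumed: role id 1 means admin

// Vulnerable form: the check only asks "is the current session an admin?".
// Inside a tenant, that session is the tenant's own admin, so the check passes
// even though the user holds no role on the root domain.
function canCreateTenantVulnerable(req) {
  return Boolean(req.user) && req.user.role_id === ADMIN_ROLE_ID;
}

// Corrected form: tenant creation is a root-domain privilege, so the check
// requires (a) the request to be served on the root domain and (b) the session
// to belong to the root tenant, and only then consults the role.
function canCreateTenantFixed(req) {
  if (req.hostname !== ROOT_DOMAIN) return false;
  if (!req.user || req.user.tenant !== ROOT_TENANT) return false;
  return req.user.role_id === ADMIN_ROLE_ID;
}

// Route handler shape shared by both variants: returns the HTTP status the
// /tenant/create route would answer with under the given check.
function tenantCreateRoute(req, check) {
  return check(req) ? 200 : 403;
}

// Detection aid: flag tenant-creation requests that arrive on a tenant host
// rather than on the root domain, which is the path the advisory describes.
function isSuspiciousTenantCreate(req) {
  return req.path === "/tenant/create" && req.hostname !== ROOT_DOMAIN;
}

// Constructed sample requests.
const SAMPLE = {
  rootAdmin: { hostname: "saltcorn.com", path: "/tenant/create",
               user: { tenant: "root", role_id: 1 } },
  tenantAdmin: { hostname: "acme.saltcorn.com", path: "/tenant/create",
                 user: { tenant: "acme", role_id: 1 } },
  anonymous: { hostname: "saltcorn.com", path: "/tenant/create", user: null },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, req] of Object.entries(SAMPLE)) {
    console.log(name,
      "vulnerable:", tenantCreateRoute(req, canCreateTenantVulnerable),
      "fixed:", tenantCreateRoute(req, canCreateTenantFixed),
      "suspicious:", isSuspiciousTenantCreate(req));
  }
}
```

Run with `node`: the tenant admin gets 200 from the vulnerable check and 403 from the corrected one, while the root-domain admin is accepted by both and the anonymous request by neither. The design point is that the corrected check binds the decision to the context in which the privilege is defined (the root domain) rather than to the role stored in whichever session happens to be active.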
Recommendation
Update the @saltcorn/data package to the latest compatible version. Version details follow:
Affected version(s):
- >= 1.6.0-alpha.0, < 1.6.0-beta.2
- >= 1.5.0-beta.0, < 1.5.2
- < 1.4.4
Patched version(s):
- 1.6.0-beta.2
- 1.5.2
- 1.4.4
References
Related Issues
- @saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler - Vulnerability
- Paperclip: Malicious skills able to exfiltrate and destroy all user data - Vulnerability
- @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
- @saltcorn/server arbitrary file and directory listing when accessing build mobile app results - Vulnerability
Tags: npm, @saltcorn/data
Last updated on April 22, 2026