
SC Media: Vulnerabilities

Zapier security flaws could have exposed millions of user accounts

A chain of five vulnerabilities in Zapier's workflow automation platform could have allowed an attacker with a free account to gain access to internal storage and a key for client-side code, enabling them to impersonate legitimate users and perform actions across connected services. The attack vector did not require malware or insider access, only the chaining of these weaknesses to ultimately update code running in users' browsers. Zapier triaged the issues within four days and fully remediated them within three weeks, and there is no evidence of exploitation prior to patching.

Vulnerability Management

May 29, 2026, by SC Staff

As reported by CyberScoop, security researchers discovered a chain of five vulnerabilities in the popular workflow automation service Zapier that, if exploited by a malicious actor, could have granted access to millions of user accounts and connected systems. The flaws, disclosed by Token Security, did not require malware or insider access, only a free Zapier account.

Researchers chained together weaknesses to gain access to internal storage containing over 1,100 private software images. One image held a publishing key for code that runs in every logged-in Zapier user's browser. An attacker could have updated this code to act as a legitimate user, creating or altering automations and accessing connected services. This could lead to actions like sending emails, moving files, or pulling database records, all appearing legitimate. While attackers couldn't obtain passwords for connected services, the actions would originate from the user's account. Researchers also found a working key tied to an AI company's CTO, allowing them to send an email from the executive's Gmail.

Zapier triaged the issues within four days and remediated within three weeks, paying the maximum $3,000 bounty. The company stated there is no evidence the weaknesses were exploited before being patched.

Automation platforms and AI tools are increasingly granted authority across multiple services, making such vulnerabilities a significant supply-chain risk. Token Security noted similar mistakes are likely present at other companies.

Source: CyberScoop

Related

- High-severity Starlette vulnerability ‘BadHost’ could expose sensitive data (SC Staff, May 27, 2026): The flaw, tracked as CVE-2026-48710, arises from the framework's handling of malformed Host headers.
- CISA adds LiteSpeed cPanel plugin bug to exploited vulnerabilities list (Steve Zurier, May 27, 2026): CISA warns of exploited LiteSpeed flaw putting shared hosting at risk.
- Drupal bug added to CISA list of known exploited vulnerabilities (Steve Zurier, May 26, 2026): Drupal SQL injection flaw CVE-2026-9082 added to CISA KEV as active attacks target sites.
