BotBeat
...
← Back

> ▌

Sectum AISectum AI
INDUSTRY REPORTSectum AI2026-07-14

Security Audit: 78 Self-Hosted AI Tools Leak Data Across Tenants

Key Takeaways

  • ▸78 of 200+ multi-tenant AI/SaaS products contain cross-tenant data exposure vulnerabilities affecting read operations
  • ▸84 confirmed findings follow an identical anti-pattern: authorization checks enforced on write paths but missing on neighboring read/list/search endpoints
  • ▸31 advisories already published to GitHub Security Advisories; remaining 53 products under coordinated disclosure with shipping fixes
Source:
Hacker Newshttps://sectum.ai/blog/tenant-isolation-roundup/↗

Summary

A comprehensive security audit by researcher dmitry-maranik reviewed 200+ multi-tenant AI and SaaS products and found critical tenant isolation vulnerabilities in 78 of them—84 confirmed findings total. Each vulnerability follows the same pattern: authorization checks that properly guard write operations but are missing from neighboring read endpoints, allowing one tenant to access, modify, or delete another tenant's data.

The researcher confirmed each vulnerability in isolated test environments using Sectum AI, an open-source multi-tenant isolation verification tool, before reporting findings privately to maintainers under coordinated 90-day disclosure windows. To date, 31 vulnerabilities have been filed as GitHub Security Advisories; the remainder remain undisclosed until fixes ship. The systematic pattern of the same bug across dozens of products reveals a widespread gap in how development teams implement authorization for multi-tenant features.

The core issue is straightforward: developers correctly scope ownership checks to write operations (delete, modify) but overlook them on read operations (view, list, search). Since many product IDs are sequential or guessable, attackers can simply request another tenant's data by ID. This isn't 84 isolated bugs but one architectural mistake, repeated 84 times across the industry.

  • Vulnerabilities confirmed in isolated lab environments using the Sectum AI isolation verification tool; full findings at sectum.ai/research
  • Sequential or guessable object IDs enable trivial exploitation—authenticated users in one tenant can access another's data by simply requesting different IDs

Editorial Opinion

This audit exposes a systemic blind spot in AI/SaaS development: the assumption that authorization logic from write paths will automatically carry over to reads. The 84-fold repetition of the same bug across 78 independent products suggests architectural negligence, not isolated oversights. Every team shipping multi-tenant features should now treat this as a mandatory security check—authorization must be enforced on every data access path, period. The good news: the fix is trivial; the bad news is this pattern was not caught earlier despite being an obvious target for security review.

MLOps & InfrastructureCybersecurityEthics & BiasAI Safety & AlignmentResearch

Comments

Suggested

Tracebit ResearchTracebit Research
RESEARCH

Tracebit Researchers Introduce 'Context Bombs' to Halt Autonomous AI Agent Cyberattacks

2026-07-14
JoyAIJoyAI
OPEN SOURCE

Oya: Open-Source Framework Cuts AI Agent Token Costs by 10x

2026-07-14
OpenAIOpenAI
POLICY & REGULATION

OpenAI Mandates Hardware-Backed Passkeys for Cybersecurity Researchers

2026-07-14
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us