@workos-inc/authkit-nextjs is vulnerable to Insecure Direct Object Reference (IDOR)
75
High Risk
The @workos-inc/authkit-nextjs package exposes a getOrganizationAction server action that resolves a client-supplied organization ID using the application's WorkOS API key. The action returns the full organization object without verifying that the caller is authenticated within that organization, so any caller can read arbitrary organizations by their ID. Under the default lazy middleware even unauthenticated requests can retrieve organization details such as metadata, external IDs, Stripe customer IDs, and domains. The fix scopes the lookup to the caller's own session and returns only the organization id and name.
You are affected if you are using a version that falls within the vulnerable range.
@workos-inc/authkit-nextjs is vulnerable to Insecure Direct Object Reference (IDOR) in versions 1.0.0 - 4.1.2.
Upgrade the @workos-inc/authkit-nextjs library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant