Intel

AIKIDO-2026-309251

@workos-inc/authkit-nextjs is vulnerable to Insecure Direct Object Reference (IDOR)

Insecure Direct Object Reference (IDOR) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

75

High Risk

This Affects:

JS@workos-inc/authkit-nextjs
1.0.0 - 4.1.2
Fixed in 4.1.3
Are you affected? Scan for Free

TL;DR

The @workos-inc/authkit-nextjs package exposes a getOrganizationAction server action that resolves a client-supplied organization ID using the application's WorkOS API key. The action returns the full organization object without verifying that the caller is authenticated within that organization, so any caller can read arbitrary organizations by their ID. Under the default lazy middleware even unauthenticated requests can retrieve organization details such as metadata, external IDs, Stripe customer IDs, and domains. The fix scopes the lookup to the caller's own session and returns only the organization id and name.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@workos-inc/authkit-nextjs is vulnerable to Insecure Direct Object Reference (IDOR) in versions 1.0.0 - 4.1.2.

How to fix this

Upgrade the @workos-inc/authkit-nextjs library to the patch version.