Midday – Authorization Bypass

27/03/2026

On midday, the ‘updateMember’ tRPC mutation allows any authenticated team member to modify the role of any other member within the same team, including promoting themselves to ‘owner’ or demoting existing owners to ‘member’.

This is due to missing authorization checks that should verify the caller has sufficient privileges (i.e., is an `owner`) before allowing role modifications.

At the time of discovery, owner and member roles did not enforce materially different permissions within Midday, limiting the practical exploitability of this vulnerability.

Joshua Martinelle Fri, 03/27/2026 – 08:53
– Read more

Monday	08:00 - 17:00
Tuesday	08:00 - 17:00
Wednesday	08:00 - 17:00
Thursday	08:00 - 17:00
Friday	08:00 - 17:00

Midday – Authorization Bypass

Latest article

Security posture improvement in the AI era

Metasploit Wrap-Up 05/01/2026

Windows shell spoofing vulnerability puts sensitive data at risk

Criminal IP and Securonix ThreatQ Collaborate to Enhance Threat Intelligence Operations

EDITOR PICKS

Security posture improvement in the AI era

Metasploit Wrap-Up 05/01/2026

Windows shell spoofing vulnerability puts sensitive data at risk

POPULAR POSTS

Threats to users of adult websites in 2018

The World’s Most Popular Coding Language Happens to be Most Hackers’...

IT threat evolution Q2 2019

POPULAR CATEGORY

Security posture improvement in the AI era

Metasploit Wrap-Up 05/01/2026

Windows shell spoofing vulnerability puts sensitive data at risk