Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
A comment in nebula-mesh's code confesses the design flaw: API trusts the bearer token for authorization. Here's why that breaks multi-tenant isolation, how to spot the pattern, and how to fix it before it becomes an incident.
CVE GHSA-jpjh-jm2p-39hh: Arcane's PUT endpoint for global environment variables has no authorization check, letting any authenticated user overwrite .env.global and inject variables into every project's compose file.