GHSA-9h64-2846-7x7f - Axonflow fixed bugs by implementing multi-tenant isolation and access-control ha

📡 GitHub-Advisory · 2026-05-06


GHSA-9h64-2846-7x7f CRITICAL go/github.com/getaxonflow/axonflow

CVE:

Summary

Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a single platform upgrade.

Affected versions

< 7.5.0. Specific items affect different earlier minors; see Impact below.

Patched versions

>= 7.5.0.

Impact

| # | Item | Affected | Patched | CWE |
|---|------|----------|---------|-----|
| 1 | **MAP execution multi-tenant isolation.** A body-supplied `org_id` could override the Basic-auth-derived org for both execution recording and policy evaluation. In multi-tenant deployments with shared agents, this could record one tenant's request under another tenant's audit log and evaluate it under the wrong tenant's policy set. | `< 7.4.5` | `>= 7.4.5` | CWE-863 |
| 2 | **Cross-tenant audit-log leak via evidence/explain handlers.** The handlers behind `/api/v1/evidence/*` and `/api/v1/decisions/*/explain` failed open when the tenant context was missing, returning data scoped to a different tenant or returning data without scope. | `< 7.2.0` | `>= 7.2.0` | CWE-200, CWE-863 |
| 3 | **License-validation bypass on `onboard-customer`.** The portal customer-onboard endpoint lacked authentication and license-key validation, allowing unauthenticated callers to invoke the onboard flow. | `< 7.2.0` | `>= 7.2.0` | CWE-862 |
| 4 | **Tenant-scope fail-open on evidence/explain.** Distinct from item 2: when tenant headers were absent, the handler defaulted to a permissive read scope rather than refusing the request. | `< 7.2.0` | `>= 7.2.0` | CWE-862 |
| 5 | **Internal-service auth fallback bypass in non-Community modes.** Evaluation/Enterprise builds carried an auth fallback path that, under specific request shapes, could be exploited to bypass `apiAuthMiddleware`. | `< 7.2.0` | `>= 7.2.0` | CWE-863 |
| 6 | **Login timing / org-existence disclosu | | | |
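To make the two recurring defect patterns concrete (item 1: a body-supplied `org_id` overriding the credential-derived org; items 2 and 4: failing open when tenant context is missing), here is an added illustration in Go of the tenant-resolution logic before and after hardening. It is not AxonFlow's own code; `execRequest`, `resolveOrgVulnerable` and `resolveOrgHardened` are hypothetical names, and the request shape is a simplification.

```go
package main

import (
	"errors"
	"fmt"
)

// execRequest is a hypothetical, simplified view of an execution request:
// the org derived from the Basic-auth credential, plus the untrusted org_id
// carried in the JSON body (constructed for this example).
type execRequest struct {
	AuthOrg string // resolved from the authenticated credential; "" = no tenant context
	BodyOrg string // org_id from the request body; attacker-controlled
}

var (
	errNoTenant    = errors.New("missing tenant context: refusing request")
	errOrgMismatch = errors.New("body org_id does not match authenticated org")
)

// resolveOrgVulnerable mirrors the pre-fix pattern: the body org_id wins over the
// credential-derived org, and an empty tenant context is passed through, so a
// later data lookup runs unscoped (the fail-open behaviour).
func resolveOrgVulnerable(r execRequest) (string, error) {
	if r.BodyOrg != "" {
		return r.BodyOrg, nil
	}
	return r.AuthOrg, nil // may be "", which downstream treats as "any tenant"
}

// resolveOrgHardened binds the tenant strictly to the authenticated credential:
// no credential-derived org means the request is refused (fail closed), and a
// body org_id is only tolerated when it agrees with the authenticated org.
func resolveOrgHardened(r execRequest) (string, error) {
	if r.AuthOrg == "" {
		return "", errNoTenant
	}
	if r.BodyOrg != "" && r.BodyOrg != r.AuthOrg {
		return "", errOrgMismatch
	}
	return r.AuthOrg, nil
}

func main() {
	req := execRequest{AuthOrg: "org-a", BodyOrg: "org-b"} // constructed sample
	v, _ := resolveOrgVulnerable(req)
	h, err := resolveOrgHardened(req)
	fmt.Printf("vulnerable resolves to %q; hardened resolves to %q (err: %v)\n", v, h, err)
}
```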

