Severity: Critical
CVSS Score: 9.1
## Summary Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a single platform upgrade. ## Affected versions `< 7.5.0`. Specific items affect different earlier minors; see Impact below. ## Patched versions `>= 7.5.0`. ## Impact | # | Item | Affected | Patched | CWE | |---|---|---|---|---| | 1 | **MAP execution multi-tenant isolation.** A body-supplied `org_id` could override the Basic-auth-derived org for both execution recording and policy evaluation. In multi-tenant deployments with shared agents, this could record one tenant's request under another tenant's audit log and evaluate it under the wrong tenant's policy set. | `< 7.4.5` | `>= 7.4.5` | CWE-863 | | 2 | **Cross-tenant audit-log leak via evidence/explain handlers.** The handlers behind `/api/v1/evidence/*` and `/api/v1/decisions/*/explain` failed open when the tenant context was missing, returning data scoped to a different tenant or returning data without scope. | `< 7.2.0` | `>= 7.2.0` | CWE-200, CWE-863 | | 3 | **License-validation bypass on `onboard-customer`.** The portal customer-onboard endpoint lacked authentication and license-key validation, allowing unauthenticated callers to invoke the onboard flow. | `< 7.2.0` | `>= 7.2.0` | CWE-862 | | 4 | **Tenant-scope fail-open on evidence/explain.** Distinct from item 2: when tenant headers were absent, the handler defaulted to a permissive read scope rather than refusing the request. | `< 7.2.0` | `>= 7.2.0` | CWE-862 | | 5 | **Internal-service auth fallback bypass in non-Community modes.** Evaluation/Enterprise builds carried an auth fallback path that, under specific request shapes, could be exploited to bypass `apiAuthMiddleware`. | `< 7.2.0` | `>= 7.2.0` | CWE-863 | | 6 | **Login timing / org-existence disclosure on the portal.** The login handler returned different timing and response bodies for invalid-org vs invalid-password, allowing org enumeration. | `< 7.1.3` | `>= 7.1.3` | CWE-208 | | 7 | **Portal DoS via unbounded request body.** The portal accepted unbounded request bodies, allowing memory-exhaustion attacks. Capped at 1 MiB. | `< 7.1.5` | `>= 7.1.5` | CWE-770 | | 8 | **SQL-injection enforcement regression on `try.getaxonflow.com`.** The Community SaaS hosted endpoint inherited the `warn` SQLi default introduced in v6.2.0, allowing SQL-injection-shaped requests to pass governance to the LLM. Self-hosted deployments were unaffected unless they manually changed the default. | `< 7.5.0` (try.getaxonflow.com only) | `>= 7.5.0` | CWE-89 | ## Remediation Upgrade to AxonFlow platform **v7.5.0** or later. No configuration changes required — the platform is purely additive and existing API/SDK callers continue to work. For users who can't upgrade immediately, item-specific mitigations: - **Items 1–5:** ensure the agent middleware sets `X-Org-ID` / `X-Tenant-ID` from authenticated identity at the ingress, never accepting body-supplied identity. - **Item 8 (Community SaaS):** `SQLI_ACTION=block` can be set explicitly via the agent task definition; v7.5.0 makes this the default. ## Resources - AxonFlow v7.5.0 CHANGELOG entry: https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md - AxonFlow v7.5.0 GitHub Release: https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0 ## Credit Identified by AxonFlow internal security review during the April 2026 quality-freeze epic.