Critical API vulnerabilities in major SaaS platforms expose millions of user records. GraphQL introspection attacks surge as enterprises adopt API-first architectures. A new BOLA vulnerability class affects OAuth 2.0 implementations across 40+ identity providers.
⚡ Bottom line: Your APIs are likely more exposed than you think. Time for a comprehensive API security audit.
☁️
Critical
CVE-2026-25001 — Salesforce API Mass Data Exposure
Why It Matters
A Broken Object Level Authorization (BOLA) vulnerability in Salesforce REST API allows authenticated users to access any record by manipulating object IDs. Researchers estimate 15,000+ Salesforce orgs may be exposing customer data through misconfigured API permissions.
A vulnerability in the OAuth 2.0 authorization code flow affects 40+ identity providers including Okta, Auth0, and custom implementations. Attackers can inject malicious tokens to hijack user sessions across connected applications.
👤
Account Takeover
Across all OAuth-connected applications
🔓
Session Hijacking
Without credential theft
🛡️
MFA Bypass
In downstream applications
🔄
Persistent Access
Through refresh token theft
Action Items
Update OAuth libraries to patched versions
Implement PKCE for all authorization code flows
Enable token binding where supported
Validate redirect_uri strictly on server side
Rotate client secrets for affected applications
📊
Surge
GraphQL API Introspection Attacks
Why It Matters
Attackers are exploiting GraphQL introspection queries to map API schemas and discover sensitive endpoints. 67% of GraphQL APIs in production have introspection enabled, exposing internal data structures and potential vulnerabilities.
Action Items
Disable introspection in production environments
Implement query depth limiting
Enable rate limiting per-user and per-query
Use persisted queries to restrict operations
Deploy GraphQL-aware WAF rules
💳
Exposure
Stripe API Key Exposure via Client-Side Code
Why It Matters
Security researchers found 12,000+ websites accidentally exposing Stripe secret API keys in client-side JavaScript. Attackers can use these keys for refund fraud, customer data theft, and fraudulent transactions.
Critical: If you use Stripe, scan your frontend code immediately. Exposed secret keys can drain your merchant account.
Action Items
Scan frontend code for exposed API keys
Use Stripe restricted keys with minimal permissions
Enable Stripe Radar for fraud detection
Implement server-side Stripe integration only
Use secret scanning in CI/CD pipelines
🚦
Research
REST API Rate Limiting Bypass Techniques
Why It Matters
New research demonstrates techniques to bypass common API rate limiting implementations using HTTP/2 multiplexing, header manipulation, and distributed attacks. Many APIs are more vulnerable to abuse than operators realize.
Action Items
Implement multi-factor rate limiting (IP + user + endpoint)
Use API gateways with advanced rate limiting
Enable anomaly detection for API traffic
Test rate limiting with modern bypass techniques
Consider implementing API quotas and billing
🎟️
Ongoing
JWT Algorithm Confusion Attacks
Why It Matters
Attackers continue to exploit JWT implementations vulnerable to algorithm confusion (alg:none, RS256→HS256). Many custom JWT libraries and older frameworks remain vulnerable.