Expected Findings
- Cross-tenant user data is exposed by changing org identifiers.
Tenant Switcher
Multi Tenant SaaS
Changing the tenant selector triggers a fresh request for another org, with no server-side check that the current user belongs to it.
Primary Flows
- Acme users Default tenant
- Rival users Cross-org data leak
Signals
Tenant Fetch
fetch("/api/orgs/" + currentOrg + "/users")