Vector Store

Vector DB Leak

The frontend ships a Pinecone API key in its bundled config, and the search endpoint returns chunks from every tenant namespace because the namespace filter is taken from the client request instead of from the authenticated tenant.

Embeddings explorer

Expected Findings

  • Pinecone API key is bundled into the public JS config.
  • Search endpoint accepts a wildcard namespace and returns rows from every tenant.
  • Returned chunks include raw HR and customer notes.
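As an added worked example (not code from the challenge, and not the Pinecone client), the first two findings in one script: a regex pass over a constructed copy of the shipped JS config that surfaces the key, and a toy in-memory index standing in for the hosted vector store, with the vulnerable handler that forwards the client's namespace beside a fixed handler that derives the namespace from the session. The tenant names, documents, embeddings and request shapes are all constructed for the illustration.

```python
import fnmatch
import math
import re

# Constructed stand-in for the public JS config; the key value is the page's
# own signal, not a live credential.
BUNDLED_JS_CONFIG = """
const API_BASE = "https://search.example.internal";
const PINECONE_API_KEY = "pk_live_vec_full_access";
"""

KEY_PATTERN = re.compile(r'PINECONE_API_KEY\s*[:=]\s*["\']([^"\']+)["\']')


def find_bundled_keys(js_text):
    """Finding 1: pull any Pinecone key literal out of shipped frontend JS."""
    return KEY_PATTERN.findall(js_text)


# Constructed sample corpus: (namespace, chunk text, embedding). The vectors are
# hand-made so similarity can be scored without an embedding model.
DOCS = [
    ("tenant-acme",    "Acme Q3 pricing sheet",          [1.0, 0.0, 0.0]),
    ("tenant-acme",    "HR note: salary band review",    [0.9, 0.1, 0.0]),
    ("tenant-globex",  "Globex customer complaint log",  [0.0, 1.0, 0.0]),
    ("tenant-globex",  "HR note: disciplinary action",   [0.1, 0.9, 0.0]),
    ("tenant-initech", "Initech onboarding checklist",   [0.0, 0.0, 1.0]),
]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


class ToyIndex:
    """Stand-in for a hosted vector index whose query takes a namespace filter."""

    def __init__(self, docs):
        self.docs = docs

    def query(self, vector, namespace, top_k=3):
        # Glob matching mirrors the flaw on the page: "*" spans every namespace.
        hits = [(ns, text, cosine(vector, emb)) for ns, text, emb in self.docs
                if fnmatch.fnmatchcase(ns, namespace)]
        hits.sort(key=lambda h: h[2], reverse=True)
        return [(ns, text) for ns, text, _ in hits[:top_k]]


INDEX = ToyIndex(DOCS)


def vulnerable_search(request):
    """Finding 2, vulnerable: the namespace is whatever the request body says."""
    return INDEX.query(request["vector"], request["namespace"])


# Strict allow-list for server-side namespaces: no glob characters can pass.
NAMESPACE_RE = re.compile(r"^tenant-[a-z0-9-]+$")


def hardened_search(request, session):
    """Fixed: the namespace comes from the authenticated session only.

    A client-supplied namespace is ignored entirely, and the derived value is
    validated before it reaches the index so a crafted tenant id cannot smuggle
    in a wildcard either.
    """
    namespace = f"tenant-{session['tenant_id']}"
    if not NAMESPACE_RE.fullmatch(namespace):
        raise ValueError("invalid tenant namespace")
    return INDEX.query(request["vector"], namespace)


def cross_tenant_rows(results, tenant_id):
    """Rows in a result set that belong to a namespace other than the caller's."""
    return [(ns, text) for ns, text in results if ns != f"tenant-{tenant_id}"]


if __name__ == "__main__":
    print("bundled keys:", find_bundled_keys(BUNDLED_JS_CONFIG))
    acme_query = {"vector": [1.0, 0.0, 0.0], "namespace": "*"}
    leaked = vulnerable_search(acme_query)
    print("vulnerable, cross-tenant rows:", cross_tenant_rows(leaked, "acme"))
    safe = hardened_search(acme_query, {"tenant_id": "acme"})
    print("hardened, cross-tenant rows:", cross_tenant_rows(safe, "acme"))
```

The same query with namespace `*` returns another tenant's HR note through the vulnerable handler and nothing outside the caller's tenant through the fixed one; the fix is the combination of ignoring the client value and allow-listing the server-derived one, since either alone leaves a path to the wildcard.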

Signals

Key
PINECONE_API_KEY = "pk_live_vec_full_access"