Nightly AI Pentest Fails, Exposing Unresolved High-Severity IDOR Flaws in Payment System
The nightly automated 'Pentest' workflow has failed. A failed run produces no new findings, but the more important consequence is what it leaves in place: a set of known, high-severity access control flaws in a payment processing system that remain open and unresolved. These are not theoretical risks but confirmed, documented issues that could allow unauthorized access to sensitive financial data.
The core of the exposure is two 'High' severity Insecure Direct Object Reference (IDOR) vulnerabilities, both cases of missing object-level authorization. Issue #49: the payment summary can be retrieved with only a merchant ID; the endpoint never checks that the requesting user is the one who owns the records. Issue #48 is even more direct: any merchant user can read another user's payment status. These are compounded by two 'Medium' severity session management flaws (#47 and #46) that could enable cross-user access or allow session validation to be bypassed entirely. The workflow failure itself may be linked to an SSRF webhook test, which suggests the security testing pipeline, and not only the application, has problems of its own.
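To make the two IDOR patterns concrete, here is an added illustration (not code from the payment system or from either issue) of what a tenant-only check and a missing ownership check look like, next to a hardened version that authorizes every lookup against both the merchant and the authenticated user. All users, payment records, IDs and function names are constructed for this example, and the regression check at the end is the kind of assertion a nightly pipeline could fail on rather than merely report.

```python
"""Illustrative IDOR (broken object-level authorization) patterns and a fix.

Everything here is constructed for the example: users, payments, IDs and
function names are hypothetical and not taken from the system in the article.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass(frozen=True)
class User:
    user_id: str
    merchant_id: str


@dataclass(frozen=True)
class Payment:
    payment_id: str
    merchant_id: str
    user_id: str        # the merchant user who owns this payment record
    status: str
    amount_cents: int


# Constructed sample data: two users of merchant m-100, one user of merchant m-200.
USERS = {
    "u-alice": User("u-alice", "m-100"),
    "u-bob": User("u-bob", "m-100"),
    "u-carol": User("u-carol", "m-200"),
}
PAYMENTS = {
    "p-1": Payment("p-1", "m-100", "u-alice", "settled", 1250),
    "p-2": Payment("p-2", "m-100", "u-bob", "pending", 9900),
    "p-3": Payment("p-3", "m-200", "u-carol", "failed", 500),
}


# --- Vulnerable shape of the #49-style finding: merchant ID is the only check ---
def payment_summary_vulnerable(caller: User, merchant_id: str) -> dict:
    """Aggregates every payment of a merchant; any user of that merchant sees all of them."""
    if caller.merchant_id != merchant_id:
        raise Forbidden("payment not found")
    rows = [p for p in PAYMENTS.values() if p.merchant_id == merchant_id]
    return {"count": len(rows), "total_cents": sum(p.amount_cents for p in rows)}


# --- Vulnerable shape of the #48-style finding: lookup by ID, no ownership check ---
def payment_status_vulnerable(caller: User, payment_id: str) -> str:
    """Returns the status of whatever payment ID the caller supplies."""
    return PAYMENTS[payment_id].status


# --- Hardened: object-level authorization on every read ------------------------
def authorize_payment(caller: User, payment: Payment) -> Payment:
    """Single choke point: the record must belong to the caller's merchant AND user."""
    if payment.merchant_id != caller.merchant_id or payment.user_id != caller.user_id:
        # Same error for "not yours" and "does not exist", so IDs cannot be enumerated.
        raise Forbidden("payment not found")
    return payment


def payment_summary_fixed(caller: User, merchant_id: str) -> dict:
    """Scopes the aggregate by merchant AND the authenticated user's own ID."""
    if caller.merchant_id != merchant_id:
        raise Forbidden("payment not found")
    rows = [p for p in PAYMENTS.values()
            if p.merchant_id == merchant_id and p.user_id == caller.user_id]
    return {"count": len(rows), "total_cents": sum(p.amount_cents for p in rows)}


def payment_status_fixed(caller: User, payment_id: str) -> str:
    """Loads the record, then authorizes it before returning anything about it."""
    payment = PAYMENTS.get(payment_id)
    if payment is None:
        raise Forbidden("payment not found")
    return authorize_payment(caller, payment).status


# --- Regression check a nightly pipeline can fail the build on ------------------
def denies_foreign_access(handler, caller: User, object_id: str) -> bool:
    """True only if the handler refuses an object the caller does not own."""
    try:
        handler(caller, object_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    bob = USERS["u-bob"]
    print("summary (vulnerable):", payment_summary_vulnerable(bob, "m-100"))
    print("summary (fixed):     ", payment_summary_fixed(bob, "m-100"))
    print("status IDOR closed:  ", denies_foreign_access(payment_status_fixed, bob, "p-1"))
```

The point of `authorize_payment` is that ownership is decided in one place from the session's identity, never from an ID the client supplied; the summary fix applies the same rule to the query filter. A pipeline that runs `denies_foreign_access` against every object-returning endpoint with a second tenant user's session has a concrete pass/fail condition for issues like #48 and #49, instead of a report that can be ignored.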
A separate PR review workflow did succeed, but its findings were only advisory, such as inefficient logging code. The contrast exposes an operational risk: the automated guardrails report severe, active security holes without forcing anyone to act on them. The unresolved IDOR issues are a direct threat to data confidentiality and user privacy within the payment ecosystem, opening a window for data exfiltration or fraud that the system's own tooling has flagged but that nobody has remediated.