HiveLoop Go SaaS Audit Flags Critical Cross-Tenant IDOR Flaws in Router Module
A comprehensive security audit of the HiveLoop Go SaaS backend API has identified four critical-severity vulnerabilities, including two persistent IDOR flaws that expose a fundamental tenant isolation failure in the platform's router module. The audit, covering all approximately 185 endpoints across auth, tenant-scoped CRUD, agent and conversation handling, webhooks, admin functions, and infrastructure, filed 49 total issues spanning critical to informational severity. The findings signal serious architectural weaknesses in how tenant boundaries are enforced at the application layer.
The most dangerous discoveries involve the router component. Issue #48 reveals that the `default_agent_id` parameter is not validated for organizational ownership, allowing a user in Tenant A to set their default agent to an agent belonging to Tenant B. This persistent IDOR vulnerability causes cross-tenant conversation routing, and there is no straightforward fix: every existing router configuration would require auditing for foreign agent references. Issue #49 documents an identical pattern in the router's CreateRule function, where the `agent_id` parameter similarly lacks ownership validation, enabling attackers to route conversations that match their rule conditions to agents in other tenants. The audit logged 14 additional high-severity issues and 21 medium-severity findings across the examined endpoints.
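The pattern behind issues #48 and #49 is the same: an agent ID supplied by the caller is stored in a router configuration without confirming that the agent belongs to the caller's tenant. The Go example below is added here for illustration and is not HiveLoop's code; the `Agent`, `RouterConfig`, and `Rule` types, the in-memory agent map, and the `SampleAgents` data are all assumptions. It shows the unchecked assignment beside the hardened form with a shared ownership check, and an audit routine of the kind the findings say existing configurations need, which flags any default agent or rule target owned by another tenant.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical data model, assumed for this example; HiveLoop's real types are not on the page.
type Agent struct {
	ID    string
	OrgID string
}

type RouterConfig struct {
	OrgID          string
	DefaultAgentID string
	Rules          []Rule
}

type Rule struct {
	Condition string
	AgentID   string
}

// ErrAgentNotFound is returned for both a missing agent and an agent owned by another
// tenant, so the response does not reveal whether a foreign agent ID exists.
var ErrAgentNotFound = errors.New("agent not found")

// requireOwnedAgent resolves agentID and confirms it belongs to callerOrg.
func requireOwnedAgent(agents map[string]Agent, callerOrg, agentID string) (Agent, error) {
	a, ok := agents[agentID]
	if !ok || a.OrgID != callerOrg {
		return Agent{}, ErrAgentNotFound
	}
	return a, nil
}

// SetDefaultAgentUnchecked mirrors the flaw described in issue #48: the ID is stored
// without checking which tenant owns the agent.
func SetDefaultAgentUnchecked(cfg *RouterConfig, agentID string) {
	cfg.DefaultAgentID = agentID
}

// SetDefaultAgent is the hardened form: both the config and the agent must belong to the caller's tenant.
func SetDefaultAgent(agents map[string]Agent, cfg *RouterConfig, callerOrg, agentID string) error {
	if cfg.OrgID != callerOrg {
		return errors.New("router config not owned by caller")
	}
	if _, err := requireOwnedAgent(agents, callerOrg, agentID); err != nil {
		return err
	}
	cfg.DefaultAgentID = agentID
	return nil
}

// CreateRule applies the same ownership check to the rule's target agent (the issue #49 pattern).
func CreateRule(agents map[string]Agent, cfg *RouterConfig, callerOrg, condition, agentID string) error {
	if cfg.OrgID != callerOrg {
		return errors.New("router config not owned by caller")
	}
	if _, err := requireOwnedAgent(agents, callerOrg, agentID); err != nil {
		return err
	}
	cfg.Rules = append(cfg.Rules, Rule{Condition: condition, AgentID: agentID})
	return nil
}

// FindCrossTenantReferences audits stored configs for default agents or rule targets
// owned by another tenant; this is the retroactive check the audit says is needed.
func FindCrossTenantReferences(agents map[string]Agent, cfgs []RouterConfig) []string {
	var findings []string
	for _, cfg := range cfgs {
		if cfg.DefaultAgentID != "" {
			if _, err := requireOwnedAgent(agents, cfg.OrgID, cfg.DefaultAgentID); err != nil {
				findings = append(findings, fmt.Sprintf("org %s: default_agent_id %s is not owned by tenant", cfg.OrgID, cfg.DefaultAgentID))
			}
		}
		for i, r := range cfg.Rules {
			if _, err := requireOwnedAgent(agents, cfg.OrgID, r.AgentID); err != nil {
				findings = append(findings, fmt.Sprintf("org %s: rule %d agent_id %s is not owned by tenant", cfg.OrgID, i, r.AgentID))
			}
		}
	}
	return findings
}

// SampleAgents is constructed test data: one agent per tenant.
func SampleAgents() map[string]Agent {
	return map[string]Agent{
		"agent-a1": {ID: "agent-a1", OrgID: "tenant-a"},
		"agent-b1": {ID: "agent-b1", OrgID: "tenant-b"},
	}
}

func main() {
	agents := SampleAgents()
	cfg := RouterConfig{OrgID: "tenant-a"}
	SetDefaultAgentUnchecked(&cfg, "agent-b1") // flaw: silently points tenant A at tenant B's agent
	fmt.Println("audit findings:", FindCrossTenantReferences(agents, []RouterConfig{cfg}))
	fmt.Println("hardened, foreign agent:", SetDefaultAgent(agents, &cfg, "tenant-a", "agent-b1"))
	fmt.Println("hardened, own agent:", SetDefaultAgent(agents, &cfg, "tenant-a", "agent-a1"))
}
```

Returning the same `ErrAgentNotFound` for a nonexistent agent and for another tenant's agent keeps the endpoint from doubling as an oracle for valid agent IDs in other organizations; the caller-ownership check on the config itself closes the companion case where the config ID, rather than the agent ID, is the foreign reference.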
The implications for multi-tenant security posture are significant. Cross-tenant data exposure through conversation routing could lead to unauthorized access to proprietary agent configurations, conversation histories, and business logic specific to other organizations. With no fix identified beyond comprehensive configuration audits for affected tenants, the remediation trajectory remains unclear. The presence of two separate critical IDOR instances in the same router module suggests systemic gaps in input validation and authorization checks that likely extend beyond these documented instances. Security teams operating HiveLoop deployments should prioritize identifying and isolating any cross-tenant data flows pending formal patch availability.