Skip to content

Security Vulnerability: Channel invite code leaked via message links (Enables unauthorized channel access) #5408

Description

@pooh-winnie

Thanks for the thorough follow-up testing! The subchannel behavior is a real gap. The original fix only blocked the copy-link action and prevented non-members from auto-joining parent channels via deep links, but subchannels inherit access differently and weren't covered.

I'll do a dedicated pass on subchannel access control. The guest-preview idea is genuinely interesting but it's a much bigger change that'd need its own design pass, so that's more of a longer-term thing. The immediate priority is just making sure non-members can't load subchannel history or post by crafting a link.

Will update here when there's something to test.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions