
DIVD-2026-00005 - Salesforce Experience Cloud – Data Exposure via Misconfiguration

Our reference: DIVD-2026-00005
Case lead: Jeroen Ellermeijer
Author: Stan Plasmeijer
Researcher(s):
CVE(s):
  • n/a
Product: Salesforce Experience Cloud
Versions: any
Recommendation: Review and correct authorization configuration in Salesforce Experience Cloud applications, including guest user permissions, object access, record access, field-level security and sharing rules. Disable guest user public API access where not strictly required.
Workaround: n/a
Status: Open
Last modified: 21 Apr 2026 20:10 CEST

Summary

DIVD has started a new research effort into unintended data exposure in applications built on the Salesforce Experience Cloud platform. The issue involves authorization misconfiguration that may allow unauthenticated users or low-privileged users to access data that should not be publicly accessible.

It is important to note that this issue does not represent a vulnerability in the Salesforce platform itself. Salesforce provides mechanisms to restrict access to data through object permissions, field-level security, sharing rules and guest user restrictions. When these controls are not correctly configured by the application owner, unintended data exposure may occur.

Typical causes include overly permissive guest user permissions, incorrect object-level access, missing or incomplete field-level security, overly broad sharing rules, and backend logic that does not properly enforce authorization checks. Publicly accessible endpoints used by the application may expose this data when these controls are not correctly applied.

This type of authorization issue is increasingly observed during security assessments and large-scale internet scans.

Affected scope

This issue is not limited to a specific Salesforce version or product. It may affect public-facing Salesforce Experience Cloud environments, including portals and communities, as well as custom implementations using Aura or Lightning components.

Because the issue originates from configuration rather than a platform vulnerability, it may occur in any Salesforce environment where access controls are not properly implemented.

How attackers can misuse this

No exploit is required to retrieve exposed data.

Salesforce Experience Cloud applications that use Aura commonly expose the /s/sfsites/aura endpoint. In some Salesforce contexts, /aura is also used as part of the Lightning Component framework. Because requests to these endpoints originate from the client and can be inspected in browser network traffic, authorization must always be enforced server-side.

If authorization controls allow access to certain objects or fields, an attacker can retrieve this data by interacting directly with these endpoints. This allows automated extraction of data across multiple applications without authentication.

During security assessments and research activities, exposed data has included personal information, customer records, support cases, internal identifiers and documents. Such exposure may lead to privacy violations, phishing attacks, fraud or regulatory consequences.

Root cause

Salesforce Experience Cloud applications rely on multiple layers of access control, including object-level permissions, record-level access and field-level security.

Data exposure typically occurs when these controls are not correctly implemented. This may be caused by overly permissive guest user permissions, incorrect object-level access, missing or incomplete field-level security, overly broad sharing rules, or custom Apex logic that does not enforce authorization checks.

These issues are related to application configuration and development practices, not to a vulnerability in the Salesforce platform itself.

What you can do

Organizations using Salesforce Experience Cloud are strongly advised to review their authorization configuration.

This includes reviewing guest user permissions, validating object-level access, record access and field-level security, and reviewing sharing rules and data visibility. Unnecessary guest access should be disabled where possible, and public API access for guest users should be restricted.

Organizations should also review Apex controllers and Aura-enabled methods to ensure proper authorization enforcement and consider performing a security review or penetration test focused on data exposure.
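As an added illustration of what that review looks for (example code written for this page, not code from DIVD or Salesforce), below is a hypothetical Aura-enabled controller for a case-lookup component in its commonly seen form and in a hardened form. Class, method and field names are assumptions; the two classes are shown together for comparison but would live in separate .cls files, and WITH USER_MODE requires a recent Apex API version.

```apex
// BEFORE (assumed pattern): "without sharing" bypasses record-level sharing, nothing checks
// object or field access, and a guest session reaches every Case the guest profile can see.
public without sharing class CaseLookupController {
    @AuraEnabled(cacheable=true)
    public static List<Case> getCases(String subjectFilter) {
        String pattern = '%' + subjectFilter + '%';
        return [SELECT Id, Subject, Description, ContactEmail
                FROM Case WHERE Subject LIKE :pattern];
    }
}

// AFTER: sharing rules apply, guest sessions are refused, and object- and field-level
// security are enforced on the server for every request, regardless of which client sent it.
public with sharing class CaseLookupControllerSecure {
    @AuraEnabled(cacheable=true)
    public static List<Case> getCases(String subjectFilter) {
        // The request arrives from the browser, so the only trustworthy input is the
        // running user's identity; the method decides, not the component that called it.
        if (Auth.CommunitiesUtil.isGuestUser()) {
            throw new AuraHandledException('Sign in to view cases.');
        }
        // Object-level check: fail closed if the user's profile cannot read Case at all.
        if (!Schema.sObjectType.Case.isAccessible()) {
            throw new AuraHandledException('Insufficient access to cases.');
        }
        String pattern = '%' + subjectFilter + '%';   // bind variable: no SOQL injection
        // WITH USER_MODE applies sharing plus object and field permissions of the running
        // user; a field the user may not read raises a QueryException instead of being
        // returned, so a missing FLS grant surfaces as an error rather than a data leak.
        return [SELECT Id, Subject, Description, ContactEmail
                FROM Case WHERE Subject LIKE :pattern
                WITH USER_MODE LIMIT 50];
    }
}
```

Methods that legitimately serve guest users keep the same structure but replace the guest check with a query limited to the specific records and fields the guest profile is meant to expose.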

If sensitive data is accessible, access should be restricted immediately, logs should be reviewed for signs of misuse and an assessment should be made whether a data breach notification is required.

What we are doing

DIVD is analysing publicly accessible Salesforce Experience Cloud applications to identify instances where authorization misconfiguration may expose data.

The applications included in this research were identified through publicly available sources. Because of this, the dataset used during this research is not exhaustive and may not include all Salesforce deployments.

Organizations whose applications appear to expose data that is likely not intended to be publicly accessible may be notified. Organizations are encouraged to proactively review their Salesforce environments.

Organizations that would like additional information about this research effort can contact the DIVD CSIRT team at DIVD-2026-00005@csirt.divd.nl.

Timeline

Date Description
01 Feb 2026 Initial research into authorization misconfigurations in Salesforce Experience Cloud applications started.
10 Mar 2026 DIVD performed a large-scale scan to identify publicly accessible Salesforce Experience Cloud applications potentially affected by this misconfiguration.
02 Apr 2026 Additional DIVD researchers joined the project to assist with reviewing findings and notifying affected organizations.
21 Apr 2026 Casefile published. Notifications to affected organizations are ongoing.

More information