>samit_hota
Back to advisories
SH-2025-014HighResolved

IDOR in Parcelhive File-Sharing Endpoint Exposes Private Documents

Samit Hota··Updated November 20, 2025
CVE ID
N/A
CVSS Score
7.5
Affected Products
Parcelhive Web App (all plans, pre-2025.11 release)
#idor#access-control#saas

Overview

Parcelhive’s “share this file” feature generated share links using a sequential, base62-encoded integer rather than a cryptographically random identifier. An authenticated user on any tenant could enumerate nearby IDs and access documents belonging to other, unrelated organizations.

Impact

Any authenticated Parcelhive user could view, and in some cases download, private files belonging to other tenants simply by incrementing a value in the share URL — no additional authorization check was performed beyond confirming the requester held some valid session.

Affected Products

  • Parcelhive Web App, all releases prior to the 2025.11 patch cycle

Technical Details

Share links followed the pattern /share/{id}, where {id} was a base62 encoding of an auto-incrementing database primary key. The share-retrieval endpoint verified that a session cookie was present and valid, but did not verify that the requesting user’s tenant matched the tenant that owned the requested file. Sequential IDs made enumeration of the full range of existing share links trivial from a single low-privilege account.

Remediation

Parcelhive’s 2025.11 release replaced sequential share IDs with 128-bit random tokens and added an explicit tenant-ownership check on the retrieval endpoint, closing both the enumeration vector and the underlying missing authorization check. Customers on the current release are not affected; no customer action is required.

Disclosure Timeline

  • 2025-10-14 — Issue identified and reported to Parcelhive’s security team
  • 2025-10-16 — Vendor acknowledged and began remediation
  • 2025-11-04 — Fix deployed to all environments
  • 2025-11-20 — Public advisory published following vendor sign-off

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call