- Severity
- High · CVSS 7.3
- Target
- Enterprise Consumer Brand
- Date
- 2026-02
- Category
- Sensitive Configuration Exposure / Potential RCE
Exposed Workflow Automation Engine with Unauthenticated Webhooks
A development instance of a workflow automation platform (capable of executing shell commands, connecting to databases, and calling APIs with stored credentials) was exposed on the public internet. The settings endpoint and webhook engine were unauthenticated.
Attack Chain
Step 1: Instance discovered via subdomain enumeration
Health check confirmed the instance was live and operational.
Step 2: Settings dumped without authentication
Full configuration including auth methods, SSO status, and plugin settings returned with no auth.
Step 3: Webhook engine actively processing requests
The webhook endpoint confirmed it was listening and would execute any workflow with a matching trigger.
What Scanners Would Miss
A port scan finds an open 443. It doesn't understand that a workflow engine with active webhooks is one valid webhook ID away from arbitrary code execution.
By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.