Severity
High · CVSS 7.3
Target
Enterprise Consumer Brand
Date
2026-02
Category
Sensitive Configuration Exposure / Potential RCE

Exposed Workflow Automation Engine with Unauthenticated Webhooks

A development instance of a workflow automation platform (capable of executing shell commands, connecting to databases, and calling APIs with stored credentials) was exposed on the public internet. The settings endpoint and webhook engine were unauthenticated.

Attack Chain

    Step 1: Instance discovered via subdomain enumeration

    Health check confirmed the instance was live and operational.

    Step 2: Settings dumped without authentication

    Full configuration including auth methods, SSO status, and plugin settings returned with no auth.

    Step 3: Webhook engine actively processing requests

    The webhook endpoint confirmed it was listening and would execute any workflow with a matching trigger.

What Scanners Would Miss

A port scan finds an open 443. It doesn't understand that a workflow engine with active webhooks is one valid webhook ID away from arbitrary code execution.

By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.