Customer-facing mortgage origination portal unauthenticated tenant-ID enumeration security flaw
Vulnerability
Summary
The customer-facing mortgage origination portal exposed an unauthenticated API that let callers enumerate tenant IDs and retrieve cross-tenant organization records. The exposed path returned data for every financial institution on the shared platform, plus the vendor's internal tenant, from a bank-branded subdomain. The same weakness was reachable from a visitor's browser because the platform's CORS policy allowed any third-party site to invoke the request without user interaction. A valid internal attribution code could also support submission forgery in the loan-origination pipeline.
Timeline
- 03.06.2026 17:02 · 2 articles
Regional bank mortgage portal exposes cross-tenant records
Initial Disclosure: Sprocket Security testers found that a customer-facing mortgage origination portal fronted at a regional bank subdomain returned organization records when supplied with a tenant ID, required no authentication or session, and allowed cross-origin requests from any third-party site. The exposed endpoint let a caller enumerate other financial institutions on the shared platform, and the returned records included staff names, business email addresses, direct-dial phone numbers, job titles, and an internal attribution code that could be used to submit a prospective borrower application in a named officer's name.
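As an added illustration (not code from the vendor, the platform, or the disclosure), the following Python model of the tenant-record lookup places the weak pattern described above beside a hardened handler: the hardened version requires a session, binds the returned record to the session's tenant rather than to the tenant ID in the path, answers foreign or unknown IDs with the same 404, and emits CORS headers only for that tenant's allow-listed branded origin. All tenant IDs, origins, records and the `Request` shape are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: two institutions plus the vendor's internal tenant.
ORG_RECORDS: Dict[str, dict] = {
    "tenant-001": {"name": "First Example Bank", "staff": ["J. Doe <jdoe@bank-a.example>"]},
    "tenant-002": {"name": "Second Example CU", "staff": ["A. Roe <aroe@cu-b.example>"]},
    "tenant-vendor": {"name": "Platform vendor (internal)", "staff": ["ops@vendor.example"]},
}
# Constructed allow-list: the one branded origin each tenant's portal is served from.
ALLOWED_ORIGINS: Dict[str, str] = {
    "tenant-001": "https://mortgage.bank-a.example",
    "tenant-002": "https://mortgage.cu-b.example",
}

@dataclass
class Request:
    tenant_id: str                  # tenant ID supplied in the request path
    session_tenant: Optional[str]   # tenant bound to the caller's session; None if anonymous
    origin: Optional[str]           # browser Origin header; None for non-browser callers

def lookup_org_vulnerable(req: Request) -> Tuple[int, dict]:
    """Weak form: no session, caller-controlled tenant ID, wildcard CORS.
    Any caller, from any site, can walk tenant IDs and read every record."""
    record = ORG_RECORDS.get(req.tenant_id)
    headers = {"Access-Control-Allow-Origin": "*"}
    if record is None:
        return 404, headers
    return 200, {**headers, "body": record}

def lookup_org_hardened(req: Request) -> Tuple[int, dict]:
    """Hardened form: a session is required, the record is bound to the session's
    tenant rather than to the path parameter, and CORS headers are emitted only
    for that tenant's allow-listed origin. A foreign tenant ID gets the same 404
    as a missing one, so the endpoint cannot be used to enumerate IDs."""
    headers = {"Vary": "Origin"}
    if req.session_tenant is None:
        return 401, headers
    if req.tenant_id != req.session_tenant or req.tenant_id not in ORG_RECORDS:
        return 404, headers
    if req.origin is not None:
        # The browser enforces CORS by refusing to expose a response whose
        # Access-Control-Allow-Origin does not match; refusing the request
        # outright for a non-allow-listed origin is defence in depth.
        if ALLOWED_ORIGINS.get(req.session_tenant) != req.origin:
            return 403, headers
        headers["Access-Control-Allow-Origin"] = req.origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return 200, {**headers, "body": ORG_RECORDS[req.tenant_id]}
```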
- What 345 Days of Untested Exposure Looks Like at a Bank — www.bleepingcomputer.com — 03.06.2026 17:02