Tags: vulnerability, medium, Authorization Bypass, Privilege Escalation

Mar 27, 2026 • Joshua Martinelle

Midday - Authorization Bypass


Source: Tenable Research Advisories
Category: vulnerability
Severity: medium

Executive Summary

A significant authorization bypass vulnerability has been identified in the Midday platform, specifically within the 'updateMember' tRPC mutation. This security flaw allows any authenticated team member to modify the roles of other members within the same team without proper privilege verification. Consequently, attackers could potentially promote themselves to 'owner' status or demote existing owners. However, the disclosure notes that at the time of discovery, the permission differences between owner and member roles were minimal, which limits the immediate practical exploitability of this issue. Despite the limited impact, this represents a critical broken access control risk that requires immediate remediation. Organizations utilizing Midday should ensure authorization checks are implemented to verify caller privileges before allowing role modifications to prevent unauthorized privilege escalation and maintain proper access governance within team environments.

Summary

On Midday, the `updateMember` tRPC mutation allows any authenticated team member to modify the role of any other member within the same team, including promoting themselves to `owner` or demoting existing owners to `member`. This is due to missing authorization checks that should verify the caller has sufficient privileges (i.e., is an `owner`) before allowing role modifications. At the time of discovery, owner and member roles did not enforce materially different permissions within Midday, limiting the practical exploitability of this vulnerability.

Joshua Martinelle, Fri, 03/27/2026 - 08:53
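As an added illustration (not Midday's or Tenable's code), the following TypeScript models the authorization logic of such an `updateMember` handler without tRPC itself: the vulnerable shape writes any requested role once the caller is merely a team member, while the hardened shape first requires the caller to hold the `owner` role in that same team. The team data, user ids and function names are constructed for this example.

```typescript
type Role = "owner" | "member";
interface Membership { userId: string; teamId: string; role: Role; }
interface Ctx { userId: string; }                                  // assumed: id of the authenticated caller
interface UpdateMemberInput { teamId: string; userId: string; role: Role; }

// Constructed sample team: one owner and two plain members (not real Midday data).
function sampleTeam(): Membership[] {
  return [
    { userId: "u-owner", teamId: "t1", role: "owner" },
    { userId: "u-alice", teamId: "t1", role: "member" },
    { userId: "u-bob", teamId: "t1", role: "member" },
  ];
}

function findMembership(db: Membership[], teamId: string, userId: string): Membership | undefined {
  return db.find((m) => m.teamId === teamId && m.userId === userId);
}

// Vulnerable shape (as described in the advisory): the handler only confirms that the
// caller is authenticated and belongs to the team, then writes whatever role was requested.
function updateMemberVulnerable(db: Membership[], ctx: Ctx, input: UpdateMemberInput): Role {
  const caller = findMembership(db, input.teamId, ctx.userId);
  if (!caller) throw new Error("FORBIDDEN: caller is not a member of this team");
  const target = findMembership(db, input.teamId, input.userId);
  if (!target) throw new Error("NOT_FOUND: target is not a member of this team");
  target.role = input.role; // no check that the caller is allowed to change roles at all
  return target.role;
}

// Hardened shape: the caller must hold the owner role in that same team before any
// role change is written. This is the check the advisory reports as missing.
function updateMemberFixed(db: Membership[], ctx: Ctx, input: UpdateMemberInput): Role {
  const caller = findMembership(db, input.teamId, ctx.userId);
  if (!caller || caller.role !== "owner") {
    throw new Error("FORBIDDEN: only a team owner may change member roles");
  }
  const target = findMembership(db, input.teamId, input.userId);
  if (!target) throw new Error("NOT_FOUND: target is not a member of this team");
  target.role = input.role;
  return target.role;
}

// Regression-style probe: can a plain member promote herself through the given handler?
function memberCanSelfPromote(handler: (db: Membership[], ctx: Ctx, i: UpdateMemberInput) => Role): boolean {
  const db = sampleTeam();
  try {
    return handler(db, { userId: "u-alice" }, { teamId: "t1", userId: "u-alice", role: "owner" }) === "owner";
  } catch (e) {
    return false;
  }
}
```

Running `memberCanSelfPromote` against both handlers is a compact way to encode the advisory's finding as a test that fails on the vulnerable shape and passes once the owner check is in place.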
