Security: Cross-Workspace Invitation Deletion IDOR in WorkspaceInvitationsController #337

@lighthousekeeper1212

Description

Summary

The destroy() method in WorkspaceInvitationsController allows any workspace owner to delete invitations belonging to any other workspace (IDOR - CWE-639).

Vulnerability Details

File: app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php, lines 42-47

public function destroy(Invitation $invitation): RedirectResponse
{
    $invitation->delete();  // No workspace ownership check
    return redirect()->route('users.index');
}

The route group at routes/web.php line 59 applies OwnsCurrentWorkspace::class middleware, which verifies the user owns their current workspace — but does NOT verify the {invitation} parameter belongs to that workspace. Laravel route model binding resolves ANY invitation by ID.

Secure pattern comparison:

The store() method in the same controller correctly scopes to the current workspace via $request->user()->currentWorkspace(). The invitations table has a workspace_id foreign key but it is never validated in destroy().

Recommended Fix

public function destroy(Invitation $invitation): RedirectResponse
{
    // Refuse unless the invitation belongs to the caller's current workspace.
    // 404 (not 403) avoids confirming that an invitation ID exists elsewhere.
    abort_unless(
        $invitation->workspace_id === auth()->user()->currentWorkspace()->id,
        404
    );
    $invitation->delete();
    return redirect()->route('users.index');
}
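A regression test for this fix, added here as an example and not part of the project: the first case fails against the original destroy() (the cross-workspace delete succeeds and redirects) and passes once the ownership check is in place. It assumes Laravel factories for User, Workspace and Invitation, an owner_id column on workspaces and a current_workspace_id column on users (hypothetical names), and a route named 'workspace-invitations.destroy' for the destroy() action (hypothetical name).

```php
<?php
// Added regression test (not the project's own code). Assumptions: model factories for
// User, Workspace and Invitation; workspaces.owner_id and users.current_workspace_id
// (hypothetical column names); a route named 'workspace-invitations.destroy' that maps
// to WorkspaceInvitationsController::destroy() behind OwnsCurrentWorkspace.

namespace Tests\Feature;

use App\Models\Invitation;
use App\Models\User;
use App\Models\Workspace;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class WorkspaceInvitationScopeTest extends TestCase
{
    use RefreshDatabase;

    // Create a user who owns a workspace and has it selected as their current workspace.
    private function ownerWithWorkspace(): array
    {
        $owner = User::factory()->create();
        $workspace = Workspace::factory()->create(['owner_id' => $owner->id]);
        $owner->forceFill(['current_workspace_id' => $workspace->id])->save();
        return [$owner, $workspace];
    }

    public function test_owner_cannot_delete_invitation_of_another_workspace(): void
    {
        [$otherOwner] = $this->ownerWithWorkspace();
        [, $targetWorkspace] = $this->ownerWithWorkspace();
        $invitation = Invitation::factory()->create(['workspace_id' => $targetWorkspace->id]);

        // Vulnerable code: 302 redirect and the row is gone. Fixed code: 404, row intact.
        $this->actingAs($otherOwner)
            ->delete(route('workspace-invitations.destroy', $invitation))
            ->assertNotFound();
        $this->assertDatabaseHas('invitations', ['id' => $invitation->id]);
    }

    public function test_owner_can_delete_invitation_of_current_workspace(): void
    {
        [$owner, $workspace] = $this->ownerWithWorkspace();
        $invitation = Invitation::factory()->create(['workspace_id' => $workspace->id]);

        $this->actingAs($owner)
            ->delete(route('workspace-invitations.destroy', $invitation))
            ->assertRedirect(route('users.index'));
        $this->assertDatabaseMissing('invitations', ['id' => $invitation->id]);
    }
}
```

The second case guards against over-correcting the fix so that legitimate deletions within the owner's own workspace keep working.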

Disclosure

Found during security research. Happy to provide additional details.
