Salesforce OmniStudio Improper Preservation of Permissions Vulnerability in FlexCards Allowing Bypass of Permission Checks
Vulnerability
A client-side enforcement of server-side security weakness has been identified in Salesforce OmniStudio FlexCards in versions prior to Spring 2025. The field-level security (FLS) checks that govern which OmniUICard fields a user may see were applied on the client rather than on the server, so a request that does not go through the intended FlexCard UI path is not subject to them. The required permission checks can therefore be bypassed and OmniUICard field data returned to users who lack FLS read access to those fields, exposing potentially sensitive configuration data.
Impact
An authenticated user who can reach the FlexCard data path can read OmniUICard fields that field-level security should hide from them. The impact is limited to disclosure of data on OmniUICard objects; no write or escalation capability is described.
Remediation
Update OmniStudio to the Spring 2025 release or later, where the checks are enforced on the server. Because the fix enforces FLS server-side, FlexCards may stop showing OmniUICard fields that users previously saw without holding the necessary permissions. Review the affected components, confirm that users reporting missing data genuinely need those fields, grant read access to the relevant OmniUICard fields through their profile or a permission set, and then verify the expected data visibility is restored.
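The weakness class and the remediation check above, modelled in Python. This is an added illustration, not Salesforce or OmniStudio code: the permission sets, user IDs and the OmniUICard field names used below are assumptions, and the two constructed tables stand in for the FieldPermissions and PermissionSetAssignment objects of a real org. It contrasts a response that relies on the client to hide fields with one that strips inaccessible fields on the server, and includes the check a practitioner would run after the fix to find fields a user can no longer read.

```python
"""Model of client-side versus server-side FLS enforcement for a FlexCard data path.
Constructed example; not Salesforce or OmniStudio code. IDs and field names are assumed."""

from typing import Dict, List, Set

OBJECT = "OmniUICard"

# Constructed rows shaped like Salesforce FieldPermissions records. ParentId is the
# owning permission set; Salesforce stores profile FLS as a permission set too.
FIELD_PERMISSIONS: List[Dict[str, object]] = [
    {"ParentId": "0PS_sales", "SobjectType": OBJECT, "Field": f"{OBJECT}.Name",              "PermissionsRead": True},
    {"ParentId": "0PS_sales", "SobjectType": OBJECT, "Field": f"{OBJECT}.PropertySetConfig", "PermissionsRead": False},
    {"ParentId": "0PS_admin", "SobjectType": OBJECT, "Field": f"{OBJECT}.Name",              "PermissionsRead": True},
    {"ParentId": "0PS_admin", "SobjectType": OBJECT, "Field": f"{OBJECT}.PropertySetConfig", "PermissionsRead": True},
]

# Constructed rows shaped like PermissionSetAssignment: which sets each user holds.
PERMISSION_SET_ASSIGNMENTS: List[Dict[str, str]] = [
    {"AssigneeId": "005_alice", "PermissionSetId": "0PS_sales"},
    {"AssigneeId": "005_bob",   "PermissionSetId": "0PS_sales"},
    {"AssigneeId": "005_bob",   "PermissionSetId": "0PS_admin"},
]

# A constructed OmniUICard record. PropertySetConfig is the field a Sales user may not read.
RECORD: Dict[str, str] = {
    "Id": "0kb_card1",
    "Name": "AccountSummary",
    "PropertySetConfig": '{"title":"Account summary","dataSource":"internal"}',
}


def readable_fields(user_id: str) -> Set[str]:
    """Effective FLS for a user: the union of PermissionsRead grants across every
    permission set (profile included) assigned to them, which is how Salesforce computes it."""
    ps_ids = {a["PermissionSetId"] for a in PERMISSION_SET_ASSIGNMENTS if a["AssigneeId"] == user_id}
    return {
        str(fp["Field"]).split(".", 1)[1]
        for fp in FIELD_PERMISSIONS
        if fp["ParentId"] in ps_ids and fp["SobjectType"] == OBJECT and fp["PermissionsRead"]
    }


def vulnerable_card_data(user_id: str, record: Dict[str, str]) -> Dict[str, object]:
    """Client-side enforcement: the server returns the whole record and only tells the
    client which fields to display. Anyone reading the raw response, or calling the data
    path directly, receives every field regardless of FLS."""
    return {"record": dict(record), "visibleFields": sorted(readable_fields(user_id) | {"Id"})}


def hardened_card_data(user_id: str, record: Dict[str, str]) -> Dict[str, object]:
    """Server-side enforcement: fields the user cannot read are removed before the
    response is built (the same idea as Apex Security.stripInaccessible). Id is kept."""
    allowed = readable_fields(user_id) | {"Id"}
    stripped = {k: v for k, v in record.items() if k in allowed}
    removed = sorted(set(record) - allowed)
    return {"record": stripped, "visibleFields": sorted(allowed), "removedFields": removed}


def client_render(response: Dict[str, object]) -> Dict[str, str]:
    """What the card shows on screen. It is identical for both patterns, which is why the
    weakness is invisible in the UI and only shows up in the raw response."""
    rec: Dict[str, str] = response["record"]  # type: ignore[assignment]
    return {f: rec[f] for f in response["visibleFields"] if f in rec}  # type: ignore[union-attr]


def missing_fls(user_id: str, required_fields: List[str]) -> List[str]:
    """Remediation check: once FLS is enforced server-side, any field a card needs that the
    user cannot read goes blank. Returns those fields so the profile or permission set can
    be updated."""
    return sorted(set(required_fields) - readable_fields(user_id) - {"Id"})


if __name__ == "__main__":
    for user in ("005_alice", "005_bob"):
        v, h = vulnerable_card_data(user, RECORD), hardened_card_data(user, RECORD)
        print(user, "raw (client-side FLS):", sorted(v["record"]))        # type: ignore[arg-type]
        print(user, "raw (server-side FLS):", sorted(h["record"]))        # type: ignore[arg-type]
        print(user, "rendered:", client_render(v) == client_render(h))
        print(user, "missing FLS for card:", missing_fls(user, ["Name", "PropertySetConfig"]))
```

In a real org the two constructed tables map to SOQL over FieldPermissions and PermissionSetAssignment, for example `SELECT Field, PermissionsRead FROM FieldPermissions WHERE SobjectType = 'OmniUICard' AND ParentId IN (SELECT PermissionSetId FROM PermissionSetAssignment WHERE AssigneeId = :userId)`; feeding those rows into `missing_fls` gives the list of OmniUICard fields to grant for a user whose card went blank after the update.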
