Restaurant Brands International Assistant Platform JWT Vulnerability Allowing Unauthorized AWS Upload URL Access
Vulnerability
A vulnerability exists in the Restaurant Brands International (RBI) assistant platform through September 6, 2025. The platform returns a JSON Web Token (JWT) that can be used to request a signed Amazon Web Services (AWS) upload URL for any store's path. This could be exploited to access and manipulate store-specific data and systems.
Impact
Exploitation of this vulnerability could lead to unauthorized access to AWS upload URLs, allowing for the upload of files to specified store paths. Additionally, it could enable access to sensitive store data and systems, including voice recordings of drive-thru orders, employee accounts, store analytics, and sales data.
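The missing control is a server-side check that ties the token to one store before any upload URL is signed. The sketch below is an added example, not RBI's code: the `store_id` claim, the `stores/<store_id>/` key layout, the HS256 algorithm and all sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, posixpath, time

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_jwt(claims, key):
    """Build an HS256 token; used here only to construct sample input."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(f'{head}.{body}', key))}"

def verify_jwt(token, key, now=None):
    """Return the claims if algorithm, signature and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        raise ValueError("malformed token or unexpected alg")  # algorithm is pinned
    if not hmac.compare_digest(_sign(f"{head}.{body}", key), given):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

def authorize_upload(claims, requested_key):
    """Return the normalized object key only if it lies under the caller's store."""
    store = str(claims.get("store_id", ""))  # assumed claim name
    if not store.isalnum():
        raise PermissionError("token carries no usable store_id")
    key = posixpath.normpath(requested_key)  # collapses ../ and // before the check
    if not key.startswith(f"stores/{store}/"):  # assumed key layout
        raise PermissionError("path is outside the caller's store")
    return key  # only this key may be passed on to the URL-signing step

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample values
    claims = verify_jwt(make_jwt({"store_id": "1001", "exp": time.time() + 60}, KEY), KEY)
    for path in ("stores/1001/audio/a.wav", "stores/2002/audio/a.wav", "stores/1001/../2002/a.wav"):
        try:
            print("ALLOW", authorize_upload(claims, path))
        except PermissionError as err:
            print("DENY ", path, "-", err)
```

The store identifier comes from the verified token, never from the request body, and the path is normalized before the prefix comparison so that a traversal sequence cannot step into another store's prefix.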
