Updated March 26, 2026

Security Fix: Team Invite Accept Flow Does Not Validate Invite Email

Security Fix: Team Invite Accept Flow Email Validation (v1.0.458)

Release: v1.0.458
Severity: High
Type: Security bug fix


Summary

A security vulnerability was identified and patched in the team invite acceptance flow. Prior to this fix, any authenticated user who possessed a valid invite link could accept the invite and be added to the target organisation — even if the invite was addressed to a completely different email address.


What Was the Problem?

When an organisation admin sends a team invite, the invite is tied to a specific email address (invite.email). The intent is that only the person who received that invite — i.e. the user signing in with the matching email — should be able to accept it.

However, the accept procedure in src/lib/routers/team-invite.ts performed no such check. It only validated that:

  1. The invite token exists and has not expired.
  2. The user calling the procedure is authenticated.

It did not check that session.user.email === invite.email.

The getByToken query — which powers the invite page rendered at /invite/[token] — had the same omission. As a result, a user signed in with a different account would land on a normal-looking accept screen with no indication that the invite was not meant for them.

Attack Scenario

  1. An org admin sends an invite to user-a@example.com.
  2. user-b@example.com obtains the invite link (e.g. a forwarded email, a shared link).
  3. user-b signs in to the platform and navigates to the invite URL.
  4. user-b sees a normal accept screen and clicks Accept.
  5. user-b is added to the organisation with the role specified in the invite — no error, no warning.

What Changed

src/lib/routers/team-invite.ts

Both the getByToken query and the accept procedure now assert that the current session user's email matches the email address on the invite record. If the check fails, the procedure throws an authorisation error and the request is rejected.
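
The check described above, as an added example that is not the project's own code. The types, error codes, function signatures, the patched flag and the in-memory store are assumptions made for illustration; patched = false models the behaviour before v1.0.458.

```typescript
// Added example: every name here is hypothetical, not taken from team-invite.ts.
type User = { email: string };
type Session = { user: User } | null;
type Invite = { email: string; orgId: string; role: string; expiresAt: number };
type Member = { orgId: string; email: string; role: string };
type Store = { invites: Map<string, Invite>; members: Member[] };

class InviteError extends Error {
  code: string;
  constructor(code: string, message: string) { super(message); this.code = code; }
}

// Constructed sample data: one pending invite addressed to user-a@example.com.
function sampleStore(): Store {
  const invite: Invite = { email: "user-a@example.com", orgId: "org-1", role: "member", expiresAt: Date.now() + 86400000 };
  return { invites: new Map<string, Invite>([["tok-123", invite]]), members: [] };
}

// Shared by the page query and the accept procedure so the two cannot drift apart.
function loadInvite(store: Store, session: Session, token: string, patched: boolean): { user: User; invite: Invite } {
  // The two checks that existed before the fix: signed-in caller, live token.
  if (!session) throw new InviteError("UNAUTHORIZED", "Sign in to view this invite");
  const invite = store.invites.get(token);
  if (!invite || invite.expiresAt <= Date.now()) throw new InviteError("NOT_FOUND", "Invite not found or expired");
  // The check the fix adds: the caller must be the addressee of the invite.
  if (patched && session.user.email !== invite.email) {
    throw new InviteError("FORBIDDEN", "This invite was sent to a different email address");
  }
  return { user: session.user, invite };
}

// Backs the invite page: once patched, a mismatched account never gets an accept screen.
function getByToken(store: Store, session: Session, token: string, patched: boolean): Invite {
  return loadInvite(store, session, token, patched).invite;
}

// Adds the caller to the organisation; the recipient check runs before any write.
function accept(store: Store, session: Session, token: string, patched: boolean): Member {
  const { user, invite } = loadInvite(store, session, token, patched);
  const member: Member = { orgId: invite.orgId, email: user.email, role: invite.role };
  store.members.push(member);
  return member;
}
```

Routing both entry points through one loader keeps the page query and the mutation under the same authorisation rule, which is the omission the advisory describes in both places.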

src/app/invite/[token]/invite-accept-client.tsx

The invite acceptance client page now correctly handles the case where the signed-in user's email does not match the invite, displaying an appropriate error message rather than a misleading accept screen.


Affected Route

Route | Impact
/invite/[token] | Invite display and acceptance — both now enforce email matching

Recommended Actions

For Self-Hosted Deployments

  • Upgrade to v1.0.458 immediately.
  • After upgrading, audit your organisation member lists for any unexpected members.
  • Remove any members who may have joined via a misused invite link and re-invite the correct users if necessary.

For All Users

  • Treat invite links as sensitive credentials. Avoid forwarding invite emails or sharing invite URLs.
  • If you suspect an invite link has been compromised, ask your organisation admin to revoke it and issue a new one.

Timeline

Event | Detail
Vulnerability identified | Internal review
Fix implemented | src/lib/routers/team-invite.ts, src/app/invite/[token]/invite-accept-client.tsx
Patched release | v1.0.458

Questions or Concerns?

If you believe your organisation may have been affected by this vulnerability, please contact support immediately with your organisation ID and a list of current members so we can assist with the investigation.