Web & Cloud Platform | Zion Boggan

Web & Cloud Platform

2 writeups

Web & Cloud Platform

Missing Channel-Level Authorization in Shared Channel Invite/Uninvite API Allows Private Channel Data Exfiltration

April 18, 2026Authz bypass

Mattermost shared-channel invite endpoint enforces system-level perms but not channel-level. Same bug class as CVE-2025-11777.

Read the writeup →

Web & Cloud Platform

How I Found Two SSRF Vulnerabilities in a Major Cloud Platform's Image Pipeline

April 9, 2026SSRF

Two SSRFs in the same platform via different code paths (webhook callbacks + image processor). The systemic pattern matters more than either finding.

Read the writeup →