Zapier Vulnerabilities Could Have Enabled Widespread Account Takeover
Severity: High (Score: 70.5)
Sources: Cyberscoop, Darkreading
Keywords: researchers, cloud, zapier, chain, popular, automation, service
Severity indicators: rat
Summary
Security researchers from Token Security discovered a chain of five vulnerabilities in Zapier, a widely used automation service, that could have allowed attackers to take over millions of user accounts. The flaws, which required only a free Zapier account to exploit, involved weaknesses in user-defined code and credential management. If exploited, attackers could have manipulated user automations, accessed sensitive data, and sent emails from legitimate accounts. The vulnerabilities were reported in February 2026, and Zapier has since patched the issues. The incident highlights the risks associated with complex cloud integrations and the need for better security practices in SaaS environments. Token Security confirmed they had the capability to exploit these vulnerabilities but chose to report them responsibly. The potential impact of a successful attack could have extended to a wide range of third-party services integrated with Zapier.
Key Points:
- Token Security identified five vulnerabilities in Zapier that could lead to account takeovers.
- The flaws required only a free account and could have affected millions of users.
- Zapier has patched the vulnerabilities following responsible disclosure by the researchers.
Detailed Analysis
**Impact**
Millions of Zapier users across various sectors relying on workflow automation were at risk of account takeover and unauthorized actions within connected services. The vulnerability could have allowed attackers to act as legitimate users, manipulating automations, sending emails, and accessing data flows without detection. The exposure included over 1,100 private software images and credentials, potentially affecting users globally given Zapier’s extensive integration with more than 8,000 third-party applications. No evidence of exploitation prior to patching was reported.
**Technical Details**
The attack chain exploited five weaknesses, starting from user-written code execution in Zapier’s sandboxed environment and leading to the discovery of over-permissioned roles and credentials stored in AWS Lambda containers. Researchers extracted secrets from memory, accessed private repositories containing an NPM publishing token, and could have injected malicious code into packages running in all logged-in users’ browsers. The kill chain stages included sandbox escape, credential discovery, lateral movement, and potential code injection. No specific CVEs or malware names were provided.
**Recommended Response**
Apply the patches released by Zapier addressing the sandbox permissions, credential handling, and repository access controls immediately. Monitor for unusual automation creation or modification activity within Zapier accounts and audit third-party integrations for suspicious behavior. Harden configurations to restrict code execution privileges and enforce secure secret management in serverless environments. Maintain vigilance for similar multi-stage exploit chains in other low-code or SaaS automation platforms.
Source articles (2)
- Zapier fixes bug chain that researchers say risked widespread account takeover — Cyberscoop · 2026-05-28
  Security researchers chained together five separate weaknesses in the popular workflow automation service Zapier that, if first discovered by a malicious actor, could have granted access to millions o…
- With Complex Cloud Integrations, Small Errors Lead to Major Compromises — Darkreading · 2026-05-29
  Researchers discover an exploit chain combining over-permissioned roles, secrets discovery, and non-human identities that could have compromised a popular automation service. Low-code cloud services t…
Timeline
- 2026-02-01 — Vulnerabilities reported to Zapier: Token Security disclosed five vulnerabilities that could lead to account takeovers, allowing manipulation of user automations.
- 2026-05-28 — Research findings published: Token Security published an analysis detailing the exploit chain that nearly compromised Zapier's platform.
- 2026-05-29 — Zapier patches vulnerabilities: Following the disclosure, Zapier implemented patches to address the identified vulnerabilities and secure its platform.
Related entities
- Unc6395 (Apt Group)
- Data Breach (Attack Type)
- Supply Chain Attack (Attack Type)
- Zapier (Company)
- Salesforce (Company)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-269 - Improper Privilege Management (Cwe)
- news.com (Domain)
- Blaster worm (Malware)
- T1021 - Remote Services (Mitre Attack)
- T1059.006 - Python (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- AWS Lambda (Platform)
- Gmail (Tool)
- Google Drive (Tool)