<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Cipher Research</title><description>Attack chain anatomy, methodology deep dives, and security research from the team building Cipher.</description><link>https://causalsecurity.com/</link><language>en-us</language><item><title>Filtered on every path but one: a row-permission bypass in Hasura&apos;s computed fields</title><link>https://causalsecurity.com/research/hasura-computed-field-authz-bypass/</link><guid isPermaLink="true">https://causalsecurity.com/research/hasura-computed-field-authz-bypass/</guid><description>A Hasura computed field returning SETOF a table inherits that table&apos;s row permissions on selection, relationships, and aggregations. On one path, a where-clause over the field, the filter is dropped, turning it into a boolean oracle for hidden rows.</description><pubDate>Mon, 29 Jun 2026 00:00:00 GMT</pubDate><category>disclosure</category><category>open-source</category><category>business-logic</category></item><item><title>Privileged and unqualified: a tenant-to-pod RCE in StackGres&apos;s metrics exporter</title><link>https://causalsecurity.com/research/stackgres-metrics-exporter-rce/</link><guid isPermaLink="true">https://causalsecurity.com/research/stackgres-metrics-exporter-rce/</guid><description>StackGres&apos;s bundled metrics exporter opens superuser sessions into every tenant database and runs unqualified catalog SQL with no search_path pinning, so a tenant database owner can shadow a function and reach OS command execution in the primary Postgres pod.</description><pubDate>Fri, 26 Jun 2026 00:00:00 GMT</pubDate><category>disclosure</category><category>open-source</category><category>business-logic</category></item><item><title>Checked on state, skipped on diff: a presence authorization gap in Supabase Realtime</title><link>https://causalsecurity.com/research/supabase-realtime-presence-leak/</link><guid isPermaLink="true">https://causalsecurity.com/research/supabase-realtime-presence-leak/</guid><description>Supabase Realtime enforces a presence.read policy on the initial presence snapshot but not on the ongoing presence_diff fan-out, so a member allowed to broadcast but denied presence can still read every other member&apos;s presence metadata on a private channel.</description><pubDate>Thu, 25 Jun 2026 00:00:00 GMT</pubDate><category>disclosure</category><category>open-source</category><category>business-logic</category></item><item><title>Bounded against the wrong buffer: a heap over-read in 7-Zip&apos;s ext handler</title><link>https://causalsecurity.com/research/sevenzip-ext-oob-read/</link><guid isPermaLink="true">https://causalsecurity.com/research/sevenzip-ext-oob-read/</guid><description>7-Zip parses ext2/3/4 disk images by content. One attacker-controlled superblock field drives the inode-bitmap scan past a fixed-size buffer: a heap out-of-bounds read that crashes the process the moment an untrusted image is listed or extracted.</description><pubDate>Thu, 25 Jun 2026 00:00:00 GMT</pubDate><category>disclosure</category><category>open-source</category><category>memory-safety</category></item><item><title>Guarded on read, unguarded on write: an attacker-controlled heap overflow in GraphicsMagick&apos;s PCD decoder</title><link>https://causalsecurity.com/research/graphicsmagick-pcd-write-overflow/</link><guid isPermaLink="true">https://causalsecurity.com/research/graphicsmagick-pcd-write-overflow/</guid><description>GraphicsMagick ported ImageMagick&apos;s out-of-bounds read fix for the PCD decoder but not the write-side bound that shipped alongside it, leaving an attacker-controlled heap overflow in DecodeImage: the un-ported other half of the same hardening.</description><pubDate>Wed, 24 Jun 2026 00:00:00 GMT</pubDate><category>disclosure</category><category>open-source</category><category>memory-safety</category></item><item><title>Minting wallet money from the open internet</title><link>https://causalsecurity.com/research/wallet-mint-open-internet/</link><guid isPermaLink="true">https://causalsecurity.com/research/wallet-mint-open-internet/</guid><description>A consumer fintech asked Cipher to extend a review into its infrastructure. Modeling the wallet&apos;s request flow end to end surfaced an internal money-crediting endpoint reachable, unauthenticated, from the open internet (proven with a reverted credit).</description><pubDate>Mon, 22 Jun 2026 00:00:00 GMT</pubDate><category>case-study</category><category>business-logic</category><category>payment-flows</category></item><item><title>Bound on revoke, unbound on redemption: an OAuth client-binding flaw in ZITADEL</title><link>https://causalsecurity.com/research/zitadel-oauth-client-binding/</link><guid isPermaLink="true">https://causalsecurity.com/research/zitadel-oauth-client-binding/</guid><description>ZITADEL&apos;s OAuth token endpoint authenticated the calling client but never checked that the grant it was redeeming had been issued to that client. The same binding check already existed on the revoke path. One missing invariant, spanning three grant types and token exchange.</description><pubDate>Wed, 17 Jun 2026 00:00:00 GMT</pubDate><category>disclosure</category><category>open-source</category><category>business-logic</category></item><item><title>Vim security research: memory-safety and command-injection findings</title><link>https://causalsecurity.com/research/vim-security-research/</link><guid isPermaLink="true">https://causalsecurity.com/research/vim-security-research/</guid><description>Cipher&apos;s ongoing security research into Vim: memory-safety bugs in spell-file, soundfolding, text-property, and libsodium-decryption handling, plus command-injection and code-execution flaws in netrw and C omni-completion, all reported upstream and fixed.</description><pubDate>Tue, 16 Jun 2026 00:00:00 GMT</pubDate><category>disclosure</category><category>open-source</category><category>memory-safety</category></item><item><title>A pre-auth crash in the 5G core: out-of-bounds read in Open5GS</title><link>https://causalsecurity.com/research/open5gs-amf-nas-oob-read/</link><guid isPermaLink="true">https://causalsecurity.com/research/open5gs-amf-nas-oob-read/</guid><description>Cipher reported a pre-authentication out-of-bounds read in Open5GS, the open-source 5G core. One malformed NAS message reaches the AMF before authentication and crashes it, taking service down for every connected subscriber.</description><pubDate>Fri, 05 Jun 2026 00:00:00 GMT</pubDate><category>disclosure</category><category>memory-safety</category><category>open-source</category></item><item><title>One auth flaw to full payout control: chaining five bugs in a payments platform</title><link>https://causalsecurity.com/research/payments-platform-takeover-chain/</link><guid isPermaLink="true">https://causalsecurity.com/research/payments-platform-takeover-chain/</guid><description>A field report from a cross-border payments engagement. Five findings, each a routine medium on its own, chain from an anonymous Internet request to direct money movement. The work was reading them together.</description><pubDate>Fri, 08 May 2026 00:00:00 GMT</pubDate><category>case-study</category><category>payment-flows</category><category>business-logic</category></item></channel></rss>