
Zapier Patched a Five-Flaw Chain That Could Have Compromised Millions of Accounts

Token Security found vulnerabilities in Zapier that could allow account takeover. Zapier quickly patched, with no breaches detected.
Content Team

Security firm Token Security discovered five chained vulnerabilities in Zapier that, together, could have let an attacker take over millions of user accounts — starting with nothing more than a free account.

The attack path ran from a code-writing feature, through discarded credentials, into an internal storage system holding over 1,100 private software images. One of those images contained a publishing key for code that runs inside every logged-in user's browser, meaning an attacker could have silently hijacked automations across Zapier's 8,000+ integrations.

Researchers reported the flaws in February. Zapier triaged within four days, patched within three weeks, and paid the $3,000 maximum bounty. No exploitation was detected.

Source: CyberScoop
