We have patched a security issue affecting API tokens created between February 1 and February 17, 2026. This post describes what happened, what we did, and what action you need to take.
What happened
A read-scoped API token — one issued with the specs:read scope only — could, under specific query conditions, enumerate the names of projects in workspaces the token did not belong to. No spec content, comments, or file data was exposed. Only project names were accessible.
The vulnerability was introduced in a refactor of our permission middleware in v2.3.0 and discovered by an internal audit on February 17.
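The flaw described above is an authorization check that considered the token's scope but not the workspace boundary. The Python below is an added illustration, not Inkframe's middleware: it contrasts a scope-only check with one that also restricts the query to the token's own workspace; the token and project structures, the sample data and the function names are assumptions made for this example.

```python
# Added illustration (not Inkframe's code): scope-only authorization versus
# scope plus workspace boundary when listing project names for an API token.
# Token/Project layout, sample data and function names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    scopes: frozenset      # e.g. {"specs:read"}
    workspace_id: str      # the single workspace this token was issued for


@dataclass(frozen=True)
class Project:
    id: str
    name: str
    workspace_id: str


# Constructed sample data: two workspaces, three projects.
PROJECTS = [
    Project("p1", "Launch plan", "ws-a"),
    Project("p2", "Pricing v2", "ws-a"),
    Project("p3", "Q3 roadmap", "ws-b"),
]


def list_project_names_scope_only(token: Token, projects=PROJECTS) -> list[str]:
    """Flawed pattern: authorizes on scope alone and never checks the
    workspace, so any specs:read token sees names from every workspace."""
    if "specs:read" not in token.scopes:
        raise PermissionError("missing specs:read scope")
    return [p.name for p in projects]


def list_project_names(token: Token, projects=PROJECTS) -> list[str]:
    """Hardened pattern: scope check AND workspace boundary, with the
    workspace filter applied inside the data-access path so that no
    caller-supplied query condition can widen it."""
    if "specs:read" not in token.scopes:
        raise PermissionError("missing specs:read scope")
    return [p.name for p in projects if p.workspace_id == token.workspace_id]


if __name__ == "__main__":
    t = Token(frozenset({"specs:read"}), "ws-a")
    print(list_project_names_scope_only(t))  # includes "Q3 roadmap" from ws-b
    print(list_project_names(t))             # only ws-a project names
```

A regression test that asserts a token for one workspace never sees another workspace's project names is the cheapest way to keep a future middleware refactor from reintroducing this class of bug.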
What we did
- Patched the permission middleware at 14:07 UTC on February 17.
- Invalidated all API tokens created between February 1 and February 17, 2026.
- Rotated the session signing key for the affected date range.
- Reviewed audit logs for the period — no evidence of exploitation.
Action required
If you created an API token between February 1 and February 17, your token has been invalidated. You must generate a new token in Settings → API → Tokens → New token.
Tokens created before February 1 or after February 17 are not affected.
We take permission boundaries seriously. If you have questions or concerns, contact us at security@inkframe.app.