While testing the FinManageHub platform, I discovered a critical Broken Access Control vulnerability. An accountant role, which is restricted in the UI from managing pension schemes, was still able to remove all private pension schemes directly through an API call.
This bypassed role-based access control and could lead to severe compliance failures, financial misconfigurations, and legal liabilities. For this discovery, I was awarded a $300 bounty plus a $200 bonus.
Understanding the Target
FinManageHub is a payroll and HR management SaaS platform that handles sensitive employee data such as salary, benefits, and pensions.
- Different roles (Admin, HR, Accountant, Employee) are assigned varying access levels.
- Accountants are usually restricted from directly modifying benefits like pensions.
- Pension Scheme settings are critical, as removing them could disrupt contributions, violate labor laws, and cause compliance issues.
While reviewing the platform’s flows, I noticed that pension management options were greyed out or inaccessible for accountants in the UI. This sparked my curiosity — what if the API endpoints behind these features weren’t enforcing the same restrictions?
The Flaw: API Authorization Bypass
The platform’s API layer did not enforce backend authorization checks consistently.
Even though the UI blocked accountants from removing pensions, sending a crafted POST request to the pension configuration endpoint worked successfully.
This revealed a classic Insecure Direct API Call (IDAC):
POST /payroll-v2/v1/public/jetlang/commands/save-company-action/915
Host: api.finmanagehub.com
Authorization: Bearer <accountant-token>
Content-Type: application/json
{
“companyId”: “ — — your-companyid — — — — “,
“absoluteMonth”: 104,
“updates”: {
“variables”: {
“06.735”: { “104”: 0 }
}
},
“updateInPastEnabled”: false
}Result: All private pension schemes were removed, despite the user lacking UI-level permissions.
Impact
- Unauthorized Data Modification: Accountants could modify high-risk pension data.
- Compliance Risks: Removal of pension schemes could violate statutory obligations.
- Business Integrity: Employees may lose pension benefits unexpectedly.
- Audit Failures: Since changes bypass the UI, they may escape audit logs.
This could have severe legal, financial, and trust implications for any organization using the platform.
Timeline
- April 19, 2025 - Report submitted.
- May 7, 2025 - Triaged, severity adjusted (7.1 → 6.9).
- May 7, 2025 - Rewarded $300 + $200 bonus.
Key Takeaways
- Always test API endpoints directly. The UI may block actions, but the backend might still accept them.
- Role-based authorization must be enforced server-side. Relying only on front-end restrictions is dangerous.
- Compliance-related features require extra care. Financial and pension data must be protected with strict RBAC and audit logging.
- Revisit assumptions. Just because a role “shouldn’t” have access in the UI doesn’t mean the API agrees.
Follow me on Twitter: @a13h1_
