VYPR
vulnerabilityPublished Jul 7, 2026· 1 source

Writer AI Platform Patched for Critical Cross-Tenant Vulnerability 'WriteOut'

A critical session isolation flaw, dubbed WriteOut, in the enterprise AI platform Writer has been patched, preventing attackers from hijacking user accounts and accessing sensitive data across different tenants.

Cybersecurity researchers have disclosed details of a now-patched critical session isolation vulnerability in Writer, an enterprise generative artificial intelligence (AI) platform, that could result in cross-tenant compromise. The one-click vulnerability has been codenamed WriteOut by the Sand Security Research team.

"An outsider could go from having no access to taking over any Writer AI organization inside industry-leading enterprises, with nothing more than a link," the cybersecurity company stated in a report. This means the flaw could be abused to take over a victim's Writer account and access private chats, documents, and other sensitive data related to agents, configurations, private models, connectors, and large language model (LLM) credentials. In some cases, it could even be used to seize administrative control, depending on the victim's role. A significant aspect of the vulnerability is that the attacker and the victim do not need to belong to the same organization.

The attack chain is initiated when an attacker creates an agent in their own Writer account and shares a preview link. When a logged-in Writer user clicks this link, their browser attaches their Writer session cookie to the request. The preview proxy then sends this cookie into the attacker's managed sandbox. Code within the attacker-controlled sandbox can read the forwarded session token and exfiltrate it to a server maintained by the attacker, who can then replay the token to gain control of the victim's Writer account.

This vulnerability undermines the shared responsibility model by breaking tenant isolation protections. It exploits Writer's live preview feature, which allows users to preview applications via the Writer Framework. The attacker's pre-built malicious agent can run code inside the controlled sandbox, enabling it to read the sandbox process's memory, recover the victim's exfiltrated session token, and transmit it to their own server.

Sand Security noted that Writer had implemented input-side filtering to block users from reading environment variables or submitting obviously malicious code. However, the vulnerability was bypassed by instructing the agent to fetch and run a remote script instead of embedding the exploit logic directly in the prompt. This allowed the guardrail to interpret the request as a benign "download and run" operation, while the actual exploit logic remained hidden.

Following responsible disclosure, Writer has addressed the issue. The platform now prevents the user's session cookie from being forwarded into sandbox previews entirely and has moved them to an isolated origin. This patch effectively closes the loophole that allowed session tokens to be intercepted and replayed by malicious actors.

The discovery of WriteOut highlights the ongoing security challenges in enterprise AI platforms, particularly concerning session isolation and cross-tenant access. As organizations increasingly rely on AI for sensitive tasks, ensuring robust security measures to prevent such vulnerabilities is paramount.

This incident underscores the need for continuous security research and proactive patching in the rapidly evolving AI landscape. The ability for a single click to potentially compromise an entire enterprise's AI data underscores the critical importance of secure design and rigorous testing of AI platforms.

Synthesized by Vypr AI