A code change temporarily weakened team-level permissions within some workspaces from 12:07 to 1:10 UTC (about one hour) due to a bug that caused a permission filter to be skipped.

Linear

Linear published a post-mortem for a security incident on March 24, 2026, where a deployed code change introduced a variable shadowing bug in the access control layer. For approximately one hour (12:07–1:10 UTC), workspace members including guests could access data from private teams they weren't authorized to see. Exposure vectors included notification digest emails, client data sync (~7,000 bootstraps), mobile app sessions, and API/third-party integrations. No data was exposed outside workspaces and no credentials were leaked. Linear reverted the change within an hour, force-cleared all client caches, logged out mobile sessions, and notified affected workspace admins within 48 hours. Remediation steps include expanded integration test coverage for permission boundaries, tighter pre-deployment security review for auth-related code, and improved monitoring for authorization anomalies.

Post mortem on Linear security incident on March 24th, 2026