Linear published a post-mortem for a security incident on March 24, 2026, where a deployed code change introduced a variable shadowing bug in the access control layer. For approximately one hour (12:07–1:10 UTC), workspace members including guests could access data from private teams they weren't authorized to see. Exposure vectors included notification digest emails, client data sync (~7,000 bootstraps), mobile app sessions, and API/third-party integrations. No data was exposed outside workspaces and no credentials were leaked. Linear reverted the change within an hour, force-cleared all client caches, logged out mobile sessions, and notified affected workspace admins within 48 hours. Remediation steps include expanded integration test coverage for permission boundaries, tighter pre-deployment security review for auth-related code, and improved monitoring for authorization anomalies.