Attackers are exploiting misconfigured Salesforce Experience Cloud guest user permissions via a modified version of AuraInspector to query and extract data through Salesforce's GraphQL interface at scale. This is not a new platform vulnerability but a more sophisticated exploitation of long-known overly permissive guest user configurations. Harvested data (names, contact details) is used to fuel vishing campaigns that can escalate into full SaaS compromise. Key remediation steps include auditing guest user profiles, setting org-wide sharing defaults to Private for external users, disabling public API access for guest users, and disabling self-registration where not needed. AppOmni has deployed new threat detection rules targeting this GraphQL attack variant and is notifying affected customers.
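The remediation steps above are configuration checks, so here is one way to audit them from outside the admin UI. This is an added example, not code from the article or from AppOmni, and it assumes a session access token with API access: it issues SOQL over the Salesforce REST and Tooling APIs for guest-user profiles, their object permissions and API Enabled flag, each object's external sharing model, and each Experience site's self-registration setting, then flags what the summary says to fix. The object and field names (Profile.UserLicense, ObjectPermissions, PermissionSet.PermissionsApiEnabled, EntityDefinition.ExternalSharingModel) are the Salesforce API names as I know them; Network.OptionsSelfRegistrationEnabled and the PII watchlist are assumptions, and the sample records are constructed, so verify the queries against your org's API version before trusting a clean result.

```python
"""Offline audit of Salesforce guest-user exposure (added example, not the article's code)."""
import json
import urllib.parse
import urllib.request

API_VERSION = "v60.0"  # assumed; use a version your org supports

# Objects whose guest-readable rows feed vishing directly (assumed watchlist, extend as needed).
PII_OBJECTS = {"Contact", "Lead", "Account", "User", "Case"}

# Query set: "tooling" rows go to /tooling/query, the rest to /query.
QUERIES = {
    "guest_profiles": ("query",
        "SELECT Id, Name FROM Profile WHERE UserLicense.Name = 'Guest User License'"),
    # A profile's object CRUD lives on ObjectPermissions rows whose parent is the
    # profile-owned PermissionSet.
    "object_perms": ("query",
        "SELECT Parent.ProfileId, SobjectType, PermissionsRead, PermissionsEdit, "
        "PermissionsViewAllRecords FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = true"),
    "api_enabled": ("query",
        "SELECT ProfileId, PermissionsApiEnabled FROM PermissionSet WHERE IsOwnedByProfile = true"),
    "sharing": ("tooling",
        "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition WHERE IsCustomizable = true"),
    # OptionsSelfRegistrationEnabled is an assumed field name on Network; check your API reference.
    "networks": ("query", "SELECT Name, OptionsSelfRegistrationEnabled FROM Network"),
}


def fetch(instance_url, access_token):
    """Run every query against a live org and return {key: records}. Not exercised offline."""
    results = {}
    for key, (api, soql) in QUERIES.items():
        path = "/services/data/%s/%squery?q=%s" % (
            API_VERSION, "tooling/" if api == "tooling" else "", urllib.parse.quote(soql))
        req = urllib.request.Request(instance_url + path,
                                     headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req) as resp:
            results[key] = json.load(resp)["records"]
    return results


def audit(results):
    """Return (check, subject, detail) findings from the query result records."""
    findings = []
    guest = {r["Id"]: r["Name"] for r in results["guest_profiles"]}

    # 1. Guest profile CRUD: any edit/view-all, or read on a PII object, is a finding.
    for r in results["object_perms"]:
        pid = r["Parent"]["ProfileId"]
        if pid not in guest:
            continue
        obj = r["SobjectType"]
        if r["PermissionsEdit"] or r["PermissionsViewAllRecords"]:
            findings.append(("object_perms", guest[pid], "%s: edit/view-all granted to guest" % obj))
        elif r["PermissionsRead"] and obj in PII_OBJECTS:
            findings.append(("object_perms", guest[pid], "%s: read granted to guest" % obj))

    # 2. API Enabled on a guest profile is what lets the GraphQL/REST scraping run at all.
    for r in results["api_enabled"]:
        if r["ProfileId"] in guest and r["PermissionsApiEnabled"]:
            findings.append(("api_enabled", guest[r["ProfileId"]], "API Enabled on guest profile"))

    # 3. External org-wide default should be Private.
    for r in results["sharing"]:
        if r["ExternalSharingModel"] != "Private":
            findings.append(("sharing", r["QualifiedApiName"],
                             "external OWD is %s, not Private" % r["ExternalSharingModel"]))

    # 4. Self-registration creates more external users with the same exposure.
    for r in results["networks"]:
        if r["OptionsSelfRegistrationEnabled"]:
            findings.append(("self_registration", r["Name"], "self-registration enabled"))
    return findings


# Constructed sample records (not real org data) in the shape the query endpoint
# returns, minus the "attributes" entries.
SAMPLE = {
    "guest_profiles": [{"Id": "00e000000000001AAA", "Name": "Customer Site Profile"}],
    "object_perms": [
        {"Parent": {"ProfileId": "00e000000000001AAA"}, "SobjectType": "Contact",
         "PermissionsRead": True, "PermissionsEdit": False, "PermissionsViewAllRecords": False},
        {"Parent": {"ProfileId": "00e000000000001AAA"}, "SobjectType": "Knowledge__kav",
         "PermissionsRead": True, "PermissionsEdit": False, "PermissionsViewAllRecords": False},
        {"Parent": {"ProfileId": "00e000000000002AAA"}, "SobjectType": "Contact",
         "PermissionsRead": True, "PermissionsEdit": True, "PermissionsViewAllRecords": True},
    ],
    "api_enabled": [
        {"ProfileId": "00e000000000001AAA", "PermissionsApiEnabled": True},
        {"ProfileId": "00e000000000002AAA", "PermissionsApiEnabled": True},
    ],
    "sharing": [
        {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
        {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
    ],
    "networks": [{"Name": "Customer Site", "OptionsSelfRegistrationEnabled": True}],
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%-18s %-22s %s" % f)
```

Run it against a live org by replacing `SAMPLE` with `fetch("https://<instance>.my.salesforce.com", token)`. Profile 00e…002 in the sample is deliberately not a guest profile, so its Contact edit rights produce no finding: the audit is scoped to guest profiles only, and internal over-permissioning is a separate review.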

5 min read. From securityboulevard.com
Table of contents
What happened?
Is my company at risk?
What can attackers do with harvested data?
What AppOmni is doing about the Salesforce GraphQL exploit
What Salesforce customers need to do
