Security finding

I have…

  • Checked the logs and have uploaded a log file and provided a link because I found something suspicious there. Please do not post the log file in the topic because very often something important is missing.

I’m submitting a…

  • Regression (a behavior that stopped working in a new release)
  • [ X] Bug report
  • Performance issue
  • Documentation issue or request

Current behavior

Expected behavior

Minimal reproduction of the problem


  1. Navigate to Squidex Headless CMS
  2. Log in with any microsoft or google account
  3. You land on the partially populated cms-sport page, from which you can reach other information

NOTE: the vulnerability seems to affect only the paid production cms (cms-sport) and not the free staging ones (cms-sportvali, cms-sporttest etc.).


  • Self hosted with docker
  • Self hosted with IIS
  • Self hosted with other version
  • [ x] Cloud version

Version: [VERSION]


  • [ x] Chrome (desktop)
  • Chrome (Android)
  • [ x] Chrome (iOS)
  • [ x] Firefox
  • [ x] Safari (desktop)
  • Safari (iOS)
  • [x ] IE
  • [x ] Edge



I cannot reproduce the redirect. But you app has a anonymous client and therefore some access is just publicly available.