CVE-2022-28802: n/a in n/a
Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.)
AI Analysis
Technical Summary
CVE-2022-28802 is a high-severity vulnerability in Code by Zapier, the hosted feature that lets a Zap run a customer-supplied Python or JavaScript step, as the service existed before 2022-08-17. The platform is meant to enforce role-based access control (RBAC) among the members of a company account, but the execution environment behind Code steps was in effect a single general-purpose virtual machine shared by every member of that account. Any member who could run a Code step therefore ran it in the same environment as every other member's steps and could reach credentials, secrets and intermediate data that more privileged members' Zaps had placed there. The flaw is intra-account: an attacker needs a login to the victim company's Zapier account, but no particular role within it.
The weakness is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The CVSS 3.1 base score is 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: exploitable over the network with low attack complexity, requiring low privileges (an ordinary account member) and no user interaction, with high impact on confidentiality, integrity and availability, since code that obtains another member's credentials can read, alter or disrupt whatever those credentials reach. No exploitation in the wild has been reported.
Before the fix, the only customer-side workaround was isolation by account: a Zap that handled secrets not meant for every employee had to live in a separate Zapier account, because that was the only way to obtain a separate execution environment. Code by Zapier is a hosted service, so the fix was deployed by Zapier on the service side as of 2022-08-17; the CVE record does not describe it, but enforcing the intended RBAC and isolating code execution per user or per Zap is the evident remedy.
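The failure mode described above, as an added illustration that is not Zapier's code: a simulated code-step runner in two forms. `SharedAccountRunner` models the pre-fix situation, where every member of an account runs code in one environment holding the credentials of every Zap in the account; `ScopedRunner` models the intended behaviour, where the runner authorizes the member against the target Zap (its owner, or an assumed privileged role taken from the account record rather than from the caller) and hands the step a copy of that Zap's environment only. Member names, role names, Zap ids and tokens are constructed for the example.

```python
"""Simulation of the CWE-732 pattern in CVE-2022-28802 (not Zapier's code)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict

# A code step receives (input_data, env) and returns an output dict,
# mirroring the input/output contract of a hosted code step.
Step = Callable[[Dict[str, Any], Dict[str, Any]], Dict[str, Any]]


@dataclass(frozen=True)
class Member:
    name: str
    role: str  # assumed role names: "owner", "admin", "member"


@dataclass
class Zap:
    zap_id: str
    owner: str  # member name
    env: Dict[str, Any] = field(default_factory=dict)  # credentials this Zap uses


class Account:
    def __init__(self) -> None:
        self.members: Dict[str, Member] = {}
        self.zaps: Dict[str, Zap] = {}


class SharedAccountRunner:
    """Vulnerable model: one execution environment for the whole account.
    zap_id is accepted but never checked, and the step receives the union of
    every Zap's environment, so any member's code can read credentials that
    another member's Zap configured."""

    def __init__(self, account: Account) -> None:
        self.account = account

    def run(self, who: Member, zap_id: str, step: Step,
            input_data: Dict[str, Any]) -> Dict[str, Any]:
        merged: Dict[str, Any] = {}
        for zap in self.account.zaps.values():
            merged.update(zap.env)
        return step(input_data, merged)


class ScopedRunner:
    """Hardened model: authorize against the target Zap, then confine the step
    to a copy of that Zap's environment so it can neither read nor alter
    anything another Zap holds."""

    PRIVILEGED = {"owner", "admin"}

    def __init__(self, account: Account) -> None:
        self.account = account

    def authorize(self, who: Member, zap: Zap) -> bool:
        known = self.account.members.get(who.name)
        if known is None or known.role != who.role:
            return False  # the role must come from the account record, not the caller
        return who.name == zap.owner or who.role in self.PRIVILEGED

    def run(self, who: Member, zap_id: str, step: Step,
            input_data: Dict[str, Any]) -> Dict[str, Any]:
        zap = self.account.zaps.get(zap_id)
        if zap is None:
            raise KeyError(zap_id)
        if not self.authorize(who, zap):
            raise PermissionError(f"{who.name} ({who.role}) may not run code in {zap_id}")
        return step(input_data, dict(zap.env))


def build_demo_account() -> Account:
    """Constructed sample data: two members, two Zaps, made-up tokens."""
    acct = Account()
    acct.members["alice"] = Member("alice", "admin")
    acct.members["mallory"] = Member("mallory", "member")
    acct.zaps["zap-finance"] = Zap("zap-finance", "alice", {"BANK_API_TOKEN": "tok-finance-0001"})
    acct.zaps["zap-newsletter"] = Zap("zap-newsletter", "mallory", {"MAILER_KEY": "key-news-0002"})
    return acct


def dump_env_step(input_data: Dict[str, Any], env: Dict[str, Any]) -> Dict[str, Any]:
    """A hostile step: return every value the runner let it see."""
    return {"seen": dict(env)}


def demo() -> Dict[str, Any]:
    """Run the hostile step as the low-privileged member under both runners."""
    acct = build_demo_account()
    mallory = acct.members["mallory"]
    shared = SharedAccountRunner(acct).run(mallory, "zap-newsletter", dump_env_step, {})
    scoped = ScopedRunner(acct)
    try:
        scoped.run(mallory, "zap-finance", dump_env_step, {})
        cross = "allowed"
    except PermissionError:
        cross = "denied"
    own = scoped.run(mallory, "zap-newsletter", dump_env_step, {})
    return {"shared_view": shared["seen"], "scoped_cross_zap": cross,
            "scoped_own_view": own["seen"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under the shared runner the member-level user's step sees the finance token it was never granted; under the scoped runner the same step is refused for the finance Zap and sees only its own Zap's key. The role comparison against the account record is deliberate: a runner that trusts a role supplied with the request has only moved the same flaw one layer up.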
Potential Impact
For European organizations using Code by Zapier, this vulnerability poses a substantial risk to the confidentiality and integrity of sensitive business data and credentials. Exploitation could lead to unauthorized access to critical secrets such as API keys, authentication tokens, or internal configuration data, potentially enabling further lateral movement or data exfiltration within the organization. The availability of automation workflows could also be disrupted by malicious code execution. Given the collaborative nature of many European enterprises and the increasing reliance on automation platforms like Zapier, the risk of insider threats or compromised user accounts being leveraged to escalate privileges is significant. This could result in regulatory compliance violations under GDPR due to unauthorized data access, leading to reputational damage and financial penalties. Additionally, organizations in sectors with high automation adoption such as finance, manufacturing, and technology could face operational disruptions impacting business continuity.
Mitigation Recommendations
Code by Zapier is a hosted service, so there is no customer-side version to upgrade: the fix took effect on Zapier's side as of 2022-08-17, and the practical work for customers is to assess what was exposed before that date and to reduce what a single account member can reach now. Inventory every Zap that contains a Code step and note which connected-app credentials, API keys and tokens those Zaps use; any secret that was reachable from a Code step before the fix date should be treated as potentially disclosed to every member the account had at the time, and rotated. Do not hard-code secrets in Code step source; map them in from a connected app or from the step's input data, and keep secrets that must not be shared across the company in a separate Zapier account, which remains the only hard isolation boundary the platform offers between sets of users. Limit the number of members who can edit Zaps or add Code steps, assign each person the least role they need, and remove stale members. Enforce multi-factor authentication (and SSO where the plan supports it) so that the low privileges the CVSS vector requires cannot be obtained by credential stuffing or phishing. Review Zap history and account activity for Code steps added or modified by members who have no business running code, and for step output or errors that expose credentials. Finally, make clear to the people who build Zaps that a Code step runs with whatever the automation platform can reach, so secrets placed in it need the same handling as secrets in any other application code.
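To support the audit step above, an added example that is not a Zapier tool: a scanner for credentials hard-coded in the source of code steps. The input format is a constructed stand-in for a workflow export, a list of dicts with "zap", "step", "language" and "source" keys, and the sample steps and every token in them are made up. Two rules run on each line: well-known credential prefixes (AWS access key ids, Stripe live keys, GitHub personal access tokens, Slack tokens) and string literals assigned to secret-looking names, the latter ranked by the entropy of the value.

```python
"""Scan exported code-step source for hard-coded credentials (added example)."""
import math
import re
from typing import Any, Dict, List

KNOWN_PREFIX = re.compile(
    r"""['"](AKIA[0-9A-Z]{16}|sk_live_[0-9A-Za-z]{16,}|ghp_[0-9A-Za-z]{20,}"""
    r"""|xox[abprs]-[0-9A-Za-z-]{10,})['"]"""
)
SECRET_NAME = re.compile(
    r"""(?i)\b(\w*(?:token|secret|passw(?:or)?d|api[_-]?key|private[_-]?key)\w*)"""
    r"""\s*[:=]\s*['"]([^'"]{6,})['"]"""
)
HIGH_ENTROPY = 3.5  # bits per character; random-looking keys sit above this, words below


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_step(step: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per suspicious line of a single code step."""
    findings: List[Dict[str, Any]] = []
    where = {"zap": step["zap"], "step": step["step"]}
    for lineno, line in enumerate(step["source"].splitlines(), start=1):
        if KNOWN_PREFIX.search(line):
            findings.append({**where, "line": lineno, "rule": "known-prefix",
                             "severity": "high", "name": None})
            continue  # a known prefix is conclusive; do not double-report the line
        m = SECRET_NAME.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            # A random-looking value next to a secret-like name is almost certainly
            # a live credential; a dictionary word ("changeme") still merits review.
            sev = "high" if shannon_entropy(value) >= HIGH_ENTROPY else "medium"
            findings.append({**where, "line": lineno, "rule": "secret-name",
                             "severity": sev, "name": name})
    return findings


def scan_export(steps: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Scan every Python or JavaScript code step in an export, in export order."""
    return [f for s in steps if s.get("language") in ("python", "javascript")
            for f in scan_step(s)]


# Constructed sample export: three risky steps and one clean one (made-up tokens).
SAMPLE_EXPORT = [
    {"zap": "Invoice sync", "step": 3, "language": "python", "source": (
        'import requests\n'
        'API_KEY = "sk_live_EXAMPLEKEY0123456789abcd"\n'
        'r = requests.get("https://api.example/v1", headers={"Authorization": API_KEY})\n'
        'output = {"status": r.status_code}\n')},
    {"zap": "Repo notifier", "step": 2, "language": "javascript", "source": (
        'const token = "ghp_EXAMPLEtokenEXAMPLEtoken0000";\n'
        'return { ok: true };\n')},
    {"zap": "Legacy import", "step": 4, "language": "python", "source": (
        'db_password = "changeme"\n'
        'output = {"done": True}\n')},
    {"zap": "Clean step", "step": 1, "language": "python", "source": (
        'key = input_data["api_key"]  # mapped in from a prior step, not a literal\n'
        'output = {"ok": bool(key)}\n')},
]


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['zap']} step {f['step']} line {f['line']}: {f['rule']}"
              + (f" ({f['name']})" if f["name"] else ""))
```

Every finding is a secret that was reachable from the account's shared execution environment before the fix and should go on the rotation list; the clean step, which takes its key from mapped input data, produces nothing. Extend the prefix list with whatever token formats your own connected services issue.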
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Ireland, Belgium
Technical Details
Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-04-08T00:00:00.000Z
Cvss Version: 3.1
State: PUBLISHED
Threat ID: 68361cec182aa0cae2232238
Added to database: 5/27/2025, 8:13:32 PM
Last enriched: 7/6/2025, 2:11:53 AM
Last updated: 8/10/2025, 3:45:43 AM
Related Threats
CVE-2025-20048: Escalation of Privilege in Intel(R) Trace Analyzer and Collector software (Medium)
CVE-2025-20037: Escalation of Privilege in Intel(R) Converged Security and Management Engine (Medium)
CVE-2025-20025: Denial of Service in TinyCBOR libraries maintained by Intel(R) (Medium)
CVE-2025-20023: Escalation of Privilege in Intel(R) Graphics Driver software installers (Medium)
CVE-2025-20017: Escalation of Privilege in Intel(R) oneAPI Toolkit and component software installers (Medium)