
CVSS 8.1 Permanent State Corruption in Linear.app

8.1 High

CVSS Analysis

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

  • Vector: Network
  • Complexity: Low
  • Privileges: Low
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: High

Executive Summary

In September 2025, I identified a critical logic vulnerability in Linear.app. This platform is the industry standard for project management. It is trusted by AI giants like OpenAI, Scale, Perplexity, payment processors like Coinbase, Cash App, and even SaaS leaders like Vercel and Netlify.

The flaw existed in the core data model. By abusing the API during content creation, I demonstrated how a malicious actor could force a UserID collision. This state corruption permanently ‘bricked’ the web application for target users. No cache clearing, logout, or standard admin intervention could restore access.


Technical Breakdown

The vulnerability was not a standard permission bypass. It was a fundamental architectural flaw in the handling of generic entities: Issues, Documents, and Users either share an ID namespace or are treated as colliding types once IDs are supplied manually by the client.

The Root Cause

The API endpoints for creating content failed to validate IDs against existing User IDs. This allowed an attacker to create objects that ‘impersonated’ a User ID in the backend graph. The frontend crashed immediately when attempting to resolve these conflicting entity relationships.

The Exploit Chain

  1. Target Selection: The attacker obtains the UserID of the victim. Targeting a workspace administrator or engineering lead maximizes the disruption.
  2. Entity Collision: The attacker sends a request to the issue/document creation API.
    • The attacker sets issueCreateInput.id to the target UserID.
    • The attacker sets documentContentCreateInput.id to the target UserID.
    • The attacker sets documentContentCreateInput.issueId to the target UserID.
  3. Trigger: The attacker adds the victim as a subscriber to this malformed entity.
  4. Denial of Service: The victim logs in. The application attempts to load the corrupted state. The session crashes permanently.
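The following is an added example, not Linear's code, of the server-side check that would have blocked the root cause above: a client-supplied ID for a new Issue or Document is rejected if it belongs to any other entity type, and a reference field such as issueId must resolve to an entity of the expected type. The shared registry, the typed-ID prefixes and the request shapes are constructed for illustration.

```javascript
// Added example, not Linear's code: a server-side guard for client-supplied IDs.
// Lesson applied from this write-up: an ID the client chooses for a new Issue or
// Document must not collide with an ID held by another entity type (no Issue
// created "as" a User), and issueId must point at an entity of the right type.
// Registry, prefixes and request shapes are constructed for illustration.

// One ID registry shared by every entity type, so a collision across types
// (issue vs. user) is caught, not only a duplicate within a single table.
function createRegistry() {
  const owners = new Map(); // id -> entity type that owns it
  return {
    claim(type, id) {
      if (owners.has(id)) return false;
      owners.set(id, type);
      return true;
    },
    ownerOf(id) { return owners.has(id) ? owners.get(id) : null; },
  };
}

// Typed IDs: each entity kind has its own prefix, so a misdirected ID is
// rejected on shape alone, before any lookup happens (defense in depth).
const PREFIX = { user: 'usr_', issue: 'iss_', document: 'doc_' };

function hasPrefix(value, type) {
  return typeof value === 'string' && value.startsWith(PREFIX[type]);
}

// Validates and registers a new Issue or Document. Returns { ok, reason }.
function createEntity(registry, type, input) {
  const { id, issueId } = input;
  if (!hasPrefix(id, type)) {
    return { ok: false, reason: `id must carry the ${PREFIX[type]} prefix` };
  }
  const owner = registry.ownerOf(id);
  if (owner !== null) {
    return { ok: false, reason: `id already belongs to a ${owner}` };
  }
  // A document's issueId is checked for type as well as existence.
  if (issueId !== undefined &&
      (!hasPrefix(issueId, 'issue') || registry.ownerOf(issueId) !== 'issue')) {
    return { ok: false, reason: 'issueId does not reference an existing issue' };
  }
  registry.claim(type, id);
  return { ok: true, reason: '' };
}

// Usage: the write-up's first step, replayed against the guarded API.
const demoRegistry = createRegistry(); demoRegistry.claim('user', 'usr_victim'); // constructed victim ID
console.log(createEntity(demoRegistry, 'issue', { id: 'usr_victim' })); // rejected by prefix check
```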

Proof of Concept

I created a video POC to demonstrate the attack in a controlled environment. The steps were trivial for any authenticated user to execute.


Impact Analysis

The Linear security team initially scored this as low risk. I successfully argued for a CVSS 8.1 classification based on the permanent nature of the damage.

  • Availability (High): This results in a permanent Denial of Service (DoS) for affected accounts.
  • Integrity (High): The workspace state becomes irreversibly corrupted.
  • Insider Threat: A disgruntled employee could automate this. A malicious insider could brick an entire workspace before offboarding.
  • Corporate Espionage: Competitors could plant insiders to sabotage product development at critical moments.

Disclosure Timeline & Vendor Response

Persistence was key in this disclosure process.

  • Aug 25, 2025: Vulnerability Discovered.
  • Sep 09, 2025: Full report and POC submitted to Linear Security.
  • Sep 10, 2025: Initial Rejection. The team dismissed the report. The response stated: ‘I believe this is a known issue that we are okay with at present.’
  • Sep 10, 2025: The Pushback. I responded immediately. I challenged the ‘known issue’ classification. I detailed the insider threat scenario and the reputational risk of destroying enterprise workspaces.
  • Sep 11, 2025: Re-evaluation. The security lead acknowledged the severity. The team committed to investigating the issue.
  • Sep 12, 2025: The Fix. Linear deployed a client-side patch to prevent the behavior.
  • Sep 23, 2025: Bounty Awarded. Linear offered a $XXX reward.

The “PayPal in Azerbaijan” Hurdle

The payout process presented a logistical challenge. PayPal does not support receiving payments in Azerbaijan.

I requested payment via Crypto (USDT/LTC). Linear declined due to accounting policies. I ultimately routed the payment through a trusted colleague to receive the bounty. This highlights the extra hurdles researchers in the region face.


Conclusion

This finding reinforces two key lessons:

  1. Architecture Matters: Allowing client-side ID generation without strict namespacing creates dangerous logic bombs.
  2. Push Back (Respectfully): Vendors may dismiss critical bugs as ‘known’ or ‘low risk.’ It is the responsibility of the researcher to articulate the business risk.

Linear handled the escalation professionally. The team deployed a fix within 48 hours of my pushback. The collaboration resulted in a more secure platform for millions of users.