GreenSlope
2026.03-security-1
  • Security

Security fix: ingest endpoint rejected malformed JWTs with the wrong error class.

A malformed JWT submitted to the ingest endpoint returned 500 Internal Server Error instead of 401 Unauthorized. No tenant data was exposed: the token still failed to validate and no downstream processing ran. The response class was nonetheless wrong, and the timing difference between the malformed-token path (which raised an unhandled error) and the well-formed-but-invalid-token path (which was rejected normally) could in principle have served as a weak oracle for telling a live tenant ingest endpoint apart from a non-existent one.

The ingest handler now returns 401 Unauthorized with a generic body for every malformed, expired, or unknown-key token. Response timing is now independent of which validation step failed.
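
The two handler shapes this entry describes, as an added example rather than GreenSlope's own code: a minimal HS256 verifier built on Python's standard library, where `ingest_before` lets parse failures escape to a framework stand-in that maps them to 500, and `ingest_after` runs every validation step on every request and exits through one generic 401. The key store, the secrets, the decoy key, the sample tokens and all function names are constructed for the illustration and are not taken from the page.

```python
# Added example, not GreenSlope code: 'before' handler (parse errors escape as 500)
# beside 'after' handler (one generic 401, every step runs on every request).
# Key store, secrets, sample tokens and handler names are constructed for this page.
import base64
import hashlib
import hmac
import json

KEYS = {"tenant-a-2026": b"constructed-shared-secret-for-tenant-a"}  # hypothetical kid -> secret
# Unknown kid: the HMAC is still computed against this decoy so that path does the same work.
DECOY_KEY = b"decoy-key-that-never-signed-anything"
GENERIC_401 = (401, {"error": "unauthorized"})
NOW = 1_700_000_000.0  # fixed clock so the example is deterministic

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it. Junk raises ValueError (or a subclass).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(secret: bytes, kid: str, claims: dict) -> str:
    """Issue an HS256 token; used only to build the constructed sample inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

class BadToken(Exception): pass  # the only failure the 'before' handler anticipated

def ingest_before(token: str, now: float = NOW):
    """'Before': only BadToken becomes 401; earlier failures raise ValueError/KeyError."""
    header_b64, payload_b64, sig_b64 = token.split(".")   # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))       # ValueError on junk
    secret = KEYS[header["kid"]]                          # KeyError on unknown kid
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise BadToken("signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise BadToken("expired")
    return 200, {"accepted": claims["sub"]}

def framework_before(token: str, now: float = NOW):
    """Stand-in for a web framework that maps any unhandled exception to 500."""
    try:
        return ingest_before(token, now)
    except BadToken:
        return GENERIC_401
    except Exception:                                     # the bug: parse errors leak as 500
        return 500, {"error": "internal server error"}

def ingest_after(token: str, now: float = NOW):
    """'After': every step runs on every request; a failure only clears `ok` and substitutes
    a placeholder so later steps still execute. One exit returns the generic 401."""
    ok = True
    parts = token.split(".")
    if len(parts) != 3:
        ok, parts = False, ["", "", ""]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        header = None
    if not isinstance(header, dict):
        ok, header = False, {}
    if header.get("alg") != "HS256":                      # pin the algorithm; never honour 'none'
        ok = False
    secret = KEYS.get(str(header.get("kid")))
    if secret is None:
        ok, secret = False, DECOY_KEY
    try:
        sig = _b64url_decode(sig_b64)
    except ValueError:
        ok, sig = False, b""
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):            # constant-time comparison
        ok = False
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        claims = None
    if not isinstance(claims, dict):
        ok, claims = False, {}
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        ok = False
    return GENERIC_401 if not ok else (200, {"accepted": claims.get("sub")})

SAMPLES = {  # constructed inputs: one valid token and four rejection cases
    "valid": mint_token(KEYS["tenant-a-2026"], "tenant-a-2026", {"sub": "tenant-a", "exp": NOW + 300}),
    "expired": mint_token(KEYS["tenant-a-2026"], "tenant-a-2026", {"sub": "tenant-a", "exp": NOW - 1}),
    "unknown_kid": mint_token(b"someone-else", "no-such-kid", {"sub": "x", "exp": NOW + 300}),
    "garbage": "not.a.jwt",
    "two_segments": "abc.def",
}

def statuses(handler) -> dict:
    return {name: handler(tok)[0] for name, tok in SAMPLES.items()}
```

Comparing `statuses(framework_before)` with `statuses(ingest_after)` on the constructed samples shows the difference the entry describes: the first answers 401 only for the expired token and 500 for the unknown-kid, garbage and two-segment tokens, while the second answers 401 for all four with an identical body. The decoy key and placeholder substitutions keep the work done roughly equal across rejection paths, but whether a deployment's measured response times are actually indistinguishable is something to confirm with a timing harness rather than assume from the code shape.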

The fix is live in all regions. Internal advisory ID: GS-ADV-2026-001.

Affects
All tenants. No tenant data was exposed (tokens still failed to validate), but the 500-class response obscured the cause of the rejection and could be used to distinguish live endpoints from non-existent ones.
Action required
None. The fix is server-side and deployed to all regions.
Advisory
GS-ADV-2026-001