@beerboy_ankit discovered an IDOR in the user invite link in Taxjar. This could have allowed an attacker to take over a user's account. The vulnerability was caused by a leaked token in the delete invitation request feature and resolved by using the invitation ID instead of the token to look up the user's invite when deleting an invitation. Validation was added to ensure the ID belongs to the user's organization.
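The shape of the bug and of the fix, as an added illustration that is not Taxjar's code: a constructed in-memory invitation store, a "before" delete handler that echoes the whole record (accept token included) without checking who owns it, and an "after" handler that looks the invite up by ID, requires it to belong to the caller's organization, and never serialises the token. The store, `User`/`Invitation` types and handler names are assumptions made for the example.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    id: int
    org_id: int


@dataclass
class Invitation:
    id: int
    org_id: int
    email: str
    # The accept-invite link is built from this token; anyone holding it can
    # accept the invite and become the invited user.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def make_sample_store() -> dict:
    """Constructed sample data: two organizations with one pending invite each."""
    return {
        1: Invitation(id=1, org_id=10, email="alice@example.com"),
        2: Invitation(id=2, org_id=20, email="bob@example.com"),
    }


def delete_invitation_vulnerable(store: dict, current_user: User, invitation_id: int) -> dict:
    """Before (assumed shape): no ownership check, and the full record is returned,
    so any authenticated user who guesses an ID learns another org's accept token."""
    invite = store.pop(invitation_id, None)
    if invite is None:
        return {"status": 404}
    return {"status": 200, "invitation": vars(invite)}  # token leaks here


def delete_invitation_hardened(store: dict, current_user: User, invitation_id: int) -> dict:
    """After: look up by ID, require the invite to belong to the caller's
    organization, and only return non-secret fields."""
    invite = store.get(invitation_id)
    if invite is None or invite.org_id != current_user.org_id:
        # Same answer for "does not exist" and "not yours": no ID oracle.
        return {"status": 404}
    del store[invitation_id]
    return {"status": 200, "invitation": {"id": invite.id, "email": invite.email}}
```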