CVE-2026-53536 Activepieces: Cross-tenant file download via missing JWT audience check on step-files signed URL
Activepieces is an open source AI workflow automation platform. Prior to 0.83.0, the /v1/step-files/signed download endpoint verified the supplied JWT against the shared signing secret but did not check the token's audience, and combined with a missing null-check on the decoded fileId, this allow...