Shopify: Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com

A privilege escalation vulnerability was discovered in Shopify's Partner Portal that allowed users without "View referrals" permission to create POS leads by directly accessing the lead creation URL. The backend API lacked proper authorization checks, enabling users to bypass the implemented...