Today, I would like to share a logic flaw in an AI agent that enabled unauthorized users to create support cases using an organization admin's email by bypassing email verification.
While testing for new vulnerabilities in a previously assessed program, where I had already identified multiple issues related to the support portal, I navigated to my account settings and changed my email address to another email.
It is important to note that after changing the email address, access to the support portal is restricted until the new email is verified.
When attempting to access the support page, the system prompts for email confirmation and validation, preventing further access.

I began interacting with the platform's AI agent functionality.
I noticed that this agent is able to execute some requests, such as inviting users, etc.
Through the AI agent, I issued a request to create a support case after changing my email to the admin's email.
The AI agent executed the request successfully without enforcing email verification or validating organization admin privileges.

As a result, the support case was created under the admin account using his email rather than my own, leading the support team to believe that it was created by the admin :)
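The root cause described above is that the agent's tool execution path did not pass through the same gate as the web portal. The following is an added example (not code from the report or the affected platform) showing the flawed dispatch pattern beside a hardened one in which every tool call is authorized exactly like a direct request: the actor must have a verified email, and tools that act on behalf of the organization require the matching role. The users, tool names, and policy table are constructed for illustration; the case also records which user opened it, so the support team can distinguish the requester email from the actual actor.

```python
"""
Added example, not part of the original report: applying one authorization
guard to both the web endpoint and the AI agent's tool dispatch.
All users, roles, tool names and the policy table are constructed.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    pass


@dataclass
class User:
    user_id: str
    email: str
    email_verified: bool
    org_role: str  # constructed values: "member" or "admin"


@dataclass
class SupportCase:
    case_id: int
    requester_email: str
    opened_by_user_id: str  # the authenticated actor, not the email they typed
    subject: str


# Constructed sample org: the real admin, and a member who has just changed
# their address to the admin's one and has not verified it.
USERS = {
    "u-admin": User("u-admin", "admin@example.org", True, "admin"),
    "u-member": User("u-member", "admin@example.org", False, "member"),
}
CASES: list[SupportCase] = []

# Constructed policy: which tools need a verified email and which org role.
TOOL_POLICY = {
    "create_support_case": {"requires_verified_email": True, "required_role": "admin"},
    "invite_user": {"requires_verified_email": True, "required_role": "admin"},
}
ROLE_RANK = {"member": 0, "admin": 1}


def authorize_tool_call(user: User, tool: str) -> list[str]:
    """Return the list of reasons the call must be denied (empty means allowed)."""
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        return [f"unknown tool '{tool}'"]
    reasons = []
    if policy["requires_verified_email"] and not user.email_verified:
        reasons.append("email address not verified")
    if ROLE_RANK[user.org_role] < ROLE_RANK[policy["required_role"]]:
        reasons.append(
            f"requires org role '{policy['required_role']}', actor is '{user.org_role}'"
        )
    return reasons


def _store_case(user: User, subject: str) -> SupportCase:
    # Requester email is taken from the account, never from the tool arguments.
    case = SupportCase(len(CASES) + 1, user.email, user.user_id, subject)
    CASES.append(case)
    return case


def web_create_support_case(user_id: str, subject: str) -> SupportCase:
    """The portal endpoint: denies unverified actors, as the report observed."""
    user = USERS[user_id]
    reasons = authorize_tool_call(user, "create_support_case")
    if reasons:
        raise AuthorizationError("; ".join(reasons))
    return _store_case(user, subject)


def agent_dispatch_vulnerable(user_id: str, tool: str, args: dict) -> SupportCase:
    """Flawed pattern from the report: the agent reaches the internal action
    directly and skips the verification and role checks the portal applies."""
    user = USERS[user_id]
    if tool == "create_support_case":
        return _store_case(user, args["subject"])
    raise ValueError(f"unknown tool {tool}")


def agent_dispatch_hardened(user_id: str, tool: str, args: dict) -> SupportCase:
    """Fix: the agent is just another client of the authorization layer."""
    user = USERS[user_id]
    reasons = authorize_tool_call(user, tool)
    if reasons:
        raise AuthorizationError("; ".join(reasons))
    if tool == "create_support_case":
        return _store_case(user, args["subject"])
    raise ValueError(f"unknown tool {tool}")
```

With the constructed data, `agent_dispatch_vulnerable("u-member", ...)` opens a case whose requester email is the admin's, while `agent_dispatch_hardened` refuses it for two independent reasons (unverified email, insufficient role) and only succeeds for `u-admin`. Logging the denial reasons from `authorize_tool_call` also gives the detection team a clear signal when an agent is steered toward actions the actor could not perform directly.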
Thank you for your time and review. I hope this report is helpful. Have a great day. -.-