Full Report
Cybersecurity researchers have disclosed details of a now-patched critical session isolation vulnerability in Writer, an enterprise generative artificial intelligence (AI) platform, that could result in cross-tenant compromise. The one-click vulnerability has been codenamed WriteOut by the Sand Security Research team. "An outsider could go from having no access to taking over any Writer AI
Analysis Summary
# Vulnerability: WriteOut - Cross-Tenant Session Isolation Flaw in Writer AI
## CVE Details
- **CVE ID**: Not specified in the article (Research codename: **WriteOut**)
- **CVSS Score**: Not explicitly provided, but classified as **Critical** by researchers.
- **CWE**: CWE-403 (Exposure of Functionality to Improper Affiliate) / CWE-693 (Protection Mechanism Failure)
## Affected Systems
- **Products**: Writer (Enterprise Generative AI Platform)
- **Versions**: All versions prior to the July 2026 patch.
- **Configurations**: Systems utilizing the "Writer Framework" live preview feature.
## Vulnerability Description
The "WriteOut" vulnerability stems from a failure in tenant isolation within Writer’s managed sandbox environment. When a user views a "live preview" of an AI agent, the platform’s preview proxy incorrectly forwarded the user's active session cookies into the sandbox where the agent's code executes.
While Writer implemented input-side filtering to block malicious code or environment variable access, researchers bypassed these guardrails by instructing the agent to fetch and execute a remote script at runtime. This allowed an attacker to execute arbitrary code within the sandbox to read the process memory, capture the forwarded session tokens, and exfiltrate them to an external server.
## Exploitation
- **Status**: PoC available (Developed by Sand Security Research); Patched by vendor.
- **Complexity**: Low (Described as a "one-click" vulnerability).
- **Attack Vector**: Network (Web-based via a malicious link).
## Impact
- **Confidentiality**: **High** (Access to private chats, documents, LLM credentials, and connectors).
- **Integrity**: **High** (Ability to modify configurations, agents, and private models).
- **Availability**: **High** (Potential for administrative takeover and account lockout).
## Remediation
### Patches
- **Writer Platform Update**: The vendor has deployed a server-side fix. The update prevents session cookies from being forwarded into sandbox previews and moves previews to an isolated web origin.
### Workarounds
- No specific workarounds are required as the fix was applied to the hosted enterprise platform; however, users should always ensure they are interacting with trusted AI agent links.
## Detection
- **Indicators of Compromise**:
- Unusual API traffic or session activity originating from unexpected IP addresses (token replay).
- Audit logs showing agent previews fetching external scripts from untrusted domains.
- **Detection Methods**: Monitor for unauthorized access to sensitive documents or LLM configurations immediately following the use of a shared preview link.
## References
- **Vendor Advisory**: hxxps[://]writer[.]com/
- **Research Report**: hxxps[://]www[.]sandsecurity[.]ai/blog/writeout-writer-ai-cross-tenant
- **News Source**: hxxps[://]thehackernews[.]com/2026/07/writer-ai-flaw-could-let-agent-previews.html