AppOmni researchers identified 20 risky configurations and behaviours in Salesforce's Industry Cloud low-code app development components that can leave data exposed. Salesforce Industry Cloud customers can easily misconfigure their deployments in ways that allow attackers to access protected customer data, session data, credentials and business logic.
The Salesforce Industry Cloud includes a low-code platform offering pre-built digital transformation tools for sectors such as financial services and manufacturing. The low-code tools, designed for non-developers, let non-technical users build logic that touches critical systems and sensitive customer and internal data.
However, this empowerment comes with a security trade-off: the components trust their callers implicitly, which dramatically increases the risk of customer misconfiguration. This blend of flexibility and implicit trust means that a customer misconfiguring a component or omitting a setting can expose data system-wide.
Costello and AppOmni found:
- Low-code resources that do not enforce access control checks or respect encrypted data fields by default
- Workflow code that can be executed by external or authorised users
- Caching mechanisms that can result in access controls being bypassed
- Improperly developed off-platform applications that can lead to API token theft
- Sensitive API keys and other data embedded directly in components that can be read without permissions
- Unsafe permissions on saved workflows
Salesforce has issued CVEs and guidance for five of the 20 misconfiguration risks AppOmni found. Avoiding the remaining risks is left to customers.
Five CVEs by Salesforce
Salesforce has assigned five CVEs to the vulnerabilities it accepted and notified customers about the issues on May 19. Four of the CVEs concern FlexCards, which pull data from Salesforce and third-party sources for use in workflows or for display in customer-facing web views.
- CVE-2025-43698: The SOQL data source ignores field-level security (FLS), exposing field data on records.
- CVE-2025-43699: The 'Required Permissions' option can be bypassed because the check is performed client-side.
- CVE-2025-43700: The 'View Encrypted Data' permission is not enforced, exposing plaintext values of data that uses Classic Encryption to unauthorised users.
- CVE-2025-43701: Allows Guest Users to read custom setting values.
Data Mappers are available as FlexCard data sources or as actions in back-end Integration Procedures (IProcs). The feature also reads and transforms data into formats suitable for APIs or Salesforce objects.
Costello discovered that two of the Data Mapper types, Extract and Turbo Extract, do not enforce FLS by default and return plaintext values of encrypted fields to users who lack the permission. Salesforce assigned CVE-2025-43697 to the problem.
More Configuration Risks
Fifteen other configuration patterns can have severe security impacts for Salesforce Industry Cloud customers. For instance, Data Mapper and IProc metadata are cached using Scale Cache to speed up subsequent executions. Although users need Sharing Rules configured to execute Data Mappers or IProcs, Costello discovered that once cached, these elements become executable by any user regardless of permissions.
However, no configuration setting enables Scale Cache while still honouring Data Mapper security controls. After thorough testing, including enforcing the CheckCachedMetadataRecordSecurity OmniStudio setting, it was found that the only way to keep authorisation checks in place is to turn off Scale Cache for Data Mappers.
Integration Procedures also do not honour the Required Permissions setting or the Sharing Rules of any Data Mapper or IProc they call. Salesforce documents this behaviour, but it is risky mainly because users only need to satisfy the access controls of the starting IProc to call any chained Data Mapper or IProc.
Firms may have widely accessible IProcs that lead to consequential actions, under the mistaken belief that the permission requirements of an IProc's actions will be checked for the calling user. If the APIs those IProcs call need authentication, firms may hardcode usernames, passwords or API access tokens. Anyone who can execute an IProc can also find the hardcoded values stored within it, including external or guest users who can execute IProcs in debug mode.
FlexCards and IProcs support a data source type named Remote Actions, which enables the execution of Apex classes. Apex is Salesforce's Java-like object-oriented language for building applications on the platform.
When an OmniStudio element executes an Apex class through a Remote Action, the request is routed through the BusinessProcessDisplayController Apex class, which includes a GenericInvoke2NoCont method. This path does not check whether the calling user is permitted to access the Remote Action.
Another feature that creates sensitive-information risk is Data Packs, which export and import components to other Salesforce instances. The feature stores artefacts as JSON definition files that contain dependent objects such as IProcs, which in turn include Data Mappers.
Data Packs can also become orphaned if the user creating them clicks Cancel during the process: the attachments have already been created and are not removed. Because they are not listed on the Data Packs inventory page in OmniStudio, admins find them hard to discover.
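As an added illustration (not AppOmni's tooling and not any Salesforce API), the following Python script audits a Data Pack JSON export for three patterns the article describes: Extract or Turbo Extract Data Mappers without FLS, IProcs with no Required Permission set, and credentials hardcoded in IProc actions. The sample export and all of its key names are constructed assumptions, since the real Data Pack schema is not given here.

```python
import json
import re

# Constructed sample modelled on the article's description of a Data Pack:
# a JSON export whose IProc entries carry their actions and Data Mappers.
# Every key name below is a hypothetical stand-in for the real schema.
SAMPLE_DATA_PACK = json.dumps({
    "IntegrationProcedures": [{
        "Name": "QuoteCallout",
        "RequiredPermission": "",  # empty: anyone who can reach it may run it
        "Actions": [{"Type": "HTTP", "Headers": {
            "Authorization": "Bearer EXAMPLE_TOKEN_PLACEHOLDER"}}],
        "DataMappers": [
            {"Name": "ExtractQuotes", "Type": "Extract", "EnforceFLS": False},
            {"Name": "TurboQuotes", "Type": "Turbo Extract", "EnforceFLS": True},
        ],
    }]
})

# Key names that commonly hold secrets when credentials are hardcoded
SECRET_KEYS = re.compile(r"(password|passwd|secret|token|api[_-]?key|authorization)", re.I)
# Data Mapper types the article says do not enforce FLS by default
EXTRACT_TYPES = {"Extract", "Turbo Extract"}


def audit_data_pack(raw):
    """Walk a Data Pack JSON export and return (json_path, reason) findings."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            # An IProc (anything with Actions) with no Required Permission
            if "Actions" in node and not node.get("RequiredPermission"):
                findings.append((path, "IProc with no Required Permission"))
            # Extract / Turbo Extract mappers must have FLS switched on explicitly
            if node.get("Type") in EXTRACT_TYPES and not node.get("EnforceFLS", False):
                findings.append((path, "extract data mapper without FLS"))
            for key, value in node.items():
                child = f"{path}.{key}"
                if isinstance(value, str) and value.strip() and SECRET_KEYS.search(key):
                    findings.append((child, "hardcoded credential"))
                walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(json.loads(raw), "$")
    return findings


if __name__ == "__main__":
    for path, reason in audit_data_pack(SAMPLE_DATA_PACK):
        print(f"{reason}: {path}")
```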
When embedded in an external website, FlexCard or OmniScript elements require an access token to reach Salesforce. Such tokens should be generated using the OmniOut app. However, the website's end user can inspect the API requests locally in their browser and extract this token, which could then be misused. Costello suggests that organisations place an intermediary service between external OmniStudio elements and Salesforce.
An intermediary may not help when the token itself is embedded in flawed OmniOut code or stored in a public version control system such as GitHub. Moreover, the intermediary itself carries risk if not managed properly, since users may attempt to manipulate the parameters and values passed through it.
Wrapping Up
Finally, OmniScripts that chain multiple back-end operations through IProcs, Data Mappers and FlexCards have a feature named Saved Session that lets users save their progress and return to the script later. Salesforce has issued CVEs that help address some of these configuration vulnerabilities; the rest remain the customer's responsibility to configure safely.