Writer AI Patches Critical Cross-Tenant Flaw That Exposed Customer Sessions

A one-click bug dubbed WriteOut let outsiders hop between customer accounts on the enterprise AI platform before it was quietly fixed.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal editorial shot of a modern glass office corridor at dusk, with two adjacent identical meeting rooms separated by a cracked gla
Share

Key points

  • Researchers at Sand Security disclosed a critical session isolation flaw in Writer, an enterprise AI platform used by large companies, in November 2025.
  • The bug, nicknamed WriteOut, could let an outsider take over any Writer AI account with a single click by the victim.
  • Writer has patched the vulnerability, and no customer action is currently required beyond standard account hygiene.
  • The flaw sat in Writer's agent preview feature, which shared session tokens across customer tenants that should have been walled off from each other.

Writer, an enterprise generative AI platform used by Fortune 500 companies to build custom writing agents, has fixed a critical vulnerability that broke the wall between paying customers.

The flaw was found and reported by researchers at Sand Security, who named it WriteOut. It was first reported by The Hacker News.

In plain terms: an attacker with no prior access could have taken over another company's Writer account if a single user clicked one crafted link.

What actually went wrong inside Writer?

The bug lived in Writer's agent preview feature, the tool that lets developers try out an AI agent before publishing it. Previews were supposed to run inside a customer's own private space, known in cloud jargon as a tenant.

They did not.

According to the Sand Security writeup, the preview flow leaked session tokens, the digital keys that prove a user is logged in, across those tenant boundaries. An attacker who lured a Writer user into loading a malicious preview could scoop up that user's token and impersonate them.

From there, the attacker could read anything the victim could read. That includes prompts, uploaded documents, drafts, and any connected data sources the target company had wired into its Writer agents.

Sand Security called it a "one-click" attack. The victim did not need to type credentials, approve a permission, or install anything. A click was enough.

Who was exposed?

Writer markets itself to large enterprises, including banks, retailers, and consultancies that feed sensitive internal text into its agents. A cross-tenant flaw in that setting is serious because one customer's data is meant to be invisible to every other customer sharing the platform.

The researchers say Writer patched the issue after private disclosure. There is no public evidence, at the time of writing, that WriteOut was exploited in the wild before the fix landed.

Writer has not published a detailed public advisory of its own. That is a pattern worth watching. Enterprise AI vendors sit outside the traditional CVE, or Common Vulnerabilities and Exposures, numbering system that covers most software flaws, which means customers often learn about serious bugs through researcher blogs rather than vendor bulletins.

What should Writer customers do now?

If your organisation uses Writer, the practical steps are modest but worth taking.

Rotate any API keys tied to Writer agents. Review audit logs for unusual preview activity or logins from unfamiliar locations over the past several months. Ask your Writer account team, in writing, for the date the patch was deployed and whether your tenant showed any indicators of prior abuse.

For ordinary staff who simply use Writer to draft copy: nothing to do. The fix is server-side.

Why this keeps happening to AI platforms

WriteOut fits a growing pattern. Over the past year researchers have found tenant isolation failures in several AI and low-code platforms, where the shiny new agent-building features shipped faster than the boring plumbing that keeps customers separate.

The underlying lesson is old. Session tokens must be scoped tightly. Preview and sandbox environments must inherit the same access controls as production. When a platform lets one customer's browser touch another customer's session, even briefly, the isolation model has failed.

Expect more of these disclosures as enterprise AI adoption climbs and independent researchers keep poking at the seams.

© 2026 Threat Vectr