JustAppSec

Venueless fixes cross-world user deletion via API isolation bug

Published 05 Apr 2026. Source: GitHub Security Advisory

TL;DR — A tenant/isolation bug in Venueless lets an API user with manage users in one “world” delete user accounts belonging to other worlds.

What happened

Venueless is an online-conference platform that supports multiple isolated “worlds” (tenants) within a deployment.

GitHub advisory GHSA-gwjc-33fv-2gh4 describes a cross-world isolation failure: a user with API access and the manage users permission in any Venueless world can trigger deletion of user accounts in other worlds. The advisory rates this High severity with a CVSS v4.0 base score of 7.3.

Cross-tenant authorization and isolation bugs are operationally high-risk in multi-tenant systems because they turn “delegated admin” permissions in one tenant into destructive impact across tenants.

Who is impacted

  • Any Venueless deployment running a commit prior to the patched commit listed in the advisory.
  • Deployments where non-superadmin users are granted manage users permissions (e.g., community moderators, event staff, tenant admins).

Item                 Advisory value
Affected versions    < 02b9cbe5
Patched versions     02b9cbe5

What to do now

  • Follow vendor remediation guidance and ensure your deployed code includes the fix:
    • "The issue is fixed in all commits after 02b9cbe."

  • If you cannot update immediately, apply the stated operational constraint while you plan remediation:
    • "There are no workarounds, other than not giving privileged permissions to anyone."

  • Inventory where manage users is assigned (per world/tenant) and remove it from any accounts that do not strictly require it.
  • Treat this as an integrity incident class:
    • Review audit trails / logs for unexpected user deletions, especially deletions initiated via API paths.
    • Confirm tenant boundary checks for any internal tooling or automation that can delete users across worlds.
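To make the tenant-boundary check and the log review concrete, the following is an added illustration, not Venueless code: the user model, permission layout and audit-log format are all assumptions, and the sample log lines are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: str
    world: str                                  # tenant ("world") the account belongs to
    perms: dict = field(default_factory=dict)   # assumed layout: world -> set of permissions

def can_delete_user_unscoped(actor: User, target: User) -> bool:
    """The bug class the advisory describes: 'manage users' held in ANY
    world is accepted, so the target's world is never considered."""
    return any("manage users" in p for p in actor.perms.values())

def can_delete_user(actor: User, target: User) -> bool:
    """Tenant-scoped check: the permission must be held in the target's own world."""
    return "manage users" in actor.perms.get(target.world, set())

# Constructed sample audit lines (not real Venueless output); format assumed as
# '<iso-ts> actor_world=<w> actor=<id> action=<a> target_world=<w> target=<id> via=<path>'
SAMPLE_LOG = [
    "2026-04-05T09:00:00Z actor_world=worldA actor=mod1 action=user.delete target_world=worldA target=u1 via=api",
    "2026-04-05T09:01:00Z actor_world=worldA actor=mod1 action=user.delete target_world=worldB target=u2 via=api",
    "2026-04-05T09:02:00Z actor_world=worldB actor=mod2 action=user.update target_world=worldA target=u3 via=api",
]

def cross_world_deletions(log_lines):
    """Return the user.delete entries whose target lives in a different world
    than the one the actor acted in: the pattern to look for during review."""
    findings = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])   # drop the timestamp
        if fields.get("action") != "user.delete":
            continue
        if fields.get("actor_world") != fields.get("target_world"):
            findings.append(fields)
    return findings

if __name__ == "__main__":
    mod = User("mod1", "worldA", {"worldA": {"manage users"}})
    other = User("u2", "worldB")
    print("unscoped allows cross-world delete:", can_delete_user_unscoped(mod, other))
    print("scoped allows cross-world delete:  ", can_delete_user(mod, other))
    for f in cross_world_deletions(SAMPLE_LOG):
        print("cross-world deletion:", f["actor"], "->", f["target"], "via", f["via"])
```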

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
