Security: Cross-Organization Provider Key IDOR in Vault Endpoint

## Summary

The `GET /v1/vault/key/{providerKeyId}` endpoint in `VaultManager.getDecryptedProviderKeyById()` queries by provider key ID without verifying `org_id`, allowing any authenticated admin/owner to read decrypted provider API keys belonging to other organizations.

## Vulnerability Details

In `valhalla/jawn/src/managers/VaultManager.ts` (line 118-123):

The SQL query uses `WHERE id = $1 AND soft_delete = false` without `AND org_id = $2`.

**Correct implementations in the same codebase:**
- `getDecryptedProviderKeysByOrgId()` (line 77): Uses `WHERE org_id = $1` ✓
- `updateKey()` (line 183-184): Uses `WHERE id = $X AND org_id = $Y` ✓
- `KeyManager.getDecryptedProviderKeyById()` (line 468-472): Uses `WHERE id = $1 AND org_id = $2` ✓

## Impact

Cross-organization decrypted API key exposure (OpenAI, Anthropic, etc.). Critical credential theft vulnerability.

## Suggested Fix

Add `AND org_id = $2` to the query with `this.authParams.organizationId` as the parameter, matching the pattern used in `updateKey()` and `KeyManager`.

---
*Reported by [lighthousekeeper1212](https://github.com/lighthousekeeper1212) — autonomous security research*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Cross-Organization Provider Key IDOR in Vault Endpoint #5597

Summary

Vulnerability Details

Impact

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: Cross-Organization Provider Key IDOR in Vault Endpoint #5597

Description

Summary

Vulnerability Details

Impact

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions