CVE-2025-43698 Overview
CVE-2025-43698 is an Improper Preservation of Permissions vulnerability (CWE-281) in Salesforce OmniStudio that affects the FlexCards component. It lets a user of a FlexCard bypass field-level security (FLS) on Salesforce objects: field values that the user's profile and permission sets deny are returned anyway and, where the card writes data back, fields that should be read-only for that user can be changed. The issue is rated critical.
The flaw is in how FlexCards, the OmniStudio feature used to build guided customer experiences and data-driven UI components, handle permission checks. When a FlexCard renders data from Salesforce objects, the enforcement step that should honour the configured field-level permissions is not applied, so restricted fields come back alongside permitted ones.
Critical Impact
Attackers can bypass field-level security controls to read and potentially modify sensitive data in Salesforce objects that should be protected by FLS configurations.
Affected Products
- Salesforce OmniStudio (FlexCards), releases prior to Spring 2025
- Any org with the OmniStudio managed package installed that renders FlexCards, including custom FlexCard implementations and FlexCards exposed on Experience Cloud sites
Discovery Timeline
- 2025-06-10 - CVE-2025-43698 published to NVD
- 2025-06-12 - Last updated in NVD database
Technical Details for CVE-2025-43698
Vulnerability Analysis
This vulnerability is classified under CWE-281 (Improper Preservation of Permissions), indicating that the application fails to maintain the intended access control restrictions during certain operations. In the context of Salesforce OmniStudio FlexCards, this manifests as a failure to enforce field-level security when FlexCards query and display data from Salesforce objects.
FlexCards are designed to create dynamic, data-driven UI components that pull information from various Salesforce objects. The vulnerability occurs when the FlexCards component retrieves data without properly enforcing the field-level security permissions configured on the underlying Salesforce objects. This means that even if an organization has configured specific fields to be hidden or read-only for certain user profiles, FlexCards may expose this data regardless of these security configurations.
The vulnerability is reachable over the network, and its scoring assumes no authentication is required. The exposure is greatest where FlexCards are served to guest users through Experience Cloud or other public-facing sites, but an authenticated user with a restricted profile can exploit it just as well: in both cases the attacker requests, through a FlexCard interface, fields that their permissions should keep hidden.
Root Cause
The root cause is that the FlexCards component does not check and preserve field-level security when it performs data operations. Salesforce FLS restricts read and edit access to individual fields by profile and permission set. Prior to Spring 2025, the FlexCards implementation does not apply these restrictions consistently, which creates a permission bypass pathway.
The general mechanism matters because it shapes the workarounds. Apex, including managed-package code, runs in system mode: SOQL and DML ignore FLS unless the code opts in, whether with WITH USER_MODE (or the older WITH SECURITY_ENFORCED) on the query, Security.stripInaccessible on the records, user-mode DML, or explicit describe checks such as isAccessible() and isUpdateable() before a field is rendered or written. A data source that queries in system mode and hands the result straight to the card returns every selected field regardless of the user's permissions. The advisory does not say which of these omissions is the actual FlexCards defect, so the workarounds below cover the class of defect rather than one line of code.
Attack Vector
The attack leverages the network-accessible FlexCards interface to bypass field-level security controls. An attacker with legitimate but limited access to a Salesforce environment could exploit this vulnerability to:
- Access sensitive fields they shouldn't be able to view based on their profile permissions
- Potentially modify data in fields that should be restricted
- Exfiltrate confidential information through FlexCard-rendered interfaces
The vulnerability can be exploited without authentication in certain configurations where FlexCards are exposed to unauthenticated users through Experience Cloud sites or public-facing applications.
The exploitation involves interacting with FlexCards that reference Salesforce objects containing sensitive fields. The FlexCards component fails to verify field-level permissions, returning data from restricted fields in the response payload regardless of the user's configured access level.
Detection Methods for CVE-2025-43698
Indicators of Compromise
- Unusual access patterns to FlexCard endpoints requesting sensitive object fields
- API logs showing retrieval of field data that users shouldn't have access to based on their profiles
- Unexpected data exports or access to confidential fields through OmniStudio components
- User activity logs indicating access to restricted fields via FlexCard interfaces
Detection Strategies
- Query Salesforce Shield Event Monitoring logs (EventLogFile) for field access through OmniStudio components that is out of line with the calling user's profile and permission sets
- Review FlexCard configurations to identify those that read or write objects with sensitive field-level security requirements
- Log all FlexCard data retrievals and compare the fields returned against the permissions expected for the calling user
Monitoring Recommendations
- Enable detailed transaction security policies for OmniStudio component access
- Configure alerts for bulk data access through FlexCard interfaces
- Implement real-time monitoring for access to objects with PII or sensitive financial data
- Review login IP ranges and session management for users accessing FlexCards
How to Mitigate CVE-2025-43698
Immediate Actions Required
- Upgrade OmniStudio to Spring 2025 release or later immediately
- Audit all FlexCard configurations for access to sensitive Salesforce objects
- Review field-level security settings on objects accessed by FlexCards
- Consider temporarily disabling FlexCards that access highly sensitive data until patched
Patch Information
Salesforce has addressed this vulnerability in the OmniStudio Spring 2025 release. Organizations should upgrade their OmniStudio managed package to the latest version available. For detailed patch information and upgrade instructions, refer to the Salesforce Help Article.
The patch ensures proper enforcement of field-level security within FlexCards by implementing consistent permission checks during data retrieval operations.
Workarounds
- Implement custom Apex controllers as FlexCard data sources with explicit FLS checks: Security.stripInaccessible on the records, or Schema describe checks (isAccessible, isUpdateable) per field, before data is returned or written
- Use WITH USER_MODE (or the older WITH SECURITY_ENFORCED) in all SOQL queries within FlexCard data sources, and user-mode DML for writes
- Apply additional permission validation through custom Lightning web components wrapping FlexCards
- Restrict guest-user access to FlexCards on Experience Cloud sites (guest user profile, object and field permissions) until the upgrade is complete
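The defect class described under Root Cause and the first two workarounds above, as an added Apex example. This is not Salesforce's or OmniStudio's code: the class names and the custom field Account.Credit_Score__c are assumptions for illustration. The first class shows what an FLS-blind data source looks like; the second is the shape a custom FlexCard data source should take until the upgrade is complete.

```apex
// Added example, not Salesforce or OmniStudio code. Two Apex controllers a
// FlexCard could call as an Apex data source. Assumed for illustration:
// a custom field Account.Credit_Score__c that only some profiles may read
// or edit, and the class names below.

// BEFORE: the FLS-blind pattern. Apex runs in system mode for FLS no matter
// which sharing keyword is used; `without sharing` additionally ignores
// record-level sharing. Every selected field is returned with the class's
// permissions, not the user's, and any field in the payload is written.
public without sharing class FlexCardAccountSourceVulnerable {
    @AuraEnabled(cacheable=true)
    public static List<Account> getAccounts(String industry) {
        return [SELECT Id, Name, AnnualRevenue, Credit_Score__c
                FROM Account WHERE Industry = :industry LIMIT 50];
    }

    @AuraEnabled
    public static void saveAccounts(List<Account> accounts) {
        update accounts; // no FLS check: a restricted field can be overwritten
    }
}

// AFTER: sharing honoured, unreadable fields stripped from the read path,
// and writes to non-updateable fields rejected instead of silently applied.
public with sharing class FlexCardAccountSource {

    @AuraEnabled(cacheable=true)
    public static List<SObject> getAccounts(String industry) {
        List<Account> rows = [SELECT Id, Name, AnnualRevenue, Credit_Score__c
                              FROM Account WHERE Industry = :industry LIMIT 50];
        // Remove every field the running user has no read FLS on. The card
        // still renders; restricted values are simply absent from the payload.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }

    @AuraEnabled
    public static void saveAccounts(List<Account> accounts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, accounts);
        // Fail closed: if the payload touched a field the user cannot edit,
        // refuse the whole write rather than quietly dropping that field.
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (!removed.isEmpty()) {
            throw new AuraHandledException(
                'Write rejected: no edit access to ' + String.valueOf(removed));
        }
        // User-mode DML additionally enforces object CRUD, FLS and sharing.
        Database.update(decision.getRecords(), AccessLevel.USER_MODE);
    }
}
```

To verify the hardened class, run it in an Apex test under System.runAs with a user whose profile lacks read access to Credit_Score__c and assert that the field is absent from the returned records (records[0].isSet('Credit_Score__c') is false); do the same for saveAccounts with a non-editable field in the payload and expect the AuraHandledException. If you prefer a hard failure to silent stripping on reads, add WITH USER_MODE to the SOQL: it throws a System.QueryException when the query names a field the user cannot read.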
# Verify the installed OmniStudio package version with the Salesforce CLI (sf v2);
# Setup > Installed Packages > OmniStudio shows the same in the UI. Ensure Spring 2025 or later.
sf package installed list --target-org your-org-alias
# List FlexCards to audit which ones read or write sensitive objects. The object name depends on
# the runtime: OmniUiCard (standard runtime) is assumed here; managed-package orgs use a
# namespaced VlocityCard__c custom object instead.
sf data query --query "SELECT Id, Name FROM OmniUiCard" --target-org your-org-alias
# Check field-level security as the user a FlexCard runs as: describe returns only the fields that
# user can read, with updateable=false for fields they cannot edit. Authorize the restricted user
# under its own alias first (sf org login web --alias restricted-user).
sf sobject describe --sobject Account --target-org restricted-user --json \
  | jq -r '.result.fields[] | "\(.name) updateable=\(.updateable)"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.