CVE-2025-43701 Overview
CVE-2025-43701 is an Improper Preservation of Permissions vulnerability [CWE-281] in Salesforce OmniStudio FlexCards. The flaw allows unauthenticated network attackers to expose data stored in Salesforce Custom Settings. FlexCards fail to enforce the originating user permissions when retrieving Custom Settings records, breaking the platform's expected access control boundary.
The issue affects all OmniStudio releases prior to version 254. Salesforce has addressed the issue in OmniStudio version 254 and later.
Critical Impact
Unauthenticated attackers can read Custom Settings data through OmniStudio FlexCards, exposing configuration values, feature flags, and sensitive application metadata that administrators expect to be permission-gated.
Affected Products
- Salesforce OmniStudio (FlexCards) before version 254
- Salesforce orgs with OmniStudio FlexCards deployed and exposed to guest or low-privilege users
- Custom Settings referenced by FlexCard data sources in vulnerable OmniStudio versions
Discovery Timeline
- 2025-06-10 - CVE-2025-43701 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-43701
Vulnerability Analysis
OmniStudio FlexCards are declarative UI components that render Salesforce data through configurable data sources. The vulnerability stems from FlexCards bypassing the running user's permission context when fetching Custom Settings records. Custom Settings are typically used to store application configuration, feature toggles, API endpoints, and integration parameters.
When a FlexCard queries a Custom Setting, the platform should evaluate the user's object-level and field-level security. In affected versions the FlexCard returns the Custom Setting values without enforcing those checks. An unauthenticated attacker reaching a FlexCard exposed through a Salesforce Experience Cloud site or guest user surface can retrieve data the user has no rights to read.
The flaw is classified under CWE-281 (Improper Preservation of Permissions) and affects confidentiality only. It does not allow modification or denial of service. The EPSS model currently estimates a 0.317% probability of exploitation in the next 30 days.
Root Cause
The root cause is missing permission propagation in the FlexCard runtime when resolving Custom Settings data sources. The component executes the underlying SOQL or metadata read in a context that ignores the calling user's profile, permission sets, and sharing rules. This violates the principle of least privilege expected by administrators configuring Custom Settings visibility.
Attack Vector
Exploitation requires only network access to a Salesforce site that exposes a vulnerable FlexCard. No authentication, user interaction, or specialized privileges are needed. An attacker identifies a public-facing FlexCard, invokes its data source endpoint, and parses the response to extract Custom Settings values. See the Salesforce Help Article for vendor technical details.
Detection Methods for CVE-2025-43701
Indicators of Compromise
- Unexpected high-volume requests to FlexCard endpoints under /services/apexrest/ or Experience Cloud /sfsites/ paths from a single source.
- Guest user activity in Salesforce Event Monitoring that references Custom Settings objects via FlexCard data sources.
- Anomalous read patterns against Custom Settings objects originating from low-privilege or unauthenticated session contexts.
Detection Strategies
- Review Salesforce Event Monitoring ApiEvent and LightningPageView logs for FlexCard invocations correlated with Custom Settings reads.
- Audit all FlexCards deployed to Experience Cloud sites and identify those with Custom Settings data sources.
- Compare current OmniStudio version against 254 using the Salesforce Setup Installed Packages page.
Monitoring Recommendations
- Forward Salesforce Event Monitoring logs into a SIEM and alert on guest-context access to sensitive Custom Settings.
- Track FlexCard response payload sizes for sudden growth that may indicate enumeration.
- Monitor Salesforce Trust advisories and CVE feeds for related OmniStudio disclosures.
How to Mitigate CVE-2025-43701
Immediate Actions Required
- Upgrade Salesforce OmniStudio to version 254 or later in all affected orgs.
- Inventory FlexCards exposed to guest users and Experience Cloud sites and validate their data sources.
- Rotate any secrets, API keys, or tokens that may have been stored in Custom Settings reachable through vulnerable FlexCards.
Patch Information
Salesforce has remediated the issue in OmniStudio version 254. Customers running earlier OmniStudio releases must upgrade through the AppExchange managed package update path. Refer to the Salesforce Help Article for the official advisory and upgrade guidance.
Workarounds
- Restrict guest user profile access to Custom Settings objects until the OmniStudio upgrade is completed.
- Remove or disable FlexCards on public-facing Experience Cloud pages that reference Custom Settings.
- Relocate sensitive configuration values from Custom Settings to Custom Metadata Types or Named Credentials with stricter access controls.
# Query installed OmniStudio version via Salesforce CLI
sf data query --query "SELECT Id, Name, NamespacePrefix FROM Publisher WHERE NamespacePrefix = 'omnistudio'" --target-org my-org
# List FlexCards referencing Custom Settings (Tooling API)
sf data query --use-tooling-api \
--query "SELECT Id, DeveloperName FROM OmniUiCard__c WHERE DataSourceType__c = 'Custom Settings'" \
--target-org my-org
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
