AppOmni researchers identified over 20 security issues—including five zero-day vulnerabilities and numerous insecure configurations—in Salesforce Industry Cloud, particularly within its OmniStudio suite. These findings highlight the risks that can arise from default settings, low-code development shortcuts, and customer misconfigurations, potentially exposing sensitive business and personal data to unauthorized access.
Salesforce Industry Clouds are designed for rapid, low-code development, enabling both technical and non-technical users to build and deploy workflows quickly. While this accelerates innovation, it also means that users without deep security expertise can unintentionally misconfigure access controls or overlook critical security settings, leading to data exposure.
Many default configurations do not enforce strict access controls, such as field-level security (FLS) or encrypted data checks. For example, some components, such as FlexCards and Data Mappers, do not enforce FLS by default, which can expose sensitive or encrypted data to unauthorized users if not manually configured. Similarly, required permissions may be enforced only on the client side, making them easy to bypass.
The platform’s ease of use can lead to a reliance on default settings, with users assuming the system is secure by default. In reality, these defaults are often designed for broad compatibility and ease of deployment, not maximum security. This can result in sensitive data—such as personal, financial, or health information—being accessible to unauthorized internal or external users.
Salesforce addresses some vulnerabilities at the platform level, but many security controls—such as sharing rules, field-level access, and workflow permissions—must be configured by the customer. If organizations do not proactively review and harden these settings, they remain vulnerable to attack or accidental data leakage.
Five Critical CVEs
Salesforce assigned CVE identifiers to five of the most severe vulnerabilities, which impacted core components like FlexCards and Data Mappers:
| CVE | Component | Description |
|---|---|---|
| CVE-2025-43697 | Data Mapper | ‘Extract’ and ‘Turbo Extract’ actions do not enforce field-level security (FLS) by default, exposing plaintext values of encrypted fields to unauthorized users. |
| CVE-2025-43698 | FlexCard | SOQL data source bypasses FLS, exposing all field data for records. |
| CVE-2025-43699 | FlexCard | ‘Required Permissions’ field can be bypassed due to client-side enforcement. |
| CVE-2025-43700 | FlexCard | ‘View Encrypted Data’ permission not enforced, returning plaintext for encrypted data to unauthorized users. |
| CVE-2025-43701 | FlexCard | Guest users can access values for Custom Settings. |
Three of these vulnerabilities were fixed by Salesforce via automatic updates; two require customers to enable new security settings.
5+ Misconfiguration Risks
Beyond the CVEs, AppOmni found at least 15 additional configuration risks. These are not inherent software bugs but rather insecure defaults or common mistakes customers make when configuring Salesforce Industry Cloud. Examples include:
• Default sharing settings that expose internal data to the public.
• FlexCards and Data Mappers bypassing access controls, allowing unauthorized data access.
• Caching and saved sessions leaking sensitive data between users.
• Hardcoded credentials and insecure storage of API tokens in OmniOut components.
• Integration Procedures that allow nested actions to skip permission validation or expose callable Apex to unauthorized users.
• Exported/imported Data Packs that can be read to bypass permissions
