The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.
An attacker with an account (even with low privileges) can invoke a GraphQL mutation named 'createToken', which incorrectly processes the request and returns a token with administrative privileges at the platform level. The authorization mechanism does not properly verify the permission level of the user sending this request. As a result, a regular user can obtain a token that provides administrative access to all platform resources.
An attacker can gain full administrative control over the entire RBI Assistant platform, which provides access to data and configuration of all brands within the group (including Burger King, Tim Hortons, Popeyes). It is possible to read, modify or delete data and further compromise the confidentiality, integrity and availability of the system.
Patches available from the manufacturer should be applied in accordance with references. Additionally, it is recommended to audit logs for unauthorized calls to the 'createToken' mutation in GraphQL and immediately revoke tokens issued before the fix was implemented.
Restaurant Brands International (RBI) Assistant platform in versions published through 2025-09-06 inclusive.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HRbi Restaurant Brands International Assistant
APPRbi≤ 2025-09-06
Related vulnerabilities
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authenti...
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory t...
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to rev...
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of ...
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adj...