
Security research partner AppOmni disclosed five critical vulnerabilities in Salesforce’s powerful OmniStudio platform that could expose encrypted and sensitive customer data. These flaws, discovered in both the FlexCard and Data Mapper components, stem from Improper Preservation of Permissions, allowing attackers to bypass field-level security (FLS) controls and gain unauthorized access to protected fields and objects.
AppOmni has registered five CVEs—affecting versions of OmniStudio prior to Spring ’25:
FlexCard-Related Vulnerabilities
- CVE-2025-43698 — High Severity (CVSS 7.5): Bypasses field-level security controls for standard Salesforce objects.
- CVE-2025-43699 — Medium Severity (CVSS 5.3): Permits unauthorized access to OmniUICard objects.
- CVE-2025-43700 — High Severity (CVSS 7.5): Enables exposure of encrypted data via improperly restricted FlexCards.
- CVE-2025-43701 — High Severity (CVSS 7.5): Allows access to Custom Settings data, which may contain critical configurations or sensitive information.
Data Mapper Vulnerability
- CVE-2025-43697 — High Severity (CVSS 7.5): Affects the DataMapper feature, potentially exposing encrypted records due to lax permission inheritance.
All of these issues arise from Salesforce OmniStudio’s failure to uphold proper permission constraints, posing a major threat to enterprise data confidentiality.
The implications are serious. With attackers able to sidestep configured security settings, organizations using OmniStudio may inadvertently expose encrypted fields, sensitive business logic, and backend configurations to unauthorized users—especially in multi-tenant Salesforce environments where visibility controls are critical.
Salesforce customers are advised to take the following steps immediately:
- Review affected components: Focus on both FlexCards and Data Mappers in OmniStudio deployments.
- Audit user access: Confirm that users who exhibit unexpected data visibility hold only the Field-Level Security (FLS) settings and permission sets intended for them.
- Update profiles and permissions: Adjust user roles to align with intended visibility rules.
- Apply Spring ’25 update: Upgrade to the latest OmniStudio release to patch all five vulnerabilities.
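An FLS audit that supports the access review above, written for this post as an added example (it is not AppOmni's or Salesforce's code): anonymous Apex that lists every profile and permission set granting read access to encrypted fields on an object, so the grants can be compared with what the FlexCards and Data Mappers are meant to expose. It assumes an admin runs it, that 'Account' stands in for the object your OmniStudio components surface, and that isEncrypted() reports classic encrypted text fields only (Shield Platform Encryption is not visible through describe).

```apex
// Added example, not from the advisory: report who can read encrypted fields.
// Assumption: 'Account' is a stand-in for the object exposed by your
// FlexCards / Data Mappers; replace it with the object under review.
String objName = 'Account';

// 1. Collect fields flagged as encrypted in the object's describe metadata.
//    (Assumption: isEncrypted() covers classic encrypted text fields only.)
Map<String, Schema.SObjectField> fieldMap =
    Schema.getGlobalDescribe().get(objName).getDescribe().fields.getMap();
Set<String> encryptedFields = new Set<String>();
for (Schema.SObjectField f : fieldMap.values()) {
    Schema.DescribeFieldResult d = f.getDescribe();
    if (d.isEncrypted()) {
        // FieldPermissions.Field uses the 'Object.Field' form.
        encryptedFields.add(objName + '.' + d.getName());
    }
}
System.debug('Encrypted fields on ' + objName + ': ' + encryptedFields);

// 2. List every profile / permission set that grants read on those fields.
//    An empty set simply returns no rows.
for (FieldPermissions fp : [
        SELECT Field, PermissionsRead, PermissionsEdit,
               Parent.Label, Parent.IsOwnedByProfile, Parent.Profile.Name
        FROM FieldPermissions
        WHERE SobjectType = :objName
          AND Field IN :encryptedFields
          AND PermissionsRead = true
        ORDER BY Field]) {
    // Profile-owned permission sets represent profiles; the rest are
    // standalone permission sets assigned to users.
    String grantee = fp.Parent.IsOwnedByProfile
        ? 'Profile ' + fp.Parent.Profile.Name
        : 'Permission set ' + fp.Parent.Label;
    System.debug(fp.Field + ' readable by ' + grantee
        + (fp.PermissionsEdit ? ' (read/write)' : ' (read-only)'));
}
```

Grantees that are not on the intended visibility list are the ones to tighten in the "update profiles and permissions" step; the Spring '25 patch stops the bypass but does not change which grants exist.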