This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis →
Q1What is this vulnerability? (Essence + Consequences)
🚨 **Essence**: A critical flaw in the RBI Assistant Platform allows attackers to steal admin tokens via a GraphQL mutation.…
🏢 **Vendor**: Restaurant Brands International (RBI). 🍔 **Products**: Assistant Platform (used by Burger King, Popeyes, Tim Hortons). 📅 **Affected Versions**: All versions released **before 2025-09-06**.…
🔑 **Privileges**: Escalates from standard user to **Full Administrator**. 📂 **Data Access**: Complete access to the entire platform backend. 🚗 **Real World**: Attackers can control drive-thru systems and customer data.…
🔍 **Check**: Scan for the `createToken` GraphQL endpoint. 🧪 **Test**: Attempt to trigger the mutation with low-privilege credentials. 📡 **Indicator**: Look for unexpected admin token generation in logs.…
🛠️ **Fix**: Update to version **2025-09-06 or later**. ✅ **Official Patch**: RBI has acknowledged the issue and released a fix. 📥 **Action**: Immediate upgrade required for all Assistant Platform instances.…