PSSA-2026-001: Member name and pronoun disclosure via client-side state manipulation
Reported: 2026-04-18
Patched: 2026-04-18
Status: Fixed
Severity: Low
Reporter: Anonymous (by request)
Summary
A community member reported an edge-case vulnerability that could be used to reveal member display names and pronouns through certain UI components. A fix was patched and deployed to production on the same day the issue was reported, and was verified both locally and in production.
What was exposed
Member display names and pronouns only, one member at a time (not en masse). No other data was accessible through this issue.
Technical details
Using browser developer tools, it was possible to edit component state and force a member selection in a few components (for example member pickers and relationship selectors). The component then rendered the selected member's display name and pronouns in the UI, even when that member should not have been selectable by the current user.
The underlying issue was that the affected components trusted a selection held in client-side state, and nothing on the server checked that the requesting client was authorized to make that selection. The fix moves that authorization check to the server, so a client can no longer force a selection it isn't authorized to make, regardless of what its local state says.
Impact assessment
- Data exposed: member display name, member pronouns
- Data not exposed: any other member or system data
- Scope: one member per exploit attempt, not suitable for bulk extraction
Resolution
- Server-side validation added to the affected components
- Test coverage added for this specific class of client-side state trust issue
- Fix deployed to production on 2026-04-18
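The following is an added example that illustrates both the bug class described under Technical details and the kind of regression check added under Resolution. It is not PluralSpace code. The member records, the session tokens, the visibility rule (a member is viewable if public or if it belongs to the requester's own system), and the request/response shapes are all constructed assumptions for the illustration.

```javascript
// Added example, not PluralSpace code. Models the bug class from the advisory:
// a UI component lets the client choose a member id, and the server hands back
// that member's display name and pronouns without checking whether the requester
// is allowed to see that member. All data below is constructed for this example.

// Constructed member records. "visibility" and "systemId" are assumed fields.
const members = new Map([
  ["m1", { id: "m1", systemId: "sysA", displayName: "Ash",   pronouns: "they/them", visibility: "public"  }],
  ["m2", { id: "m2", systemId: "sysA", displayName: "Rowan", pronouns: "she/her",   visibility: "private" }],
  ["m3", { id: "m3", systemId: "sysB", displayName: "Kit",   pronouns: "he/him",    visibility: "private" }],
]);

// Constructed sessions: bearer token -> which system the user belongs to.
const sessions = new Map([
  ["tokenA", { userId: "u1", systemId: "sysA" }],
  ["tokenB", { userId: "u2", systemId: "sysB" }],
]);

// What the UI would send to the server. The memberId field is exactly the
// value a user can overwrite in component state from the devtools console.
function pick(member) {
  return { displayName: member.displayName, pronouns: member.pronouns };
}

// Vulnerable handler: authenticates the session, then trusts the client's
// memberId. The client-side picker only offered authorized members, so this
// "worked" until someone forced a different id into component state.
function getMemberVulnerable(req) {
  const session = sessions.get(req.token);
  if (!session) return { status: 401 };
  const member = members.get(req.memberId);
  if (!member) return { status: 404 };
  return { status: 200, body: pick(member) };
}

// Assumed authorization rule for the example: public members are viewable by
// any authenticated user; private members only by users in the same system.
function canView(session, member) {
  return member.visibility === "public" || member.systemId === session.systemId;
}

// Hardened handler: the server decides whether this requester may select this
// member, so a forced selection in the browser gets the same answer as a
// nonexistent one. Using 404 for both cases keeps forbidden ids from being
// enumerable by status code.
function getMemberHardened(req) {
  const session = sessions.get(req.token);
  if (!session) return { status: 401 };
  const member = members.get(req.memberId);
  if (!member || !canView(session, member)) return { status: 404 };
  return { status: 200, body: pick(member) };
}

// Reproduces the reporter's technique against a handler: a client holding
// `token` forces `forcedMemberId` into its selection state and submits it.
function simulateForcedSelection(handler, token, forcedMemberId) {
  return handler({ token, memberId: forcedMemberId });
}

// Regression check for this class of issue: for a table of (token, memberId,
// shouldBeVisible) cases, the handler must leak nothing it should not and must
// still serve legitimate selections. Returns the list of failing cases.
function regressionCheck(handler) {
  const cases = [
    { token: "tokenA", memberId: "m1", visible: true  }, // public member
    { token: "tokenA", memberId: "m2", visible: true  }, // own system, private
    { token: "tokenA", memberId: "m3", visible: false }, // other system, private
    { token: "tokenB", memberId: "m1", visible: true  }, // public member
    { token: "tokenB", memberId: "m2", visible: false }, // other system, private
  ];
  return cases.filter((c) => {
    const res = simulateForcedSelection(handler, c.token, c.memberId);
    const leaked = res.status === 200 && res.body !== undefined;
    return leaked !== c.visible;
  });
}
```

Running `regressionCheck(getMemberVulnerable)` reports the two cross-system cases as failures, while `regressionCheck(getMemberHardened)` returns an empty list; the same table can be kept as a permanent test so the check is not silently dropped from another component later.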
Credit
Thanks to the reporter, who asked to remain anonymous. If they choose to reveal themselves later, this page will be updated.
Reporting security issues
If you find a security issue in PluralSpace, please report it privately so it can be fixed before it is disclosed publicly:
- Email: [email protected]
- Discord: DM Drexel (preferred for speed)
Response time: ASAP, typically within 24 hours.