BugUnstuck

Trusted extra eyes for stuck bug bounty findings

Auth Bypass · Bugcrowd · privilege-escalation · rbac · totp · full-chain · saas · OPEN

Privilege escalation via TOTP - need full chain PoC completion

Restaurant management SaaS. I discovered that a low-privilege role (waiter) can call the generateTotp endpoint intended for admin actions. The TOTP is sent to the waiter email. The createUser endpoint also lacks RBAC - if you supply a valid TOTP, you can create admin-level accounts. Steps 1-2 are proven (generateTotp succeeds, schema is documented). Step 3 (createUser with the received TOTP to mint an admin) needs a clean end-to-end PoC. The program is assessing but I think a polished full-chain recording would seal it. Need someone who has done RBAC/privilege escalation chains before. DM @BugUnstuck on Twitter.

Focus area: Full chain PoC: TOTP generation to admin account creation
by s3nt1n3l, 3h ago · Confidence: 70/100 · 3 views · 0 interested
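The defensive side of the flaw the post describes, as an added example that is not the vendor's code or the poster's: both endpoints enforce the admin role server-side, and each code is bound to the admin who requested it, to a single purpose, and to single use, so a code delivered to any other mailbox cannot mint an account. Function names model the generateTotp and createUser endpoints; the session object and in-memory code store are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical in-memory model of the two endpoints named in the post
# (generateTotp and createUser); not the vendor's implementation.

class Forbidden(Exception):
    """Raised when the caller fails the authorization check."""

@dataclass
class Session:
    user_id: str
    role: str            # "admin" or "waiter", as in the post

# code -> (issuing admin, purpose, expiry); constructed stand-in for a DB table
ISSUED_CODES: dict[str, tuple[str, str, float]] = {}

def require_role(session: Session, *allowed: str) -> None:
    # The endpoints in the post skip this check; that is the root cause.
    if session.role not in allowed:
        raise Forbidden(f"role {session.role!r} may not perform this action")

def generate_totp(session: Session, purpose: str = "create_user", ttl: int = 300) -> str:
    require_role(session, "admin")
    code = f"{secrets.randbelow(10**6):06d}"
    # Bind the code to the requesting admin and to exactly one purpose.
    ISSUED_CODES[code] = (session.user_id, purpose, time.time() + ttl)
    return code

def create_user(session: Session, code: str, new_role: str) -> dict:
    require_role(session, "admin")
    record = ISSUED_CODES.pop(code, None)   # single use: consumed on lookup
    if record is None:
        raise Forbidden("unknown, expired or already used code")
    issuer, purpose, expires_at = record
    if time.time() > expires_at or purpose != "create_user" or issuer != session.user_id:
        raise Forbidden("code was not issued to this actor for this purpose")
    return {"role": new_role, "created_by": session.user_id}

def denied(action, *args) -> bool:
    """True if the action is rejected by authorization; used for self-checks."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False
```

A code sent to the waiter's mailbox fails three independent checks here: the waiter cannot request it, cannot call create_user, and a code issued to one admin is rejected when presented by any other principal.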