Researchers at Sand Security identified a critical session isolation flaw in Writer, an enterprise AI platform, that enabled attackers to escalate from zero access to full tenant compromise with a single action. The vulnerability, tracked as WriteOut, allowed threat actors to extract session tokens through agent preview functionality, then weaponize those credentials to access other organizations' data and systems.

The flaw stemmed from improper isolation of user sessions in Writer's preview feature. When users tested AI agents, the platform failed to properly segment session tokens between tenants. An attacker could craft a malicious prompt or interaction that caused the agent preview to leak authentication credentials. These tokens granted access to other customers' Writer instances, workspace configurations, and potentially sensitive business documents processed by the AI system.

Writer patched the vulnerability after Sand Security's responsible disclosure. The company did not publicly specify which versions were affected or whether the flaw saw active exploitation before remediation.

The WriteOut vulnerability underscores recurring risks in multi-tenant SaaS applications. Proper session isolation requires strict enforcement of tenant boundaries at multiple layers. authentication tokens must remain compartmentalized, and preview or debugging features need equal security scrutiny as production functionality. AI platforms present additional complexity because agent behavior can be difficult to predict and control.

Organizations using Writer should verify they run patched versions and audit their AI platform configurations. Sand Security's disclosure serves as a reminder that enterprise AI tools, while delivering productivity gains, require the same rigorous isolation controls as traditional SaaS applications. For teams evaluating generative AI platforms, session management and multi-tenant security should rank as critical evaluation criteria.