What's New -- February 2026 Security Hotfix

What's New -- February 2026 Security Hotfix

Release date: February 20, 2026

Historical note: this release note reflects the legacy payment/wallet implementation that existed in February 2026. Current customer billing runs through plans and subscriptions.

This patch release enforces strict backend access controls for validated P1 security findings. The system now treats JWT identity and organization claims as authoritative for the affected endpoints.

What Changed

• Call data creation now enforces token user ownership. If user_id is supplied in payload and mismatches the token user, the API returns 403.
• Chat session creation/initialization now enforces token user ownership. Mismatched payload user_id returns 403.
• Payments reads are now scoped by role:
  • superadmin: full visibility
  • manager and admin: organization-only via wallet org scope
  • employee: own-wallet payments only
  • Out-of-scope GET /payments/{id} returns 404.
• Products create/list now enforce token organization scope. Mismatched organization input/query returns 403.
• Company knowledge base reads now enforce organization authorization (superadmin override retained).
• Product persona generation now requires product ownership (non-owner requests return 403).
• Geographies/Industries now enforce strict multi-tenant containment for list/read/write/update/delete.

API Behavior Notes

• Client-supplied identity/org fields are now optional/deprecated in affected create payloads, but still accepted for compatibility.
• For protected resources, cross-tenant violations now fail fast with 403 (or 404 on payments-by-id to reduce object disclosure risk).
• Endpoint paths and response models remain unchanged.

Verification

• Dedicated P1 regression tests were added and passed for all remediated exploit paths.