A critical vulnerability dubbed "WriteOut" has been disclosed in the Writer enterprise AI platform that enabled attackers to hijack victim session tokens across organizational boundaries using a malicious agent preview link, according to a forensic analysis published on DEV.to.

The Attack Vector

The flaw exploited Writer's live preview sandbox functionality, which incorrectly forwarded authentication credentials when users interacted with specially crafted agent preview links. This meant an attacker could create a malicious link, send it to a victim within a different tenant organization, and automatically capture their session token upon preview rendering.

Scope of the Exposure

This was not a minor bugβ€”it was a complete bypass of multi-tenant isolation. Session tokens stolen through this method would grant attackers full access to the victim's account within their own organization, potentially exposing sensitive documents, team permissions, API keys, and any data stored within the platform. Enterprise teams using Writer for content workflows, brand guidelines, or collaborative editing were particularly at risk.

Root Cause Analysis

The forensic summary indicates the vulnerability stemmed from how the live preview sandbox handled authentication forwarding. When rendering agent previews, the system appears to have trusted the preview context without properly validating token scopes against tenant boundariesβ€”a fundamental architectural failure in a platform handling enterprise workloads.

Disclosure and Response

The disclosure was made through standard responsible reporting channels before publication of the technical analysis on July 9, 2026. Organizations using Writer's enterprise features should verify their platform logs for any anomalous session activity from preview link interactions during the vulnerable period.

Key Takeaways

  • Session token leakage via client-side rendering is a real threat in AI agent platforms
  • Multi-tenant SaaS architectures require rigorous scope validation at every boundary
  • Live preview features are high-risk attack surfaces that need sandboxed execution environments separate from production auth flows
  • Enterprise AI platforms handling sensitive content need defense-in-depth beyond basic authentication

The Bottom Line

This is exactly the kind of vulnerability that keeps platform security engineers up at nightβ€”simple in concept, devastating in impact, and hiding in plain sight within commonly-used features. If you're running Writer enterprise, assume compromise until proven otherwise and rotate those session tokens now.