TL;DR

Mandiant has published AuraInspector, an open source, read-only scanner that looks for access-control misconfigurations in Salesforce Aura components. The tool automates common abuse techniques and recommends fixes to help admins close exposures in Experience Cloud sites.

What happened

Mandiant released AuraInspector, an open source utility aimed at helping Salesforce administrators find and remediate access-control misconfigurations tied to the Aura UI framework used on Experience Cloud sites. The tool simulates common abuse methods attackers use against Aura components — including techniques that can expose Account records through the getItems method and ways to circumvent default record limits — then surfaces remediation guidance. Mandiant says AuraInspector performs only read-only operations and will not alter customer Salesforce instances. The company positioned the tool as a defensive resource for teams maintaining legacy Aura components, noting that the framework’s complexity often contributes to dangerous configuration mistakes. The release follows prior industry research documenting large-scale data exposure on Experience Cloud and similar Community sites when Aura access controls are misapplied.

Why it matters

  • Misconfigured Aura components can expose sensitive records on Experience Cloud sites, creating an easy target for attackers.
  • AuraInspector automates detection of practical abuse paths, reducing the manual effort required for audits.
  • A read-only, open source scanner gives teams a way to test environments without risking unintended changes.
  • Many organizations still run legacy Aura functionality, so tools focused on that surface remain relevant despite migration to newer frameworks.

Key facts

  • Tool name: AuraInspector; released by Mandiant and published as open source.
  • Primary focus: access-control issues in Salesforce Aura components used on Experience Cloud/Community sites.
  • Example abuse: when access controls are misapplied, the getItems method can be used to retrieve every record of the Account object without authorization.
  • Attackers can bypass typical request limits (e.g., 2,000-record cap) by manipulating sort orders, though this can produce duplicate records.
  • GraphQL API access is available to guest accounts by default and can be abused if object permissions are misconfigured.
  • Mandiant states AuraInspector runs read-only operations and will not modify Salesforce instances.
  • The tool automates both exploitation techniques and suggested remediation steps for defenders.
  • Despite adoption of Lightning Web Components for new projects, Aura remains widely used for legacy features.
  • Previous research from Varonis and reporting by security journalists highlighted real-world data exposures tied to Aura misconfigurations.

What to watch next

  • Whether Salesforce issues formal guidance or configuration changes in response to the tool — not confirmed in the source
  • Adoption and community contributions to AuraInspector on the public repository over time — not confirmed in the source
  • If Mandiant expands coverage to include Lightning Web Components or other Salesforce frameworks — not confirmed in the source

Quick glossary

  • Aura: A UI framework used by Salesforce to build Experience Cloud (formerly Community) pages and components; complexity in its configuration can lead to access-control errors.
  • Experience Cloud: Salesforce service for building external-facing websites and portals (formerly called Community sites) that can expose data if access controls are misconfigured.
  • GraphQL API: A query language and runtime for APIs; when exposed to guest or unauthenticated users, it can be abused unless object permissions are correctly set.
  • Lightning Web Components: A newer Salesforce UI framework used for modern site development; many organizations still retain Aura for legacy functionality.
  • Misconfiguration: An incorrect or unsafe setting in software that can weaken security controls and allow unauthorized access to data or functionality.

Reader FAQ

Is AuraInspector free to use?
Yes. Mandiant has published the tool as open source and said it is available for free.

Will AuraInspector change my Salesforce instance?
Mandiant states the tool performs only read-only operations and will not make modifications to customer Salesforce instances.

What kinds of problems does AuraInspector look for?
It targets access-control misconfigurations in Aura components, including abuse paths that expose record lists, admin panels, or data via getItems and GraphQL endpoints.

Where can I download the tool?
not confirmed in the source

Sources

  • SaaS: "Mandiant open sources tool to prevent leaky Salesforce misconfigs. AuraInspector automates the most common abuses and generates fixes for customers." Connor Jones, Tue 13 Jan 2026, 12:34 UTC. Excerpt: "Mandiant has released an…"
