Canvas and multi-tenant SaaS authorization risk: what teams missed

TL;DR: Canvas was breached because an authenticated subject could perform high-trust actions through support and content workflows, exposing usernames, email addresses, course names, enrollment data, and messages, according to EnforceAuth's analysis of Instructure's incident. The real lesson is that authentication can work perfectly while authorization still leaves a tenant-scale blast radius.

NHIMG editorial — based on content published by EnforceAuth covering the Canvas incident and multi-tenant authorization risk: The Thesis, The Claim, The Ask

Questions worth separating out

Q: What breaks when authentication is correct but authorization is weak in SaaS platforms?

A: A platform can verify identity correctly and still let the wrong subject perform high-impact actions.

Q: Why do multi-tenant SaaS apps need decision-centric authorization?

A: Because tenant safety depends on the action decision, not only on the identity proof.

Q: How do security teams know if authorization is actually working?

A: They should be able to prove, quickly, why a privileged action was allowed, who requested it, which tenant it applied to, what policy version applied, and when the grant expired.

Practitioner guidance

• Map every high-trust support path Inventory support reads, admin actions, export functions, token issuance, and content changes across your SaaS estate.
• Move privileged decisions into a central policy layer Pull the highest-risk authorization checks out of scattered application code and into a runtime policy decision point.
• Require decision logs for every privileged action Make ticket reference, tenant identity, approved purpose, grant expiry, and policy version part of the audit record for each sensitive action.

What's in the full article

EnforceAuth's full article covers the operational detail this post intentionally leaves for the source:

• A worked breakdown of the six Canvas attack steps and where each policy decision would have intervened.
• Policy-as-code examples showing how support reads, token issuance, and content changes can be evaluated at runtime.
• The discovery scanner workflow that maps where authorization logic lives across a codebase.
• A 30-day proof-of-value scope for testing one policy domain against a representative application.

👉 Read EnforceAuth's analysis of the Canvas authorization failure in multi-tenant SaaS →

Canvas and multi-tenant SaaS authorization risk: what teams missed?

Explore further

View Full Forum →  |  NHI Foundation Course →