Salesforce Industry Cloud Vulnerabilities Highlight Hidden Dangers of Low-Code Platforms


Low-code platforms like Salesforce’s Industry Cloud promise to speed up digital transformation by making it easier for organizations to build and deploy apps. With tools like OmniStudio, employees can quickly create workflows and interfaces tailored to their industry, from healthcare and finance to manufacturing and the public sector.

This convenience is driving widespread adoption. Business units no longer have to wait for overburdened IT teams to deliver solutions. They can build what they need, when they need it.

But that speed comes with a cost. As the surface area of these platforms expands, so do the opportunities for misconfiguration and misuse. Security teams often struggle to keep up, especially when they have limited visibility into what’s being built or who has access to it.

That tension between rapid innovation and secure implementation is now at the center of a growing concern: Low-code platforms may be quietly introducing serious security gaps inside enterprise environments. Recent research by AppOmni revealed multiple zero-day vulnerabilities in Salesforce’s Industry Cloud, exposing how easily those risks can go unnoticed.

Discovery of Critical Zero-Day Vulnerabilities

The vulnerabilities were found within OmniStudio, the low-code framework used to build and deploy custom workflows and applications. They allowed unauthorized access to sensitive data and functionality within Salesforce instances, even without valid user credentials. In total, AppOmni identified six separate zero-day issues. Four were classified by Salesforce as "high severity," while two were deemed "medium." The affected modules included OmniScript, Integration Procedures, and DataRaptors, all core components commonly used across multiple industries.

Salesforce moved quickly to patch the issues, releasing fixes shortly after being alerted by AppOmni. But not everything could be resolved automatically. Some of the risks stemmed from how customers had configured their environments. In those cases, organizations were responsible for taking additional steps, such as adjusting permissions or redesigning specific workflows, to close remaining gaps.

The discovery highlighted a broader issue: low-code platforms don’t just introduce security challenges for the vendor; they shift much of the security burden to customers, many of whom may not even realize they’re exposed.

Dangerous Defaults: Common Misconfiguration Issues

One of the most troubling aspects of the Salesforce vulnerabilities was how easily they could be triggered by default configurations. In many cases, the risk wasn’t due to flaws in the platform’s code, but rather in how its low-code tools were being used—or misused—by customers.

AppOmni found that key components like Integration Procedures and DataRaptors were often deployed without proper access controls. These tools are designed to move and transform data across systems, but without safeguards, they can be exploited to extract sensitive information.

Another issue was workflow and code execution. Some OmniScripts could be invoked anonymously or with elevated privileges, opening the door to unauthorized actions inside Salesforce environments.

Caching was another weak point. While designed to improve performance, misconfigured caching mechanisms sometimes served up stale or sensitive data to users who shouldn't have had access. This created the risk of unintentional data exposure across sessions or user types.

AppOmni also flagged security problems with OmniOut, a low-code app template often used for public-facing forms. In several cases, improperly secured deployments exposed API tokens in client-side code, effectively handing attackers the keys to backend systems.
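One way to check a built client-side bundle for this kind of exposure before it ships is shown below. It is an added example, not code from AppOmni, Salesforce, or the original article. The credential key names and the sample bundle are assumptions constructed for illustration; the first rule relies on the org-ID-prefixed shape of Salesforce session IDs and access tokens.

```python
import re

# Salesforce session IDs and OAuth access tokens have the shape
# "<15-char org ID starting with 00D>!<opaque token>".
SF_TOKEN = re.compile(r"00D[A-Za-z0-9]{12}![A-Za-z0-9._]{20,}")
# A quoted literal assigned to a credential-like key (key names are assumptions).
ASSIGNED = re.compile(
    r"""(?i)\b(access[_-]?token|session[_-]?id|client[_-]?secret|refresh[_-]?token)\b"""
    r"""["']?\s*[:=]\s*["']([^"']{16,})["']""")
# A token pasted directly into an Authorization header string.
BEARER = re.compile(r"(?i)bearer\s+([A-Za-z0-9._!-]{20,})")
# Template values that are not real secrets.
PLACEHOLDER = re.compile(r"(?i)your_|placeholder|changeme|\$\{|<")

RULES = (("salesforce-access-token", SF_TOKEN, 0),
         ("hardcoded-credential", ASSIGNED, 2),
         ("bearer-header", BEARER, 1))

def redact(value):
    """Keep enough to locate the secret without copying it into reports."""
    return f"{value[:4]}***({len(value)} chars)"

def scan_bundle(text):
    """Return findings sorted by position; works on minified one-line bundles."""
    found = {}
    for rule, pattern, group in RULES:
        for m in pattern.finditer(text):
            value, start = m.group(group), m.start(group)
            if start in found or PLACEHOLDER.search(value):
                continue  # already reported by a more specific rule, or a template
            line = text.count("\n", 0, start) + 1
            col = start - text.rfind("\n", 0, start)  # 1-based column
            found[start] = {"rule": rule, "line": line, "col": col,
                            "value": redact(value)}
    return [found[k] for k in sorted(found)]

# Constructed sample: no real org ID, token, or secret appears here.
SAMPLE_BUNDLE = '''\
const cfg={namespace:"demo_ns",accessToken:"00DCONSTRUCTED1!AQ4AQconstructedconstructed0001"};
fetch(url,{headers:{Authorization:"Bearer "+cfg.accessToken}});
const clientSecret = "3f9a1c7e5b2d4f60a8c1e2d3b4a59687";
const refresh_token = process.env.REFRESH_TOKEN;
const sessionId = "YOUR_SESSION_ID_GOES_HERE";
'''

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(finding)
```

Any hit in a deployed bundle means the token should be treated as disclosed and rotated, not just removed from the next build.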

Even more fundamentally, many of the vulnerabilities stemmed from how data and logic were embedded directly into components. Sensitive data hardcoded into OmniScripts or Integration Procedures could be accessed by anyone with visibility into the component, whether they were supposed to see it or not.

Finally, default permission settings posed a major risk. Some packages and workflows were accessible without proper role-based restrictions, making them visible to more users than intended. In low-code environments where components are shared and reused, that kind of permissiveness can quickly multiply the risk.

Industry-Wide Implications and Risks

Because Salesforce Industry Cloud is tailored for sectors like healthcare, financial services, and government, the vulnerabilities uncovered by AppOmni have far-reaching implications. They point to the potential exposure of real, regulated data in some of the most sensitive environments.

These repercussions go beyond reputational damage. Organizations in regulated industries face legal and financial consequences if they don’t adequately safeguard sensitive data. That includes potential violations of HIPAA, GLBA, GDPR, and other privacy and security mandates. A misconfigured workflow is a compliance failure waiting to happen.

AppOmni’s findings show how easy it is for these failures to occur. In one case, a default caching setting returned previously viewed data to a different user session, putting confidential records at risk. In another, an exposed API token in a customer-deployed OmniOut app could have been used to pull data from backend systems, no login required.

Best Practices for Mitigating Low-Code Security Risks

The good news is that many of the vulnerabilities AppOmni identified can be avoided with tighter controls and smarter defaults. But it requires a shift in how organizations approach low-code security.

“Security teams should treat their Industry Cloud org as a production-critical system that demands rigorous hardening,” said Jason Soroko, Senior Fellow at Sectigo.

To start, he advises organizations to confirm they’ve applied the two remaining customer-side patches. From there, they should conduct a thorough audit of all low-code assets—FlexCards, Data Mappers, Integration Procedures, and workflows—to verify that field-level security and sharing rules are correctly applied. Public caching should be disabled, any embedded tokens should be rotated, and access to workflow components should be tightly restricted based on user roles.

He also emphasizes the importance of maintaining continuous visibility into the environment. That includes posture monitoring to catch insecure defaults, penetration-style testing of new low-code elements before they go live, and logging any off-platform calls. Finally, least-privilege access should be enforced using granular profiles and permission sets.

Balancing Innovation and Security

Low-code platforms like Salesforce Industry Cloud are here to stay. They offer a clear path to faster development, reduced IT bottlenecks, and greater responsiveness to business needs. But as the recent vulnerabilities show, that agility can’t come at the expense of security.

Organizations need to build security into their low-code strategies from the start. That means setting guardrails, educating users, and making security reviews part of the development lifecycle. When business units are empowered to build, IT and security teams must stay in the loop not as blockers, but as partners.

As low-code adoption continues to grow, companies should consider designating security leads for these environments, creating standardized templates and permission models, and investing in tools that provide visibility into what’s being built.

Act Now: Secure What You’ve Built

For Salesforce Industry Cloud customers, this isn’t a wait-and-see moment. If your organization relies on OmniStudio components, now is the time to review your environment. Salesforce has addressed the platform-level vulnerabilities, but many of the remaining risks are in the hands of customers. Misconfigurations, exposed tokens, and overly permissive components remain exploitable until customers intervene.

Just as important is building a habit of vigilance. Low-code platforms are dynamic by nature. New features, new users, and changing business needs can quietly introduce new weaknesses. Ongoing security reviews, automated scans, and regular collaboration between business units and security teams are essential to staying ahead.

Speed and simplicity are the appeal of low-code, but without proper oversight, they become liabilities. The organizations that benefit most will be those that treat security not as a checkbox, but as a built-in part of how they innovate.

Author
  • Contributing Writer, Security Buzz
    Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.