A broken access control flaw in Companies House’s WebFiling service allowed any authenticated user to access the dashboards of any of the five million UK-registered companies, exposing director home addresses, dates of birth, and email addresses from October 2025 through March 2026. The flaw also permitted unauthorized filings — including director changes and account submissions — against any company record. No confirmed malicious exploitation has been reported, but the five-month exposure window and the sensitivity of the data create material identity fraud and corporate impersonation risk.
The Companies House vulnerability is a textbook broken access control failure (CWE-284). An authenticated user could initiate a ‘file for another company’ workflow, encounter an authentication code prompt they could not satisfy, press back, and land on the target company’s dashboard with full session context. The described behaviour is consistent with the server binding the target company to the session when the workflow starts, before the authentication code is verified, and with the dashboard trusting that session state instead of re-checking authorisation on each request. That is an authorisation-state failure rather than a classic insecure direct object reference: the object identifier was not supplied by the attacker in the request, it was already sitting in the session. The flaw was introduced during a WebFiling system update in October 2025 and persisted for approximately five months before external researcher John Hewitt (Ghost Mail) discovered it and Dan Neidle (Tax Policy Associates) escalated the report to Companies House after no initial response. The requirement for an authenticated starting session narrowed the attack surface compared to an unauthenticated flaw, but any of the platform’s registered users could exploit it with no technical skill beyond browser navigation.
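The sequence above, reduced to a toy model so the failure and its fix can be seen side by side. This is an added illustration, not Companies House code: the handler names, the register extract, the authentication codes and the session layout are all constructed for the example, since the real WebFiling internals are not public. The vulnerable handlers treat "the session is pointed at this company" as proof of authorisation; the hardened handlers grant authorisation in exactly one place (a successful code check) and re-verify it on every dashboard request.

```python
# Added illustration of the access-control failure described above, not Companies
# House code. Handler names, data and the auth-code format are constructed.

COMPANIES = {  # constructed register extract: what the dashboard exposes
    "00000001": {"name": "Alpha Ltd", "directors": [{"name": "A. Director", "dob": "1970-01", "home": "1 Example St"}]},
    "00000002": {"name": "Beta Ltd", "directors": [{"name": "B. Director", "dob": "1982-06", "home": "2 Sample Rd"}]},
}
AUTH_CODES = {"00000001": "ABCDEF", "00000002": "GHIJKL"}  # constructed per-company codes


class Forbidden(Exception):
    pass


def login(user):
    """An authenticated session that has proven nothing about any company yet."""
    return {"user": user, "target_company": None, "pending_company": None, "authorised": set()}


# --- vulnerable flow: authorisation is implied by session context ---------------

def start_filing_vuln(session, company_number):
    # Bug: the target company is bound to the session before the code is checked.
    session["target_company"] = company_number


def submit_auth_code_vuln(session, code):
    # Bug: a failed check leaves target_company in place.
    return AUTH_CODES.get(session["target_company"]) == code


def dashboard_vuln(session, company_number):
    # Bug: "the session is pointed at this company" is taken as authorisation.
    if session["target_company"] != company_number:
        raise Forbidden("no company selected")
    return COMPANIES[company_number]


# --- hardened flow: authorisation is granted in one place and re-checked --------

def start_filing_fixed(session, company_number):
    # Remember only what the user is trying to reach; grant nothing.
    session["pending_company"] = company_number


def submit_auth_code_fixed(session, code):
    company = session["pending_company"]
    session["pending_company"] = None          # success or failure, the prompt is consumed
    if company is not None and AUTH_CODES.get(company) == code:
        session["authorised"].add(company)     # the only place authorisation is granted
        return True
    return False


def dashboard_fixed(session, company_number):
    # Re-check on every request, for the company named in this request.
    if company_number not in session["authorised"]:
        raise Forbidden(f"{session['user']} is not authorised for {company_number}")
    return COMPANIES[company_number]


def back_button_sequence(start, submit, dashboard, company_number="00000002"):
    """Replay the reported sequence: start 'file for another company', fail the
    code prompt, press back and request the dashboard. Returns the exposed
    record, or None if the dashboard refused."""
    s = login("any-registered-user")
    start(s, company_number)
    submit(s, "WRONG")  # the attacker cannot satisfy the prompt
    try:
        return dashboard(s, company_number)
    except Forbidden:
        return None


if __name__ == "__main__":
    print("vulnerable:", back_button_sequence(start_filing_vuln, submit_auth_code_vuln, dashboard_vuln))
    print("hardened:  ", back_button_sequence(start_filing_fixed, submit_auth_code_fixed, dashboard_fixed))
```

The design point is the shape of the state machine, not the specific checks: the hardened flow keeps "what the user asked for" and "what the user has proven" in separate fields, consumes the pending request on any outcome, and never derives a permission from navigation history.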
The data exposed (residential addresses, dates of birth, and company email addresses of company directors) is high-value material for spear phishing, identity fraud, and business email compromise. Directors of UK companies frequently hold financial signing authority. A home address combined with a full name and date of birth is often enough to pass the knowledge-based identity checks many financial institutions rely on. The possibility of unauthorized filings adds a second impact dimension: an attacker could file false director changes to hijack corporate governance records, or submit false accounts to obscure financial activity. Companies House confirmed both data access and unauthorized filing were within the flaw’s scope, though it noted no confirmed exploitation at the time of its statement.
Placing this incident alongside the IBM API Connect critical authentication bypass (CVE-2025-13915, CVSS 9.8) and the Clop campaign against Oracle E-Business Suite (CVE-2025-61882) reveals a consistent pattern across Q4 2025 and Q1 2026: authentication and access control failures in enterprise and government web platforms are enabling large-scale data exposure without requiring malware. IBM’s flaw is more severe by CVSS score because it allows unauthenticated remote access, while the Clop/Oracle campaign demonstrates that zero-day exploitation of web-facing enterprise platforms translates directly into extortion operations. The Companies House flaw sits between these two in risk profile: it required an authenticated account, which any member of the public can register, but had no technical barrier to exploitation, and the reachable dataset spans the entire UK company registry.
A notable gap across reporting is the absence of any audit log or access telemetry disclosure from Companies House. The agency stated the exploitation vector was one record at a time, but gave no indication of whether logging was sufficient to detect systematic access during the five-month window. This matters for the ongoing ICO and NCSC investigation: ‘no reports of access or change’ is a statement about complaints received, not about what the logs show, and without reliable per-session access records the agency cannot turn it into a confident ‘no access occurred’. Security teams at any organization that uses Companies House data as a source of truth for due diligence or KYC processes should treat that data as potentially tainted for the October 2025 through March 2026 window.
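What adequate telemetry would let an operator answer that question, as an added example that is not Companies House code. The WebFiling log format is not public, so the schema below (timestamp, session id, user id, event name, company number) and every log line are constructed for the example. The detection logic is the one the vulnerability calls for: a dashboard view is suspicious when the same session never recorded a successful authentication code for that company, and a session that racks up several such views is the signature of someone walking the register one record at a time.

```python
# Added detection example over constructed log lines; the log schema is an
# assumption, not the WebFiling format.
import re
from collections import defaultdict

SAMPLE_LOG = """\
2026-02-03T09:00:01Z sess=a1 user=u100 event=filing_start company=00000001
2026-02-03T09:00:09Z sess=a1 user=u100 event=auth_code_ok company=00000001
2026-02-03T09:00:10Z sess=a1 user=u100 event=dashboard_view company=00000001
2026-02-03T10:12:00Z sess=b7 user=u200 event=filing_start company=00000002
2026-02-03T10:12:04Z sess=b7 user=u200 event=auth_code_fail company=00000002
2026-02-03T10:12:06Z sess=b7 user=u200 event=dashboard_view company=00000002
2026-02-03T10:12:30Z sess=b7 user=u200 event=filing_start company=00000003
2026-02-03T10:12:33Z sess=b7 user=u200 event=dashboard_view company=00000003
this line is deliberately malformed and must be skipped
2026-02-03T10:13:01Z sess=b7 user=u200 event=filing_start company=00000004
2026-02-03T10:13:02Z sess=b7 user=u200 event=dashboard_view company=00000004
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) company=(?P<company>\d{8})$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unauthorised_views(log_text, by="sess"):
    """Return {key: [(ts, company), ...]} for dashboard views that were not
    preceded, under the same key, by auth_code_ok for that company.
    by="sess" follows one browser session; by="user" catches an actor who
    spreads the walk across many sessions."""
    proven = defaultdict(set)   # key -> companies with a successful code check
    hits = defaultdict(list)
    for e in parse(log_text):
        key = e[by]
        if e["event"] == "auth_code_ok":
            proven[key].add(e["company"])
        elif e["event"] == "dashboard_view" and e["company"] not in proven[key]:
            hits[key].append((e["ts"], e["company"]))
    return dict(hits)


def enumeration_candidates(log_text, min_companies=3, by="sess"):
    """Keys that reached min_companies distinct dashboards without proving any
    of them: the one-record-at-a-time walk described in the reporting."""
    out = {}
    for key, views in find_unauthorised_views(log_text, by=by).items():
        companies = {company for _, company in views}
        if len(companies) >= min_companies:
            out[key] = sorted(companies)
    return out


if __name__ == "__main__":
    print(enumeration_candidates(SAMPLE_LOG))
```

The threshold is deliberately low: a legitimate agent filing for several clients will trip it too, but every one of those views should carry a preceding `auth_code_ok`, which is exactly what the logic checks. The harder problem, and the one the reporting leaves open, is whether the platform recorded `dashboard_view` and the code-check outcome at all.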
For security operations teams, the immediate concern is downstream risk rather than direct remediation. The Companies House flaw is patched. The residual risk is that exfiltrated director PII may now exist in unknown hands and fuel targeted social engineering campaigns against UK company officers. Organizations should brief leadership and board members on the exposure, particularly those with companies registered during or before the vulnerability window. Any phishing or vishing attempt that quotes accurate personal details (home address, date of birth) should be treated as potentially sourced from this exposure. The broader pattern across these three incidents reinforces that access control validation at every authentication state transition is a non-negotiable control for any platform handling regulated or sensitive records.
- Takeaway 1: The Companies House flaw (broken access control, no CVE assigned in source reporting) allowed authenticated users to reach any of five million company dashboards via a failed auth flow followed by browser back navigation; no exploit code was required. The patch is applied; the residual risk is data already exfiltrated.
- Takeaway 2: Exposed data (director home addresses, dates of birth, email addresses) meets identity verification thresholds at many financial institutions. UK company officers should be alerted to elevated spear phishing and identity fraud risk through at least Q2 2026.
- Takeaway 3: Companies House has not confirmed whether access logs are sufficient to identify malicious access during the five-month window. Organizations using Companies House data for KYC or due diligence should flag records last verified between October 2025 and March 2026 for re-validation.
- Takeaway 4: The IBM API Connect CVE-2025-13915 (CVSS 9.8) and Oracle EBS CVE-2025-61882 (Clop campaign) represent concurrent authentication and access control failures across government and enterprise platforms — teams should audit session state validation and post-auth re-verification controls across all web-facing applications.
- Takeaway 5: Unauthorized director and account filings were within scope of the Companies House flaw. Organizations registered in the UK should verify their Companies House records for any director changes or account filings made between October 2025 and March 16, 2026 that they did not authorize.
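A way to act on Takeaways 3 and 5 from the registered company's side, as an added example that is not Companies House tooling. It reads a company's filing history in the shape returned by the Companies House public API (`/company/{number}/filing-history`, basic auth with the API key as username and an empty password) and flags officer and accounts filings inside the exposure window that the company secretary cannot vouch for. The sample response, the form codes used in it, the exact window boundaries (1 October 2025 is a conservative reading of "October 2025"; 16 March 2026 comes from the takeaway above) and the `REVIEW_CATEGORIES` set are assumptions for the example; verify category values against the live response before relying on them.

```python
# Added example: review a company's filing history for the exposure window.
# Not Companies House tooling; sample data and window boundaries are constructed.
import base64
import json
import urllib.request
from datetime import date

API_BASE = "https://api.company-information.service.gov.uk"  # Companies House public API
WINDOW_START = "2025-10-01"   # assumption: reporting says only "October 2025"
WINDOW_END = "2026-03-16"     # per the takeaway above
REVIEW_CATEGORIES = {"officers", "accounts"}   # director changes and account submissions


def fetch_filing_history(company_number, api_key, items_per_page=100):
    """Live lookup (not exercised offline). Caller handles paging via start_index."""
    url = f"{API_BASE}/company/{company_number}/filing-history?items_per_page={items_per_page}"
    token = base64.b64encode(f"{api_key}:".encode()).decode()  # key as username, empty password
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def filings_to_review(filing_history, authorised, start=WINDOW_START, end=WINDOW_END):
    """Return filings dated within [start, end] whose category is under review and
    which the company did not itself authorise. `authorised` is a set of
    (ISO date, form type) pairs the finance or company-secretary team vouches for."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    flagged = []
    for item in filing_history.get("items", []):
        filed = date.fromisoformat(item["date"])
        if not (lo <= filed <= hi):
            continue
        if item.get("category") not in REVIEW_CATEGORIES:
            continue
        if (item["date"], item.get("type")) in authorised:
            continue
        flagged.append({"date": item["date"], "type": item.get("type"),
                        "description": item.get("description")})
    return flagged


# Constructed sample shaped like the API's filing-history resource.
SAMPLE_HISTORY = {"items": [
    {"date": "2025-09-20", "category": "accounts", "type": "AA",
     "description": "accounts-with-accounts-type-micro-entity"},
    {"date": "2025-11-14", "category": "officers", "type": "AP01",
     "description": "appoint-person-director-company-with-name-date"},
    {"date": "2026-01-08", "category": "confirmation-statement", "type": "CS01",
     "description": "confirmation-statement-with-no-updates"},
    {"date": "2026-02-27", "category": "officers", "type": "TM01",
     "description": "termination-director-company-with-name-termination-date"},
    {"date": "2026-03-20", "category": "officers", "type": "CH01",
     "description": "change-person-director-company-with-change-date"},
]}


if __name__ == "__main__":
    known = {("2025-11-14", "AP01")}   # the board minutes cover this appointment
    for f in filings_to_review(SAMPLE_HISTORY, authorised=known):
        print(f"REVIEW {f['date']} {f['type']}: {f['description']}")
```

Anything the function returns should be checked against board minutes and the company's own filing receipts; a filing nobody can account for is the signal to raise with Companies House, regardless of whether the agency's own telemetry ever confirms misuse.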