UK Companies House WebFiling had a broken access control flaw (CWE-639, CWE-285) that exposed dashboard data for all five million UK-registered companies between October 2025 and March 2026, with both read access to director personal data and write access to submit unauthorized filings. No CVE has been assigned; the flaw is reported as remediated. Organizations with UK-registered entities should audit all filings submitted during the exposure window, notify affected directors of potential data exposure, and treat director personal data held in WebFiling as potentially compromised. The vendor-reported CVSS of 5.0 is noted but assessed as likely underrepresenting actual impact given the scope and write-access capability of the flaw.