Joernchen reported a bug that could allow an attacker to bypass API authentication for specific users of organizations. The problem resulted from the way MySQL compares numeric values in a query against string columns. This was resolved by forcing parameters into the correct type before using them in queries, and by disabling the ways of supplying parameters that let the user specify a parameter's type. Joernchen wrote a great blog post about this type of vulnerability in general.

Thanks, joernchen, for participating in the beta test of this program.
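
To illustrate the comparison problem and the fix described in the report above, here is an added example (not code from the report or from the affected application). It uses a simplified Python model of MySQL's implicit string-to-number cast; the rows, token values and function names are constructed for illustration.

```python
import re

# Constructed sample rows; api_token stands in for a string (VARCHAR) column.
USERS = [
    {"login": "alice", "api_token": "f3a9c1d27b"},
    {"login": "bob", "api_token": "7e21aa90cd"},
]

# Leading numeric prefix, as used when a string is cast to a number.
_NUM_PREFIX = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def mysql_str_to_number(s):
    """Simplified model of MySQL's implicit cast: the leading numeric
    prefix is used; a string without one becomes 0."""
    m = _NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def mysql_equals(column_value, param):
    """Model of `string_column = param` (collation ignored)."""
    if isinstance(param, (int, float)):
        # Numeric parameter: the column value is cast to a number first.
        return mysql_str_to_number(column_value) == float(param)
    return column_value == param


def find_users_unsafe(token_param):
    """Before: the parameter keeps whatever type the request parser gave it."""
    return [u["login"] for u in USERS if mysql_equals(u["api_token"], token_param)]


def find_users_hardened(token_param):
    """After: refuse structured values, then force the scalar to a string
    so the database performs a string comparison."""
    if token_param is None or isinstance(token_param, (dict, list, bool)):
        return []
    return find_users_unsafe(str(token_param))


if __name__ == "__main__":
    print(find_users_unsafe(0))              # numeric parameter
    print(find_users_hardened(0))            # same input after coercion
    print(find_users_hardened("7e21aa90cd"))
```

In the model, a numeric parameter matches a row whose token has no numeric prefix, while the hardened lookup only ever performs string comparisons.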