CVE-2025-62645

Name of the Vulnerable Software and Affected Versions Restaurant Brands International (RBI) assistant platform versions through 2025-09-06

Description The Restaurant Brands International (RBI) assistant platform allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform. This is achieved by exploiting the createToken GraphQL mutation. An authenticated attacker, meaning someone with existing access, can leverage this mutation to gain full administrative access. There is no information available regarding the number of potentially affected devices worldwide or any real-world incidents where this issue was exploited. The vulnerability resides in the use of the createToken mutation within the GraphQL API.

Recommendations Restrict access to the createToken GraphQL mutation. Monitor for suspicious activity related to token creation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.