Facebook Leads Center Enables Page Admin Deanonymization via Assignment and Error Handling
Two Leads Center issues enable Page Admin identification through lead assignment disclosure and error‑based role inference.
The graph.meta.ai API leaks detailed internal path and file information when a malformed or invalid access token is supplied in a GET request.
The flaw allows any user to modify the verification waitlist for any business simply by knowing its Business ID.
Unauthorized ability to toggle messaging notifications for any Meta Horizon account, allowing attackers to manipulate victims’ settings remotely.
An internal review endpoint allowed access to private videos by ID, exposing CDN URLs for videos marked private.
Anyone with the preview link ID could delete/expire shared Ads Reporting previews using Graph API, impacting externally shared reports.
Authorization flaw allowed adding arbitrary creators to a brand's Paid Partnership on Instagram via GraphQL mutation.
A Page member with only 'Insight' role could create Page questions (fun fact prompts) via GraphQL, bypassing required admin/editor privileges.
Users from allowed/verified domains could join a Workplace without admin approval using invite link or activation flow.
Buyer-side GraphQL mutations allowed changing a Marketplace listing to 'Paid', deceiving sellers and disabling the 'Mark as paid' control.