The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.