Composio May 2026 Security Incident

by ComposioMay 21, 202614 min read
Composio
Version

API keys created before 11:00 PM PST, 22 May 2026 were deleted at 11:00 PM PST on 23 May. If you haven't already, create a new API key to restore service. Learn more here.

We've identified a security incident involving unauthorized access to certain internal Composio systems. We are actively investigating and have engaged external incident response experts to assist with investigation and remediation.

This is a space which we can keep updating as we find more information. For now, this bulletin has:

Updates

We are still investigating and figuring out what has been affected, as we have more findings we will share them here :

Date Update
May 21, 11:45 AM PST No updates published.
May 21, 3:50 PM PST Further clarified the list of compromised toolkits
May 21, 8:41 PM PST Clarity on internal vs external users, with additional product follow up and completed security work
May 22, 2:00 PM PST Added Indicators of Compromise (IOCs)
May 23, 5:00 AM PST Advisory on potentially leaked API Keys
May 23, 6:50 AM PST Revoking potentially compromised API Keys
May 23, 01: 19 PM PST Recommendations on revocation of customer's connected accounts
May 24, 2:51 AM PST Added a Frequently Asked Questions section and a per-toolkit revocation status
May 24, 7:21 AM PST Updated the revocation status
May 24, 12:53 PM PST Updated the revocation status (added API-key revocations); reorganized layout
May 25, 4:30 AM PST Added codebase obfuscation measures following a leaked internal GitHub token
May 25, 6:10 PM PST Proactively notified third-party providers about potentially leaked credentials keys for flagging and revocation

Who is impacted

We have identified a small percentage of users whose GitHub tokens were compromised, we are in the process of reaching out to them. As a precautionary measure, we have revoked all user GitHub tokens and contacted the affected users with recommendations for token revocation and abuse detection.

A small number of additional users were affected via specific API keys, and we have contacted them directly.

We are continuing to investigate for any further signs of compromise and will update this bulletin as we learn more.

Below is the full list of leaked connections, about 0.3% of total active connections. The attack reached beyond GitHub but stayed fairly contained across other apps. We revoked every affected connection immediately.

The list below distinguishes internal connections (Composio test accounts) from external ones.

Connector Count (0.3% of Total Connections)
GitHub 5001
Gmail 12
Strava 5 (1 internal)
Jira 2 (1 internal)
Google Drive 1 (internal only)
Google Sheets 1 (internal only)
Google Slides 1 (internal only)
HubSpot 1
Instantly 1 (internal only)
Linear 1
LinkedIn 1 (internal only)
Metabase 1 (internal only)
Notion 1
PostHog 1 (internal only)
Render 1 (internal only)
Sentry 1 (internal only)
Slack 1
Slackbot 1 (internal only)
Telegram 1 (internal only)
Vercel 1 (internal only)
Workday 1 (internal only)
Bitbucket 1 (internal only)
You.com 1 (internal only)
Microsoft Excel 1 (internal only)
Gong 1 (internal only)
Google Calendar 1

Our ongoing forensic investigation suggests that some Composio API keys may have been leaked. We do not yet know the full scope of the incident, or whether specific keys were definitively compromised. As a precaution, we are asking all customers to rotate their API keys now. We are also rolling out IP allowlisting in the dashboard and recommend that customers configure allowlisted IPs.

An auxiliary cache service the attacker likely had access to had 5,241 API keys during the breach window. These api keys have a higher potential of being compromised. As a preventative measure, we have revovked these api keys which might have caused downtime to production customers.

Updated advice is, we now recommend all customers ask their users to revoke their connected accounts tokens and api keys. We have revoked whatever tokens we can, your customers will have to reconnect. There are certain tokens and api keys we cannot revoke. We are soon adding the details to specific toolkits to revoke in recommendations section.

What we know so far

The attacker probed our systems extensively, brute-forcing many combinations of exploits using LLM generated attack patterns until they gained a foothold in an internal agentic tool used to monitor our infrastructure and report connector failures. From that initial foothold, they abused the tool to obtain elevated access to the automated remediation systems that fix errors in our connectors. They then registered malicious tool definitions inside our sandboxed execution environment, chaining each step to escalate privileges further, until they were ultimately able to execute arbitrary code within our tool-execution sandbox.

The attacker moved at exceptional speed as we tracked them across our systems, demonstrating deep knowledge of our API surface and internal architecture. Their sophistication is consistent with a highly skilled actor, likely augmented by advanced AI systems.

We have thoroughly verified that our supply chain remains safe, including our Python and TypeScript SDKs and our CLI binary. As a precaution, we have paused all new releases until our investigation is complete.

Recommendations

We are mandating Composio developer platform customers to rotate all their API keys by May, 23 at 11:00 PM PST (May 24, at 6:00 AM UTC). Your production projects will break post this, without rotate to new api keys.

We are now recommending that customers ask their users to revoke their connected account tokens and api keys. Currently we recommend deleting all connected accounts with auth scheme API_KEY

For any toolkit not in the list we've already revoked (see the revoked toolkits under Things we've done so far) — especially API_KEY connections, which we cannot revoke for you — please ask your end-users to revoke and rotate those credentials directly with the provider.

Additionally, we now recommend setting up IP whitelisting for Composio Projects at this link.

We are currently following up with affected customers with tactical recommendations. At a high level, double-check your GitHub usage from 1:05 AM PT - 9:15 AM PT on May 21.

If you are particularly concerned about a specific app, we are happy to run a revocation job for you for that app. Please reach out to us for the same.

Things we have done so far

Since detecting the attacker we have been constantly taking mitigations to curtail malicious actors. Many of these changes have been:

  • Rolled various credentials, including encryption keys
  • Taking down auxiliary environments and background services temporarily to minimize attack surface outside the core api path
  • Revocation of all confirmed leaked credentials via public revocation endpoints
  • Deleted all API keys created before 11:00 PM PST on 22 May 2026 (deletion began 11:00 PM PST on 23 May); keys created on or after 23 May are unaffected
  • As a precaution, the "Get connected account by ID" API now redacts access tokens for all accounts — even with "mask secrets" turned off
  • Obfuscated internal routes and setup various honeypot routes to trap automated attacks
  • We've finished restricting API keys to only IP addresses that have been used by the organization in the past two weeks prior to the security incident, including any API Keys created in the past two days as well. If your app does not have static IP addresses please create a new API key without any IP restrictions.
  • Spend 1-1 time with affected customers helping them manage comms and any custom things they need including custom revocation they wanted.
  • Revoked the access tokens we could across ~100 toolkits — OAuth2 connections on both Composio-managed and custom auth, plus API-key connections on the toolkits that support API-key revocation (listed below). For connections we can't revoke from our end — including most API-key connections — your end-users should revoke/rotate the credentials directly with the provider.
  • Revoked additional connections on toolkits that support API-key-based revocation — Vercel, Algolia, Elasticsearch, LaunchDarkly, Cloudflare (API key & Browser Rendering), and Buildkite (as of 9:30 AM PST, 24 May).
  • One of the leaked GitHub tokens was an internal token with access to our production codebase. As a precaution, we obfuscated our codebase to prevent the attacker from leveraging our internal code patterns to identify exploits against users. We began with our authentication systems, which was the reason for the intentional downtime on the dashboard.

Revoked toolkits (OAuth2 unless noted): GMAIL, GITHUB, GOOGLECALENDAR, GOOGLEDOCS, GOOGLESHEETS, GOOGLESLIDES, GOOGLESUPER, YOUTUBE, GOOGLEMEET, NOTION, SLACK, LINEAR, GOOGLEDRIVE, GOOGLEPHOTOS, GOOGLEMAPS, HUBSPOT, SALESFORCE, ACCELO, ADOBE_DOCUMENT_GENERATION_API, ALIBABA_CLOUD, APALEO, ATLASSIAN, AUTH0, BATTLENET, BLOGGERCOM, BOLDSIGN, BRAINTREE, BREX, BREX_STAGING, CANVAS, CAPSULE_CRM, CISCO_MERAKI, CM_360, CONFLUENCE, DATADOG, DAYTONA, DIALPAD, DIGITAL_OCEAN, EPIC_GAMES, FACEBOOK, FAIRE, FITBIT, FOLLOW_UP_BOSS, FRAPPE, FRESHBOOKS, GOOGLE_ADMIN, GOOGLE_CHAT, GOOGLE_SEARCH_CONSOLE, GOOGLEBIGQUERY, GOOGLECONTACTS, GOOGLEFORMS, GORGIAS, GUSTO, INSTAGRAM, INTERCOM, JIRA, KIT, LINKEDIN_ADS, METAADS, NANO_BANANA_GEMINI, NETSUITE, PIPEDRIVE, PRODUCTBOARD, RAMP, REDDIT_ADS, SPOTIFY, SQUARE, STACK_EXCHANGE, TIKTOK, TIMELY, WEBFLOW, WHATSAPP, ZENDESK, ZOHO, ZOHO_BIGIN, ZOHO_BOOKS, ZOHO_CLIQ, ZOHO_DESK, ZOHO_INVENTORY, ZOHO_INVOICE, ZOHO_MAIL, ZOOMINFO, OUTLOOK, MSFT_TEAMS, ONE_DRIVE, ONE_NOTE, EXCEL, RING_CENTRAL, SAGE, SALESFORCE_SERVICE_CLOUD, SUPABASE, TWITCH, WAKATIME, WHOOP, WHOP, WIZ, WORKABLE. Via API-key revocation: VERCEL, ALGOLIA, ELASTICSEARCH, LAUNCH_DARKLY, CLOUDFLARE_API_KEY, CLOUDFLARE_BROWSER_RENDERING, BUILDKITE.

As an additional precaution, we've proactively reached out to over 50 third-party providers, including Datadog, Notion, HubSpot, Shopify, Ashby, Postman, Fireflies, OpenAI, ElevenLabs, Perplexity, Cloudinary, and Rocketlane, so they can flag and revoke potentially exposed credentials on their end. We're doing this to make sure potentially affected credentials can be rotated even when we have no direct channel to the end users who own them. Those providers are now in the process of reviewing and revoking on their side and may reach out to users prior to revoking.

Product Updates

Over the next week, expect various product related changed to harden our security posture.

  • Moving towards a Zero Trust Proxy KMS solution where customers can self custody their encryption keys
  • Moving forwards making api-key visible only at creation time and not making them readable after
  • Allowing for IP whitelist blocks from customers to restrict access to specific inbound IPs

Indicators of Compromise (IOCs)

During our investigation we identified the following IP addresses associated with attacker activity. We are publishing them so customers can search their own logs for the affected windows and identify any connected accounts or downstream systems that may warrant additional review.

20.45.50.174
31.222.254.190
31.222.254.194
31.222.254.248
45.13.235.133
45.13.235.187
86.48.9.13
185.81.124.66
185.81.124.142
185.81.124.143
185.81.124.145
185.81.124.146
185.81.124.149
185.81.124.151
185.81.124.152
185.81.124.166
185.81.124.222
185.81.124.233
185.81.126.168
185.81.126.169
185.81.126.235
185.81.127.96
217.216.123.44
217.216.123.67

We will continue to update this page as our investigation progresses and new information becomes available.

Notice of Threat Vector

Internally we found the attacker was able to compromise auxiliary systems using magic link sign-in by compromising Gmail OAuth token of certain Composio employees. This threat vector was abused from our staging system and while we have taken remediation steps of revoking Gmail tokens, we believe this threat vector could be open upstream and would recommend security and forensics teams to verify that such a breach has not occurred during the breach window.

Additionally we would recommend disabling magic-link sign-ins for any auxiliary systems.

Frequently asked questions

Which toolkits / connections were affected? See the table above and revoked toolkits. GitHub was by far the largest (5,001 connections); a handful of Gmail and 1–2 each across other apps — about 0.3% of active connections, many of them internal test accounts. We revoked every affected connection. Beyond this, the impact is not known.

What was compromised — were my users' emails, chat messages, or project data leaked? Our investigation with external experts is ongoing, so we're not characterizing specific data exposure at this time. We're recommending the same precautionary steps to all customers (see Recommendations), and will contact you directly if we find anything specific to your account.

What should I do to secure my connections? We're handling bulk revocation of OAuth connections (managed and custom auth) — monitor progress in revoked toolkits and check your connections with the Get connected account API. On your side: (1) rotate your Composio API keys; (2) for API_KEY connections and any toolkit not in our list — which we can't revoke for you — have your end-users revoke/rotate them directly with the provider. To force-revoke a specific connection immediately, use the revoke endpoint.

Was my account affected, and how do I check? If a connection of yours was affected, we've contacted you directly. You can also cross-reference the affected-connector table and check your provider audit logs for the attacker IPs. Even if you weren't directly affected, take the precautionary steps in Recommendations.

Will you tell me if you find something specific to my account? Yes — our investigation is ongoing; we'll post updates here and contact affected customers directly.

Which of my API keys were affected, and what happened to old keys? All API keys created before 11:00 PM PST, 22 May 2026 were deleted (starting 11:00 PM PST, 23 May). Keys created on or after 23 May are unaffected — if you haven't already, create a new one.

Why might I get a precautionary notification even after an earlier all-clear? Our understanding evolves as we investigate; where we have any reason for caution we reach out, so notifications may be updated. These steps are precautionary.

If I delete an integration, is the token actually invalidated? Not necessarily — deleting a connection in Composio doesn't guarantee the token is dead at the provider. Revoke via the revoke endpoint (which calls the provider's revocation), and for API keys rotate at the provider. Rotate, don't just delete.

Why are my access tokens redacted even with "mask secrets" off? Intentional, not a bug. Following this incident, the Get connected account by ID API now redacts access tokens for all accounts, regardless of your "mask secrets" setting.

I see a "composio-service-key" being created repeatedly — is it malicious? No — it's a known bug, not attacker activity. It's safe to delete.

Why am I getting a 403 / “forbidden” / authorization error with a valid key? The most common cause is IP allowlisting. As part of our incident response we automatically restricted existing API keys to the IP addresses your organization had used in the two weeks before the incident (see “Things we've done so far” above). So a request from an IP outside that set is rejected with a 403 even though the key itself is valid — this typically happens when you're on a VPN, or your network's egress IP changed or isn't static. Fix: add your current IP to the key's allowlist, or — if your app doesn't have static IPs — create a new API key with no IP restrictions. If your allowlist is already unrestricted and you still see 403s, reach out with the request details.

Are there connections Composio can't revoke? Yes — under 5%, across both default and custom auth. Some tokens can't be revoked via standard provider APIs; for example, Google returns "token is not revocable" for Workspace admin-consented apps or deleted/disabled OAuth clients (the token still validates, but /revoke refuses). Revoke these on the provider side (e.g. remove the app in your Workspace admin console). Check status anytime via your dashboard or the Get connected account API.

Should I reconnect my apps now? The reconnect flow works (re-authorize with the same connected account).

I build on Composio and manage many end-customers — how should I handle this? Our revocation covers Composio-managed and custom auth. For apps we haven't revoked (see revoked toolkits) — especially API_KEY connections, which we can't revoke for you — have your end-users revoke/rotate. Track state via the Get connected account API, and re-authorize (same connected account).

How can I reduce risk going forward? Enable IP allowlisting, rotate credentials regularly, and watch this page for the self-custody encryption keys (Zero-Trust KMS) and create-time-only API keys noted under Product Updates.

C
AuthorComposio

Share