WB-E-1 — Cross-tenant data access by manipulating X-Tenant-ID header
Component: Wallet Backend. Mitigations: JWT `tenant_id` is authoritative; header ignored when JWT present. Action: None required.
| Property | Value |
|---|---|
| Section | Elevation of Privilege |
| Owner | platform |
Mapped Controls
| Control | Title |
|---|---|
| SID-ACCESS-01 | Multi-Tenant Isolation |
Source: STRIDE analysis (April 2026), architecture/stride-threat-model.md
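
A sketch of the mitigation as a tenant resolver, added here as an illustration and not taken from the Wallet Backend code: the verified JWT `tenant_id` claim wins, `X-Tenant-ID` is never consulted when a token is present (a token that fails verification is rejected rather than downgraded to the header), and a header that disagrees with the claim is surfaced as a flag worth logging. HS256, the key, the function names and the header fallback for token-less requests are assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key (assumption)

def _dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key=SECRET):
    """Build a constructed HS256 token for sample requests."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_enc(sig)}"

def verify_token(token, key=SECRET):
    """Return the claims of a validly signed HS256 token, else raise."""
    try:
        head, body, sig = token.split(".")
        header, given = json.loads(_dec(head)), _dec(sig)
    except ValueError as exc:  # bad base64, bad JSON, wrong segment count
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise PermissionError("bad signature")
    return json.loads(_dec(body))  # expiry/audience checks omitted here

def resolve_tenant(headers, key=SECRET):
    """Return (tenant_id, source, header_mismatch) for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    claimed = h.get("x-tenant-id")
    auth = h.get("authorization", "")
    if auth:
        # A token is present: it must verify; the header is never a fallback.
        if not auth.startswith("Bearer "):
            raise PermissionError("unsupported auth scheme")
        tenant = verify_token(auth[len("Bearer "):], key).get("tenant_id")
        if not tenant:
            raise PermissionError("token has no tenant_id")
        # A differing header is ignored for routing but flagged for logging.
        return tenant, "jwt", claimed is not None and claimed != tenant
    # Assumption: the header is only consulted on requests without a JWT.
    return claimed, "header", False
```
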