A critical vulnerability has been found in a web application of Companies House, the government agency responsible for maintaining the public register of companies in the United Kingdom.
According to Tax Policy Associates, the security hole was discovered by John Hewitt of Ghost Mail on March 12, but it existed for several months before a patch was rolled out.
Hewitt found that any logged-in user could access other companies’ accounts on the Companies House platform. The attacker could have gained access to the non-public information of five million registered firms, including directors’ dates of birth, home addresses and email addresses.
In addition, an attacker could have changed a company’s details and could have submitted unauthorized filings.
While the vulnerability could only be exploited by an authenticated attacker, conducting an attack would have been easy and required no technical skills.
An attacker only needed to select the ‘file for another company’ option, enter the unique number associated with the targeted company and, when prompted for an authentication code, press the back button a few times. The attacker would then automatically be logged in to the targeted company’s account.
In a statement issued on Monday, Companies House confirmed the security hole, saying it affected its WebFiling service. The flaw was introduced in October 2025 and it was addressed over the weekend after the service was shut down on Friday.
“This was not accessible to the general public. Only users with an authorised code and logged in to the service could have performed this action,” the organization said.
Companies House clarified that the vulnerability did not expose passwords and information collected during the identity verification process (such as passports). In addition, an attacker could not have made changes to existing filed documents.
“We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user,” the agency clarified.
Companies House also noted that while it’s not aware of any instances of data being accessed or changed through the exploitation of this vulnerability, companies should verify their details and filing history and report any concerns.
Related: UK Government Unveils New Cyber Action Plan
Related: UK Government Acknowledges It Is Investigating Cyber Incident After Media Reports
Related: Reddit Hit With $20 Million UK Data Privacy Fine Over Child Safety Failings
