Showing results for 
Show  only  | Search instead for 
Did you mean: 

Eportfolios from an account can be viewed in unrelated accounts

Eportfolios from an account can be viewed in unrelated accounts

Canvas white logo

This behavior has been resolved and deployed to the production environment as of 5/3/22.




  • Public eportfolio can be viewed on any Canvas domain/under any instance's branding as long as the the sharded eportfolio ID is used.

  • This allows bad actors to pass off malicious content as being from specific Canvas customer accounts, which makes brand sensitive admins concerned.

Expected Behavior


Don’t allow eportfolios to be viewed from unrelated accounts (redirect if accounts are in a trust/consortium)


Disable eportfolios across all instances or monitor all user activity.

Steps to Reproduce


  1. Create an eportfolio in any account
  2. Obtain the portion of the URL to the eportfolio with the shard id (e.g. eportfolios/9758~3916)
  3. Add that portion of the URL to any Canvas instance domain and see the eportfolio appears to originate from that instance.

Additional Info


Known issues indicate notable behaviors that has been escalated to the Canvas engineering team. Known issues are not a guarantee for an immediate resolution. This document is for informational purposes only and does not replace the Support process. If you are encountering the behavior outlined in this document, please ensure you have submitted a Support case (per your institution's escalation process) so Canvas Support can adequately gauge the overall customer impact and prioritize appropriately.

Labels (1)