OData Injection Risk in Low-Code/No-Code Environments
As the adoption of LCNC grows, so will the complexity of the threats organizations face.
Low-code platforms can speed software delivery but may introduce security risks through misconfigured workflows, exposed data, and weak access controls.
Search across headline titles and summaries.
Background for this topic.
Low-code platforms let developers build applications largely through visual workflows, data models, and prebuilt components, with limited hand-written code. They are used for internal tools, business processes, and customer-facing services; “no-code” platforms are the more restrictive version. Security depends not only on the generated application but also on the platform, its connectors, and the configuration chosen by its users.
Material risks include excessive permissions, insecure API connections, exposed credentials, and unintended access to sensitive data when workflows or sharing settings are misconfigured. Abstracted logic can also make it harder to review authorization, input validation, and third-party components. Security teams should inventory low-code applications, assess platform and connector vulnerabilities, enforce least-privilege identities and secret management, review configurations and generated code where possible, and retain audit logs for investigation. Vendor update practices, data residency, deletion, and export capabilities also affect vulnerability management, privacy, and compliance.
As the adoption of LCNC grows, so will the complexity of the threats organizations face.