A critical SOQL injection vulnerability was discovered in Salesforce's default Aura controller, potentially exposing millions of user records across thousands of deployments.