H3-2026-0034
Exposed API Key in Web Response
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.0 |
Description
An API key was returned to an unauthenticated client in a publicly accessible response. Common root causes include shipping the key inside a client-side bundle, where anyone who loads the page can read it, or exposing it accidentally through a configuration endpoint or a verbose error page. Client-side code cannot keep a secret: any key that reaches the browser must be treated as public.
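As an added illustration, not code from this finding or from the scanner that produced it, the following Python checks a response body for key-shaped secrets in the places named above: a JavaScript bundle, a configuration endpoint and an error page. It combines two detections, known vendor prefixes and a fallback for high-entropy values assigned to key-like names. The sample responses, the prefix list and the 4.0-bit entropy threshold are constructed assumptions for the example.

```python
"""Scan HTTP response bodies for API-key-shaped secrets (added example)."""
import math
import re
from dataclasses import dataclass

# Prefix patterns for key formats that are recognisable on sight. Two are
# shown as examples (AWS access key IDs and sk_live_-style secret keys); a real
# deployment extends this for the providers it actually uses.
KNOWN_PREFIX_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sk_live_secret_key": re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b"),
}

# Fallback: a key-like name assigned a long token. Matches JSON ("apiKey":"x"),
# JS object literals (apiKey:"x") and key=value config lines.
ASSIGNMENT_PATTERN = re.compile(
    r"""(?i)(api[_-]?key|apikey|secret|token)['"]?\s*[:=]\s*['"]?([A-Za-z0-9_\-]{20,})"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base62 text scores near 5.9; placeholders near 0."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    offset: int  # character offset of the value inside the body


def scan_response(body: str, entropy_threshold: float = 4.0) -> list[Finding]:
    """Return every key-shaped value found in body, ordered by position."""
    findings: list[Finding] = []
    seen: set[str] = set()
    # Pass 1: exact vendor formats, flagged regardless of surrounding context.
    for kind, pat in KNOWN_PREFIX_PATTERNS.items():
        for m in pat.finditer(body):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                findings.append(Finding(kind, m.group(0), m.start()))
    # Pass 2: key-like assignments whose value looks random. The entropy check
    # suppresses placeholders such as "AAAAAAAA..." that match the shape only.
    for m in ASSIGNMENT_PATTERN.finditer(body):
        value = m.group(2)
        if value in seen:
            continue
        if shannon_entropy(value) >= entropy_threshold:
            seen.add(value)
            findings.append(
                Finding("high_entropy_" + m.group(1).lower(), value, m.start(2))
            )
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample responses (not captured from any real system).
SAMPLE_JS_BUNDLE = (
    'const config={apiBase:"https://api.example.com",'
    'apiKey:"q7Lm2ZpX9vRt4KwN8bJc1YsD"};window.__cfg=config;'
)
SAMPLE_ERROR_PAGE = (
    "<pre>ConfigError: upstream rejected key AKIAIOSFODNN7EXAMPLE (403)</pre>"
)
SAMPLE_CLEAN = '{"api_key":"AAAAAAAAAAAAAAAAAAAAAAAA","env":"prod"}'

if __name__ == "__main__":
    for name, body in [("bundle", SAMPLE_JS_BUNDLE),
                       ("error", SAMPLE_ERROR_PAGE),
                       ("clean", SAMPLE_CLEAN)]:
        for f in scan_response(body):
            print(f"{name}: {f.kind} at offset {f.offset}: {f.value}")
```

The entropy threshold is a tuning knob: lowering it toward 3.5 catches shorter or less random keys at the cost of more false positives from identifiers and hashes, so in practice the prefix list carries most of the precision and the entropy pass is the safety net for formats the list does not know.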
Impact
An attacker who reads the response can replay the exposed key directly against the API it authorizes, with no authentication or prior access required: the key alone is the credential. The attacker then gains whatever the key is permitted to do, at the scope associated with it, from any network location. Once a key has appeared in a public response it must be treated as compromised; limiting its scope or revoking and rotating it is the only reliable way to close the exposure.