
H3-2026-0048

Authenticated Endpoint Accessible Without Authentication

Category VULNERABILITY
Base Score 5.0

Description

A web application returned content from an endpoint that otherwise requires authentication to an unauthenticated client. When the authentication material (such as a session cookie, bearer token or API key) was removed from a previously authenticated request and the request was replayed, the server returned the same protected content. This indicates that the endpoint does not enforce access control on the server side; any check that exists is performed only by the client or by a layer the request can bypass.

Impact

An attacker can reach protected functionality or data without valid credentials, bypassing the application's authentication and authorization controls.
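The following is an added example, not code from the advisory or from the affected application. It models the replay check the description refers to against two constructed in-process handlers for a hypothetical `/account` endpoint: one that omits the server-side check (the condition this finding describes) and one that enforces it. The paths, token store and header names are assumptions chosen for illustration.

```python
# Added example (not part of the advisory): an in-process model of the finding.
# Both handlers take (path, headers) and return (status, body), mimicking an
# HTTP endpoint without needing a network.

VALID_TOKENS = {"tok-123"}                 # constructed credential store
PROTECTED = {"/account": "balance: 42"}    # constructed protected content

def handler_vulnerable(path, headers):
    # The access-control check is missing: protected content is returned
    # no matter what credential (if any) the request carries.
    if path in PROTECTED:
        return 200, PROTECTED[path]
    return 404, ""

def handler_hardened(path, headers):
    # Server-side enforcement: every request to a protected path must carry
    # a credential that the server itself validates before content is served.
    if path in PROTECTED:
        token = headers.get("Authorization", "")
        if token.startswith("Bearer "):
            token = token[len("Bearer "):].strip()
        if token not in VALID_TOKENS:
            return 401, ""
        return 200, PROTECTED[path]
    return 404, ""

# Header names that carry authentication material in this model (assumption).
AUTH_HEADERS = {"Authorization", "Cookie", "X-Api-Key"}

def replay_without_auth(handler, path, headers):
    """Run the advisory's check: replay an authenticated request with all
    authentication headers stripped. Returns True if the endpoint is
    affected, i.e. the unauthenticated replay receives the same content."""
    status_auth, body_auth = handler(path, headers)
    if status_auth != 200:
        return False  # the authenticated request itself failed; nothing to compare
    stripped = {k: v for k, v in headers.items() if k not in AUTH_HEADERS}
    status_anon, body_anon = handler(path, stripped)
    return status_anon == 200 and body_anon == body_auth

if __name__ == "__main__":
    req = {"Authorization": "Bearer tok-123", "Accept": "application/json"}
    print("vulnerable handler affected:", replay_without_auth(handler_vulnerable, "/account", req))
    print("hardened handler affected:  ", replay_without_auth(handler_hardened, "/account", req))
```

Comparing the full response body, not just the status code, matters: an endpoint that answers 200 with an error page to anonymous clients is not affected, while one that answers 200 with identical protected content is.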

References