Skip to content

H3-2026-0051

Swagger API Specification Exposed to Unauthenticated Users

Category SECURITY_MISCONFIGURATION
Base Score 0.0

Description

A web server returned a Swagger API specification to an unauthenticated client in a publicly accessible response.

Impact

An attacker can read the Swagger specification to enumerate the application's API surface: every route, HTTP method, parameter, and data model. This accelerates reconnaissance and gives an attacker a precise map for targeting other weaknesses, although it does not constitute an exploitable weakness by itself.

References