H3-2026-0051¶
Swagger API Specification Exposed to Unauthenticated Users
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 0.0 |
Description¶
A web server returned a Swagger API specification to an unauthenticated client in a publicly accessible response.
Impact¶
An attacker can read the Swagger specification to enumerate the application's API surface: every route, HTTP method, parameter, and data model. This accelerates reconnaissance and gives an attacker a precise map for targeting other weaknesses, although it does not constitute an exploitable weakness by itself.