Severity: Critical | CWE-306 (Missing Authentication for Critical Function) | Category: Authentication

Admin Route Without Authentication

Description

Admin or management routes are served without any authentication check, so anyone who knows or guesses the URL can reach privileged functionality. An unlisted path is not a control: crawlers, wordlists and leaked links find it.

How Vezraa Detects It

We crawl your app for common admin paths (/admin, /dashboard, /api/admin) and request each one with no session cookie and no Authorization header. A route that answers with application data or an admin page, rather than a login redirect or a 401/403, is flagged.
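To make that check concrete, here is an added example of the classification logic such an unauthenticated probe applies. It is illustrative code, not Vezraa's scanner: the path list, the `fetchImpl` hook (so the probe can run offline against a fake fetch), the login-form heuristic and the constructed sample responses are all assumptions.

```javascript
// Added example: unauthenticated probe of common admin paths.
// Assumed, not Vezraa's scanner: the path list, the fetchImpl hook and the
// heuristics below.
const ADMIN_PATHS = ['/admin', '/dashboard', '/api/admin'];

// Classify one response to a request sent with no credentials.
// 401/403, a redirect (typically to /login) or a rendered login form mean the
// route is guarded; a 200 with a real body means it is not.
function classifyResponse(path, status, location, body) {
  if (status === 401 || status === 403) {
    return { path, guarded: true, reason: `HTTP ${status}` };
  }
  if (status >= 300 && status < 400) {
    return { path, guarded: true, reason: `redirect to ${location || 'unknown'}` };
  }
  if (status === 404) {
    return { path, guarded: true, reason: 'not found' };
  }
  // Soft guard: a 200 whose body is just the login form.
  if (status === 200 && /<form[^>]*(login|password)/i.test(body)) {
    return { path, guarded: true, reason: 'login form rendered' };
  }
  if (status === 200 && body.length > 0) {
    return { path, guarded: false, reason: 'served content without credentials' };
  }
  return { path, guarded: true, reason: `HTTP ${status}, no body` };
}

// Probe every candidate path with no cookies or Authorization header.
// fetchImpl has the shape of the global fetch: (url, init) => Promise<Response>.
async function probeAdminPaths(baseUrl, fetchImpl, paths = ADMIN_PATHS) {
  const findings = [];
  for (const path of paths) {
    const res = await fetchImpl(new URL(path, baseUrl).toString(), {
      redirect: 'manual', // observe the 302 instead of following it to /login
      headers: { Accept: 'text/html, application/json' },
    });
    const body = await res.text();
    findings.push(classifyResponse(path, res.status, res.headers.get('location'), body));
  }
  return findings;
}

// Constructed sample responses standing in for a real target (assumption).
function fakeFetch(url) {
  const path = new URL(url).pathname;
  const table = {
    '/admin': { status: 302, location: '/login', body: '' },
    '/dashboard': { status: 200, location: null, body: '<form action="/login"><input type="password"></form>' },
    '/api/admin': { status: 200, location: null, body: '{"users":[{"id":1,"email":"a@example.com"}]}' },
  };
  const r = table[path] || { status: 404, location: null, body: '' };
  return Promise.resolve({
    status: r.status,
    headers: { get: (name) => (name.toLowerCase() === 'location' ? r.location : null) },
    text: () => Promise.resolve(r.body),
  });
}

// Stand-alone run: only /api/admin is reported as unguarded.
probeAdminPaths('http://target.example', fakeFetch).then((findings) => {
  for (const f of findings) console.log(f.guarded ? 'ok  ' : 'VULN', f.path, '-', f.reason);
});
```

The `redirect: 'manual'` option matters: if the client follows the 302 it lands on a 200 login page and a naive "status 200" check would count the route as both reachable and guarded at once. Checking for a login form in the body catches apps that render the form in place instead of redirecting.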

Real-World Impact

Anyone on the internet can reach admin panels, user-management screens and configuration pages. If those pages allow password resets, role changes or data export, full takeover of every user account follows, with no credential needed beyond the URL.

Fix Example

// middleware.js at the project root; runs before any /admin route is served
import { NextResponse } from 'next/server';
export function middleware(request) {
  if (request.nextUrl.pathname.startsWith('/admin')) {
    const token = request.cookies.get('session')?.value;
    // A cookie being present only proves a cookie was sent. Validate it
    // (signature, expiry) and check the admin role before serving the route.
    if (!token) {
      // Middleware redirects require an absolute URL
      return NextResponse.redirect(new URL('/login', request.url));
    }
  }
  return NextResponse.next();
}

Affected Stacks

Next.js, React, Vue, Express, all frameworks

Scan your app in 25 seconds — no install, no code access required.
