Severity: CRITICAL | CWE-306 | Category: Authentication
Admin Route Without Authentication
Description
Admin or management routes are accessible without any authentication check, allowing anyone to access privileged functionality.
How Vezraa Detects It
We crawl your app for common admin paths (/admin, /dashboard, /api/admin) and test whether they return data without any authentication.
Real-World Impact
Anyone on the internet can access admin panels, user management, and sensitive configuration pages. Full account takeover of all users is possible.
Fix Example
// Middleware check (Next.js middleware.js at the project root)
import { NextResponse } from 'next/server';

export function middleware(request) {
  if (request.nextUrl.pathname.startsWith('/admin')) {
    const token = request.cookies.get('session');
    // NextResponse.redirect needs an absolute URL, so resolve against the request URL.
    // Presence of the cookie is only the first gate; validate the session server-side before trusting it.
    if (!token) return NextResponse.redirect(new URL('/login', request.url));
  }
  return NextResponse.next();
}

Affected Stacks
Next.js, React, Vue, Express, all frameworks
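Building on the fix example above, here is an added, framework-agnostic guard (not Vezraa's or any framework's own code) that covers all three admin prefixes the scanner probes, fails closed when the session cookie is missing or unknown, and also checks the session's role. The in-memory session store, the cookie format and the Express-style req/res/next shape are assumptions for the sake of a runnable example.

```javascript
// Added example: deny-by-default guard for admin routes.
const ADMIN_PREFIXES = ['/admin', '/dashboard', '/api/admin'];

// Constructed in-memory session store standing in for a real server-side one (assumption).
const SESSIONS = new Map([
  ['s-user', { userId: 7, role: 'user' }],
  ['s-admin', { userId: 1, role: 'admin' }],
]);

// Prefix match on the framework-normalized path. Over-matching (e.g. /admin-help)
// only denies more, which is the safe direction for a guard like this.
function isAdminPath(pathname) {
  return ADMIN_PREFIXES.some((p) => pathname.startsWith(p));
}

// Minimal "k=v; k2=v2" Cookie header parser (assumption: no quoted values).
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Pure decision function: 'allow' | 'login' (no valid session) | 'forbid' (wrong role).
// Unlike a bare "cookie exists" check, the token is looked up server-side.
function authorizeRequest(pathname, cookieHeader, sessions = SESSIONS) {
  if (!isAdminPath(pathname)) return { action: 'allow' };
  const token = parseCookies(cookieHeader).session;
  const session = token ? sessions.get(token) : undefined;
  if (!session) return { action: 'login' };
  if (session.role !== 'admin') return { action: 'forbid', userId: session.userId };
  return { action: 'allow', userId: session.userId };
}

// Express-style middleware built on the decision function (req/res/next shape assumed).
function adminGuard(req, res, next) {
  const d = authorizeRequest(req.path, req.headers.cookie);
  if (d.action === 'login') return res.redirect(302, '/login');
  if (d.action === 'forbid') return res.status(403).json({ error: 'forbidden' });
  if (d.userId !== undefined) req.user = { id: d.userId };
  return next();
}
```

Mount `adminGuard` before every admin router (`app.use(adminGuard)` in Express) so the check cannot be forgotten on an individual route.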