Authentication Bypass
| Scan ID | generic.accept_unauthenticated_operation |
|---|---|
| Severity | High |
| CVSS 4.0 | 9.3 — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| OWASP Category | OWASP API2:2023 Broken Authentication |
The “Authentication Bypass” vulnerability occurs when an endpoint that is expected to require authentication returns a success response (2xx) when the request contains no credentials at all. VulnAPI detects this by sending a request to the endpoint without any Authorization header, cookies, or other credentials and checking if the response indicates success rather than returning a 401 Unauthorized or 403 Forbidden.
Example
Section titled “Example”Normal authenticated request (should succeed):
GET /api/users/profile HTTP/1.1Authorization: Bearer eyJhbGciOiJSUzI1NiI...
HTTP/1.1 200 OKUnauthenticated request (should be rejected — but is vulnerable if it returns 200):
GET /api/users/profile HTTP/1.1
HTTP/1.1 200 OK ← vulnerable!How to test?
Section titled “How to test?”vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans generic.accept_unauthenticated_operationecho "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans generic.accept_unauthenticated_operationvulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans generic.accept_unauthenticated_operation [url]VulnAPI supports scanning against various types of other vulnerabilities as well.
What is the impact?
Section titled “What is the impact?”If an attacker can access a protected endpoint without any credentials, they can:
- Access sensitive data: read user profiles, financial records, private messages, or any other data the endpoint returns
- Perform privileged operations: create, modify, or delete resources without being logged in
- Bypass the entire authentication layer: any security controls that depend on authentication become ineffective
- Enumerate users or data: scrape all data from the API without needing an account
CVSS 9.3 reflects that this is network-exploitable with no prior authentication required and provides full read/write access.
How to remediate?
Section titled “How to remediate?”-
Enforce authentication at every protected endpoint: every route that serves or modifies user data must validate credentials before processing the request.
-
Return 401 for unauthenticated requests: always return
401 Unauthorized(not200,404, or500) when no valid credentials are provided. A403 Forbiddenis appropriate when the user is authenticated but lacks the required permissions. -
Apply authentication middleware globally: use a gateway-level or framework-level middleware that intercepts all requests and enforces authentication, rather than adding auth checks endpoint by endpoint.
-
Test unauthenticated access for every new endpoint: add an automated test that verifies each protected endpoint returns 401 when no credentials are provided.
# FastAPI example — require authentication globallyfrom fastapi import Depends, HTTPException, Securityfrom fastapi.security import HTTPBearer
security = HTTPBearer()
@app.get("/api/users/profile")async def get_profile(credentials = Security(security)): # credentials.credentials is the Bearer token user = verify_token(credentials.credentials) return user