Pentest Finding 3.3.3 — Low (CVSS 2.0)
User Enumeration
Location: POST /api/auth/email/request
- Unregistered email →
"If your email is registered, you'll receive a code shortly"
- Registered email →
"Verification code sent to your email" with expires_in_seconds
- Response difference confirms whether email exists in the system
Agent Enumeration
Location: 30+ endpoints including GET /api/agents/{name}, /logs, /schedules, /playbooks, /info, /activities, /capabilities, /executions, /git/*, /public-links, /tags, /notifications, /monitoring
- Non-existent agent →
404 "Agent not found"
- Existing but inaccessible agent →
403 "Access denied to agent"
- Response difference confirms agent existence
Remediation
- Email: Return the same generic message regardless of email existence (e.g., "Further instructions have been sent to your email address")
- Agent: Return
403 "Access denied" for both non-existent and inaccessible agents (don't distinguish 404 vs 403)
References
Source: UnderDefense Web Pentest Report, March 2026
Pentest Finding 3.3.3 — Low (CVSS 2.0)
User Enumeration
Location:
POST /api/auth/email/request"If your email is registered, you'll receive a code shortly""Verification code sent to your email"withexpires_in_secondsAgent Enumeration
Location: 30+ endpoints including
GET /api/agents/{name},/logs,/schedules,/playbooks,/info,/activities,/capabilities,/executions,/git/*,/public-links,/tags,/notifications,/monitoring404 "Agent not found"403 "Access denied to agent"Remediation
403 "Access denied"for both non-existent and inaccessible agents (don't distinguish 404 vs 403)References
Source: UnderDefense Web Pentest Report, March 2026