Skip to content

SEC: User and Agent Enumeration via differential API responses #186

Description

@vybe

Pentest Finding 3.3.3 — Low (CVSS 2.0)

User Enumeration

Location: POST /api/auth/email/request

  • Unregistered email → "If your email is registered, you'll receive a code shortly"
  • Registered email → "Verification code sent to your email" with expires_in_seconds
  • Response difference confirms whether email exists in the system

Agent Enumeration

Location: 30+ endpoints including GET /api/agents/{name}, /logs, /schedules, /playbooks, /info, /activities, /capabilities, /executions, /git/*, /public-links, /tags, /notifications, /monitoring

  • Non-existent agent → 404 "Agent not found"
  • Existing but inaccessible agent → 403 "Access denied to agent"
  • Response difference confirms agent existence

Remediation

  • Email: Return the same generic message regardless of email existence (e.g., "Further instructions have been sent to your email address")
  • Agent: Return 403 "Access denied" for both non-existent and inaccessible agents (don't distinguish 404 vs 403)

References

Source: UnderDefense Web Pentest Report, March 2026

Metadata

Metadata

Labels

complexity-lowComplexity: low (board points 1-3)pentestFrom penetration testing reportpriority-p2ImportantsecuritySecurity vulnerabilityseverity-lowLow severity security findingstatus-in-devMerged to dev, awaiting release cut to maintheme-securityTheme: Securitytype-bugBug fix

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions