- Severity
- High · CVSS 7.5
- Target
- Enterprise Consumer Brand
- Date
- 2026-02
- Category
- Credential Exposure / API Architecture Disclosure
Exposed Swagger UI with Hardcoded Admin Credentials
An internal integration API exposed a fully functional Swagger UI documenting multiple internal microservice APIs across business operations. The authentication API specification contained hardcoded admin credentials including username, password pattern, and internal identifiers.
Attack Chain
Step 1: Swagger UI accessible on the integration API
Multiple API specifications loaded including auth, users, business entities, and financial operations.
Step 2: Auth spec contained hardcoded credentials
The authentication API spec included a working example request body with admin username, password, and internal identifiers.
Step 3: Authentication endpoint confirmed live
The endpoint accepted requests and returned validation errors, confirming it was active and processing.
What Scanners Would Miss
Nikto flags open Swagger pages. It doesn't read the spec to find that the auth endpoint has hardcoded production credentials baked into the example request body.
By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.