Severity
High · CVSS 7.5
Target
Enterprise Consumer Brand
Date
2026-02
Category
Credential Exposure / API Architecture Disclosure

Exposed Swagger UI with Hardcoded Admin Credentials

An internal integration API exposed a fully functional Swagger UI documenting multiple internal microservice APIs across business operations. The authentication API specification contained hardcoded admin credentials including username, password pattern, and internal identifiers.

Attack Chain

    Step 1: Swagger UI accessible on the integration API

    Multiple API specifications loaded including auth, users, business entities, and financial operations.

    Step 2: Auth spec contained hardcoded credentials

    The authentication API spec included a working example request body with admin username, password, and internal identifiers.

    Step 3: Authentication endpoint confirmed live

    The endpoint accepted requests and returned validation errors, confirming it was active and processing.

What Scanners Would Miss

Nikto flags open Swagger pages. It doesn't read the spec to find that the auth endpoint has hardcoded production credentials baked into the example request body.

By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.