Exposed Admin API Route — No Auth Check
Found an admin API route on a SaaS app with zero auth. No middleware, no session check. Anyone with the URL could delete accounts, change billing, export the entire user DB. Took 5 minutes to find. OWASP #1 for a reason.
— Ryan O'Callaghan (@ocallry)
What I found
A SaaS app built with Next.js and Supabase had an admin API route at /api/admin/users with zero authentication. No middleware, no session check, no role validation. The route accepted DELETE, PUT, and GET requests — meaning anyone who guessed the URL could delete user accounts, modify billing info, and export the entire user database as JSON.
Why it matters
This is a full account takeover vector. An attacker doesn't need credentials, exploits, or social engineering — just the URL. In this case the route followed a predictable naming pattern (/api/admin/*), making it trivially discoverable through directory brute-forcing or even guessing. This is OWASP A01:2021 — Broken Access Control, the #1 web application security risk.
The fix
Added Supabase auth middleware to every admin route, verifying both the session token and the user's role before processing requests. Also added row-level security policies in Supabase as a second layer of defense, so even if the API layer is bypassed, the database won't return unauthorized data.
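The API-layer half of that fix, as an added example that is not the post's or the app's own code: a guard that checks for a Bearer session token and an admin role before the previously open handler runs, and rejects with 401 or 403 otherwise. The `lookupUser` callback is a constructed stand-in for Supabase's `auth.getUser(token)` call, and the `admin` role name and `tok-*` tokens are assumptions.

```javascript
// Wrap an API route handler so it only runs for an authenticated admin.
// lookupUser(token) returns { id, role } or null. With Supabase this would be
// an awaited supabase.auth.getUser(token); it is synchronous here to run offline.
function requireAdmin(handler, lookupUser) {
  return function guarded(req, res) {
    const [scheme, token] = (req.headers.authorization || '').split(' ');
    if (scheme !== 'Bearer' || !token) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    const user = lookupUser(token);
    if (!user) {
      return res.status(401).json({ error: 'invalid session' });
    }
    if (user.role !== 'admin') {
      // Authenticated but not authorised: reject before any data is touched.
      return res.status(403).json({ error: 'admin role required' });
    }
    req.user = user;
    return handler(req, res);
  };
}

// Constructed stand-in for session validation: two known tokens (assumption).
const SESSIONS = {
  'tok-admin': { id: 'u1', role: 'admin' },
  'tok-member': { id: 'u2', role: 'member' },
};
const fakeLookupUser = (token) => SESSIONS[token] || null;

// The handler that was previously reachable by anyone, now behind the guard.
const adminUsersHandler = requireAdmin(
  (req, res) => res.status(200).json({ users: ['u1', 'u2'], method: req.method }),
  fakeLookupUser
);

// Minimal res object so the route can be exercised without a server.
function makeRes() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Send one request through the guarded route and return what it answered.
function callRoute(method, authorization) {
  const res = makeRes();
  const headers = authorization ? { authorization } : {};
  adminUsersHandler({ method, headers }, res);
  return { status: res.statusCode, body: res.body };
}
```

In a real Next.js route the wrapper is applied to the exported handler, and the role should come from Supabase's server-side user record, never from a client-supplied field.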