F-2026-0009 · information-exposure

Customer Swagger Docs Exposed in Production

Acknowledged · pentest · backend · api · github.com/bloom-art/api
TL;DR

Customer Swagger UI is always served (including in production), giving any visitor a complete endpoint map. Accepted as intentional public API surface for partner client generation, with CI gates preventing admin/oracle/lending/webhook paths from leaking into the customer spec.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW
Description

```typescript
// bootstrap.utils.ts L164-L167
if (!environmentService.isInProdEnvironment()) {
  initSwagger(app); // Internal swagger, gated ✓
}
initCustomerSwagger(app); // Customer swagger, ALWAYS exposed, including production
```

Frontend / on-chain mitigation analysis: The Swagger UI at /v1/customer-docs hands anyone who can reach it a complete map of the customer endpoints. Because the customer API is designed for B2B partner consumption, this may be intentional, but it should be verified.

Impact

Complete endpoint enumeration without authentication, which supports targeted attack planning against the customer API.

Recommendation

If the exposure is intentional, ensure no internal endpoints leak into the customer spec through module imports. If it is not, gate initCustomerSwagger behind the same environment check that already protects the internal Swagger.

Resolution

Accepted by the team as intentional public API surface for partner client generation; CI gates already prevent admin/oracle/lending/webhook paths from leaking into the customer spec.
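The CI gate described in the resolution and the "no internal endpoints leak" check from the recommendation can be expressed as a small spec linter. The following is an added illustration, not code from the bloom-art/api repository: the forbidden segment list and the sample OpenAPI document are constructed assumptions.

```typescript
// Added example: fail CI when the generated customer OpenAPI spec contains
// internal routes. Not part of the audited code base; names are assumptions.

type OpenApiDoc = { paths: Record<string, unknown> };

// Path words that must never appear in the customer-facing spec. Assumed list,
// chosen to match the admin/oracle/lending/webhook families named in the finding.
const FORBIDDEN_SEGMENTS: string[] = ["admin", "oracle", "lending", "webhook", "webhooks"];

// Split a path into words so that "/v1/webhook-callbacks" and "/v1/admin_users"
// are caught, while "/v1/customer/webinars" is not (no whole-word match).
function pathWords(path: string): string[] {
  return path
    .split(/[\/_-]/)
    .map((w) => w.toLowerCase())
    .filter((w) => w.length > 0);
}

// Return every path in the spec that contains a forbidden word.
function findLeakedPaths(spec: OpenApiDoc, forbidden: string[] = FORBIDDEN_SEGMENTS): string[] {
  return Object.keys(spec.paths).filter((p) =>
    pathWords(p).some((w) => forbidden.includes(w))
  );
}

// CI entry point: ok=false means the pipeline should reject the spec.
function gateCustomerSpec(spec: OpenApiDoc): { ok: boolean; leaked: string[] } {
  const leaked = findLeakedPaths(spec);
  return { ok: leaked.length === 0, leaked };
}

// Constructed sample customer spec containing two leaked internal routes.
const SAMPLE_SPEC: OpenApiDoc = {
  paths: {
    "/v1/customer/orders": {},
    "/v1/customer/orders/{id}": {},
    "/v1/customer/webinars": {},
    "/v1/admin/users": {},
    "/v1/webhook-callbacks/{id}": {},
  },
};

const result = gateCustomerSpec(SAMPLE_SPEC);
if (!result.ok) {
  console.error(`customer spec leaks internal paths: ${result.leaked.join(", ")}`);
}
```

Run it against the artefact that initCustomerSwagger serializes (for example the JSON behind /v1/customer-docs) and exit non-zero on `ok === false`.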


© 2026 Zealynx