Publicly accessible OpenAPI specification
The OpenAPI specification for the Mynth API was publicly fetchable, giving attackers a full machine-readable map of the backend API surface (endpoints, expected parameters, schemas) without authentication.
Description
The OpenAPI / Swagger specification for the Mynth API was reachable without authentication. While public APIs often expose their schemas intentionally, doing so on an in-progress rollout surfaces the full API map (endpoints, expected fields, validation rules) to attackers and to automated discovery tools.
Impact
Informational. The spec does not introduce a new vulnerability on its own; it lowers the cost of mapping the API surface for an attacker.
Recommendation
Decide whether the spec should be public for this rollout phase. If it should not, gate it behind auth or move it to an internal-only path. If it must remain public, ensure the spec does not leak internal-only routes or unreleased fields.
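One way to act on the last point, as an added example that is not part of the original report or the Mynth codebase: a Python pass that derives the public variant of a spec by dropping paths or operations tagged x-internal and schema properties tagged x-unreleased (both assumed vendor-extension tags), plus a check that no such marker survives in what is served. The sample spec is constructed for the example.

```python
import copy
# Constructed sample spec (not Mynth's); x-internal / x-unreleased are an assumed tagging convention.
SAMPLE_SPEC = {
    "paths": {
        "/v1/swaps": {
            "get": {"summary": "List swaps", "responses": {"200": {"description": "ok"}}},
            "post": {"summary": "Create swap", "x-internal": True,
                     "responses": {"200": {"description": "ok"}}},
        },
        "/admin/rebalance": {"x-internal": True,
                             "post": {"summary": "Rebalance pools", "responses": {}}},
    },
    "components": {"schemas": {"Swap": {"type": "object", "properties": {
        "id": {"type": "string"},
        "fee_tier": {"type": "integer", "x-unreleased": True},
    }}}},
}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def redact_spec(spec):
    """Copy of spec with internal paths/operations and unreleased fields removed."""
    out = copy.deepcopy(spec)
    public_paths = {}
    for path, item in out.get("paths", {}).items():
        if item.get("x-internal"):
            continue  # whole path is internal-only: drop it
        for method in list(item):
            if method in HTTP_METHODS and item[method].get("x-internal"):
                del item[method]  # one internal operation on an otherwise public path
        if any(m in HTTP_METHODS for m in item):
            public_paths[path] = item
    out["paths"] = public_paths
    for schema in out.get("components", {}).get("schemas", {}).values():
        props = schema.get("properties", {})
        for name in [n for n, p in props.items() if p.get("x-unreleased")]:
            del props[name]
    return out

def leaked_markers(spec):
    """Document-tree locations of any internal/unreleased marker still present."""
    found = []
    def walk(node, trail):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in ("x-internal", "x-unreleased") and v:
                    found.append(trail)
                walk(v, f"{trail}/{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{trail}[{i}]")
    walk(spec, "")
    return found
```

Serve only the output of redact_spec on the public path, and fail the build or deploy if leaked_markers on that output is non-empty.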
Novaswap: Confirmed. Zealynx: Fixed.