VibeScan found an admin or sensitive API endpoint that returns a 200 response to unauthenticated requests. This means anyone on the internet can access it — no account, no session, no credentials required.
AI coding tools (Lovable, Bolt, Cursor) often scaffold admin dashboards and API routes but don't automatically add authentication checks. The route handler gets created, it works in your browser because you're logged in — but the auth check is never actually enforced server-side.
Check for a valid session and verify the user has admin privileges before doing anything else. Return 401 or 403 immediately if not.
// Next.js App Router example
import { getServerSession } from 'next-auth'
import { authOptions } from '@/lib/auth'
export async function GET() {
const session = await getServerSession(authOptions)
if (!session) {
return Response.json({ error: 'Unauthorized' }, { status: 401 })
}
if (session.user.role !== 'admin') {
return Response.json({ error: 'Forbidden' }, { status: 403 })
}
// ... admin logic
}Rather than adding auth checks to every route individually, use Next.js middleware to protect all /admin/* and /api/admin/* routes at once.
// middleware.ts
import { withAuth } from 'next-auth/middleware'
export default withAuth({
callbacks: {
authorized: ({ token }) => token?.role === 'admin',
},
})
export const config = {
matcher: ['/admin/:path*', '/api/admin/:path*'],
}Open an incognito window and manually navigate to /api/admin/users. You should receive a 401, not a 200 with data. If you get data, the fix didn't work.
“VibeScan found that my admin API routes are accessible without authentication. Please add proper auth checks to all routes under /api/admin/* so that only users with the admin role can access them. Unauthenticated requests should return 401. Non-admin authenticated users should return 403. Use middleware to protect the entire /admin and /api/admin route group rather than adding checks to each route individually.”
VibeScan probes common admin and API routes alongside 10 other checks — free, in under 60 seconds.
Scan my app free →