Description
Describe the bug
The API endpoint /api/admin/users exposes detailed user information, including emails, UUIDs, verification status, and admin privileges without requiring authentication or authorization.
To Reproduce
Steps to reproduce the behavior:
1. Send a GET request to: http://app.aixblock.io/api/admin/users
2. Observe the full JSON user data in the response.
3. Note sensitive fields such as: email, is_superuser, is_organization_admin, is_verified, last_activity
Expected behavior
The /api/admin/users endpoint should be accessible only to authenticated admin users, and must not expose sensitive user data publicly.
All user-supplied input (e.g., first_name) should be properly sanitized to prevent HTML or script injection.
Desktop (please complete the following information):
OS: macOS 10.15
Browser: Firefox
Version: 140.0
Recommendation:
Protect all /api/admin/ routes with proper authentication and role-based access control (RBAC)
Sanitize all user input fields (e.g., first_name)
Avoid exposing PII (personally identifiable information) in unauthenticated responses
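Added example (not AIxBlock's own code) of the two controls recommended above: a role check applied to every /api/admin/ path, and a serializer that returns the report's sensitive fields only to admins and HTML-escapes first_name on output. The User dataclass, the (status, body) handler shape and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, asdict
from html import escape
from typing import Optional

# Fields named in the report that must never reach an unauthenticated caller.
SENSITIVE_FIELDS = {"email", "uuid", "is_superuser", "is_organization_admin",
                    "is_verified", "last_activity"}

@dataclass
class User:  # constructed stand-in for the platform's user record (assumption)
    uuid: str
    username: str
    first_name: str
    email: str
    is_superuser: bool = False
    is_organization_admin: bool = False
    is_verified: bool = False
    last_activity: str = ""

def is_admin(caller: Optional[User]) -> bool:
    return caller is not None and (caller.is_superuser or caller.is_organization_admin)

def check_admin_access(caller: Optional[User], path: str) -> int:
    """RBAC gate for every /api/admin/ route: 401 for anonymous callers,
    403 for authenticated non-admins, 200 otherwise. Other paths pass through."""
    if not path.startswith("/api/admin/"):
        return 200
    if caller is None:
        return 401
    return 200 if is_admin(caller) else 403

def serialize_user(user: User, caller: Optional[User]) -> dict:
    """Admins see every field; anyone else gets a projection with the PII and
    privilege flags removed. first_name is HTML-escaped on output so stored
    markup cannot render in an admin's browser."""
    data = asdict(user)
    data["first_name"] = escape(data["first_name"])
    if not is_admin(caller):
        data = {k: v for k, v in data.items() if k not in SENSITIVE_FIELDS}
    return data

def admin_users_endpoint(caller: Optional[User], users: list, path="/api/admin/users"):
    """Handler shape (assumed): returns (status, body). Denied requests carry no user data."""
    status = check_admin_access(caller, path)
    if status != 200:
        return status, {"detail": "authentication required" if status == 401 else "forbidden"}
    return 200, [serialize_user(u, caller) for u in users]
```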
Impact:
Exposure of users’ personally identifiable information (PII), including emails, usernames, UUIDs, and verification status
Admin account enumeration through is_organization_admin and is_superuser flags
Increases risk of phishing, spam, impersonation, and social engineering