Unauthenticated OpenAI API Access
Description
The application exposes an OpenAI-compatible API endpoint (typically at /v1/*) without requiring authentication credentials. This allows any user with network access to send requests to the Large Language Model (LLM) service and receive responses, effectively providing free and unrestricted access to what should be a protected resource. This misconfiguration represents a critical security oversight in API access control.
Remediation
Implement comprehensive authentication and access control measures to secure the API endpoint:
- Enforce API Key Authentication: Require valid API keys or bearer tokens for all requests to /v1/* endpoints. Validate tokens on every request before processing
```javascript
// Example: Express.js middleware for API key validation
const express = require('express');
const app = express();

// isValidAPIKey is the application's own key lookup (not defined here).
const authenticateAPIKey = (req, res, next) => {
  // Strip the "Bearer " scheme prefix to get the presented key
  const apiKey = req.headers['authorization']?.replace('Bearer ', '');
  if (!apiKey || !isValidAPIKey(apiKey)) {
    return res.status(401).json({ error: 'Unauthorized: Invalid or missing API key' });
  }
  next();
};

// Run the check before any /v1/* handler
app.use('/v1/*', authenticateAPIKey);
```
- Implement Rate Limiting: Apply per-user and per-IP rate limits to prevent abuse and resource exhaustion. Consider tiered limits based on user roles or subscription levels
- Enable Request Logging and Monitoring: Log all API requests including timestamps, user identifiers, model accessed, and token consumption. Set up automated alerts for anomalous patterns such as high-volume requests, unusual geographic access, or repeated authentication failures
- Apply Network-Level Controls: Where applicable, restrict API access to trusted IP addresses or networks using firewall rules or IP whitelisting
- Implement Role-Based Access Control (RBAC): Ensure users can only access models and features appropriate to their authorization level. Not all authenticated users should have access to all models
- Set Usage Quotas: Establish per-user spending limits or token quotas to contain potential financial exposure from compromised credentials
- Regular Security Audits: Periodically review API access logs, authentication mechanisms, and user permissions to identify and remediate security gaps
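
The API key, RBAC, rate-limit and quota items above combined into one per-request gate, as an added example that is not part of the original page. The key store, key value, model names and limits are constructed for illustration, and it uses only Node's built-in crypto module so it runs without Express.

```javascript
// Added example: key check, per-key model allow-list, rate limit and token quota
// for an OpenAI-compatible /v1/* endpoint. All names and values are hypothetical.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Constructed sample key store: only hashes of keys are kept, never the keys.
const KEYS = [
  { id: 'team-a', hash: sha256('sk-example-team-a'), models: ['small-model'],
    ratePerMinute: 2, tokenQuota: 1000 },
];
const usage = new Map(); // key id -> { windowStart, count, tokens }

function findKey(authorizationHeader) {
  const m = /^Bearer\s+(\S+)$/i.exec(authorizationHeader || '');
  if (!m) return null;
  const presented = sha256(m[1]);
  // Constant-time comparison of fixed-length digests avoids a timing side channel.
  return KEYS.find((k) => crypto.timingSafeEqual(k.hash, presented)) || null;
}

// Returns { status, error? }; a caller would map this onto the HTTP response.
function authorize(authorizationHeader, model, requestedTokens, nowMs) {
  const key = findKey(authorizationHeader);
  if (!key) return { status: 401, error: 'invalid or missing API key' };
  if (!key.models.includes(model)) return { status: 403, error: 'model not permitted' };

  let u = usage.get(key.id);
  if (!u) { u = { windowStart: nowMs, count: 0, tokens: 0 }; usage.set(key.id, u); }
  // Fixed one-minute window for the request counter; the token quota does not reset.
  if (nowMs - u.windowStart >= 60000) { u.windowStart = nowMs; u.count = 0; }
  if (u.count >= key.ratePerMinute) return { status: 429, error: 'rate limit exceeded' };
  if (u.tokens + requestedTokens > key.tokenQuota) {
    return { status: 429, error: 'token quota exhausted' };
  }
  u.count += 1;
  u.tokens += requestedTokens;
  return { status: 200, keyId: key.id };
}
```

Rejected requests are not counted against the key's usage, so logging each non-200 result with its key id (or source address for 401s) is what feeds the monitoring item above.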