Unrestricted access to Kong Gateway API
Description
The Kong Gateway Admin API provides administrative capabilities for managing API configurations, routes, services, and plugins. This vulnerability exists when the Admin API is exposed without authentication controls, allowing unauthorized users to read sensitive configuration data and invoke administrative functions. By default, Kong's Admin API listens on port 8001 and does not enforce authentication unless this is explicitly configured.
Remediation
Implement authentication and access controls for the Kong Admin API using one of the following methods:
1. Enable Role-Based Access Control (RBAC) if using Kong Enterprise, or implement the Key Authentication plugin for Kong Gateway (OSS)
2. Restrict network access to the Admin API by binding it to localhost or a private network interface only
3. Use a reverse proxy with authentication (such as nginx with basic auth) in front of the Admin API
4. Configure firewall rules to limit Admin API access to trusted IP addresses only
Example configuration to bind Admin API to localhost only in kong.conf:
admin_listen = 127.0.0.1:8001
For production environments, combine several of these layers, such as network restrictions plus authentication, to achieve defense in depth.
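The following is an added example, not part of the original finding or of Kong itself: a small audit that parses the admin_listen directive of a kong.conf and flags any Admin API binding that is not on a loopback address, distinguishing private-network bindings (acceptable only together with the network controls above) from wildcard or public ones. The sample configuration text is constructed; note that Kong also honours the KONG_ADMIN_LISTEN environment variable, which this file-based check does not see.

```python
"""Audit the admin_listen setting of a kong.conf for network-exposed Admin API bindings."""
import ipaddress
import re

# Constructed sample kong.conf excerpts (not taken from a real deployment).
SAFE_CONF = """
# admin_listen = 0.0.0.0:8001   (commented out, so ignored)
admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl
"""
EXPOSED_CONF = """
proxy_listen = 0.0.0.0:8000
admin_listen = 0.0.0.0:8001, [::]:8444 ssl, 10.0.5.12:8001
"""

def parse_admin_listen(conf_text):
    """Return the admin_listen entries (address:port plus flags), or [] if unset or 'off'."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^admin_listen\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip()  # the last assignment wins
    if not value or value.lower() == "off":
        return []
    return [entry.strip() for entry in value.split(",") if entry.strip()]

def classify_binding(entry):
    """Classify one listen entry as 'loopback', 'private' or 'exposed'."""
    addr_port = entry.split()[0]                    # drop flags such as ssl, http2, reuseport
    host = addr_port.rsplit(":", 1)[0].strip("[]")  # handles 'ip:port' and '[v6]:port'
    if host in ("0.0.0.0", "::", "*"):
        return "exposed"                            # wildcard: listens on every interface
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "exposed"                            # hostname: cannot prove it is local
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"                            # needs firewall/RBAC layers on top
    return "exposed"

def audit_admin_api(conf_text):
    """Map every non-loopback admin_listen binding to its classification."""
    return {e: classify_binding(e) for e in parse_admin_listen(conf_text)
            if classify_binding(e) != "loopback"}

if __name__ == "__main__":
    print("safe   :", audit_admin_api(SAFE_CONF))
    print("exposed:", audit_admin_api(EXPOSED_CONF))
```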