Vulnerabilities
Missing authentication on /metrics
Severity: high
Status: open

Description
The Prometheus /metrics endpoint is exposed without authentication, leaking internal telemetry and topology.
Affected code
services/api/router.go

    mux.Handle("/metrics", promhttp.Handler()) // no auth

Details
- Severity: high
- CVSS: 7.5
- CVE: —
- CWE: CWE-306
- File: services/api/router.go
- Status: open
Remediation
No remediation generated yet. The engineer agent proposes a patch when this finding is triaged.