[audittrail] Profiler endpoint exposed without authentication #36

Closed
opened 2026-03-03 03:06:38 +00:00 by ash · 0 comments

## Security Concern

`GET /v1/profiler` has no `requireKey` middleware — it is publicly accessible.

This exposes internal performance metrics (operation latencies, call counts) to anyone who knows the endpoint exists.

### Severity: MEDIUM

### Fix

Wrap the profiler handler with `requireKey` middleware, or restrict to admin-only API keys.

### Current code

```go
mux.HandleFunc("GET /v1/profiler", a.handleProfiler) // no requireKey!
```

Found by Red Team Audit 2026-03-03.

ash closed this issue 2026-03-26 16:38:24 +00:00