# Authenticated Route Bypass

An authentication bypass occurs when an endpoint that should only be reachable by a logged-in user (and, for administrative functionality, a suitably privileged one) is registered without any authentication check, so an anonymous client can call it directly. Admin panels and user-management endpoints are the usual targets, and the result is disclosure of user data or unauthorised changes to it. Every sensitive route must be guarded by an authentication check and, where the data is scoped to a role, by an authorization check as well; the guard belongs on the route itself, not on a UI that merely hides the link. Developers should review route definitions for missing guards, ensure that all sensitive endpoints are protected, and conduct regular security audits.

## Vulnerable Code <a href="#vulnerable-code" id="vulnerable-code"></a>

In the code snippet below, the `get_all_users` endpoint declares no authentication or authorization dependency, so any client, including an unauthenticated one, can retrieve the full user list. The route is documented as an admin endpoint, which makes the missing check a direct exposure of data that should be limited to authenticated administrators.

```python
from fastapi import APIRouter, Depends
from fastapi.encoders import jsonable_encoder
from fastapi.responses import JSONResponse
from sqlalchemy.orm import Session  # router, get_db and get_all_users_handler are defined elsewhere in the project

# No auth dependency on the route: an anonymous client receives the full user list.
@router.get("/users")
async def get_all_users(db: Session = Depends(get_db)):
    users = await get_all_users_handler(db)
    return JSONResponse(status_code=200, content={"status": "success", "message": "Users retrieved successfully", "data": jsonable_encoder(users)})
```

## Vulnerable APIs

**(Admin) Get All Users**

<https://apidoc.fvb.vchan.in/#ff62ee09-4e94-4a0f-9621-ddff39925fd8>

## Compliance <a href="#compliance" id="compliance"></a>

* OWASP: **API2:2023**
* PCI: **6.5.10**
* GDPR: **Article-32**
* SOC2: **CC1**
* ISO27001: **A.14.2**
* NIST: **SP800-53**

## CWE & CVSS <a href="#score-1" id="score-1"></a>

* CWE: **285**
* CVSS VECTOR: **AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N**
* CVSS SCORE: **6.5**

