Intel

AIKIDO-2026-314365

openapi-backend is vulnerable to Authorization Bypass

Authorization Bypass Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

68

Medium Risk

This Affects:

JSopenapi-backend
5.5.0 - 5.17.0
Fixed in 5.18.0
Are you affected? Scan for Free

TL;DR

openapi-backend authorizes incoming requests by running registered security handlers and inspecting their return values. The request-authorization logic only treats a returned object as a failed check when that object's single key is error, so a rejection object that also carries any other property such as a user or a status code is misread as a successful authorization. An attacker whose credentials are rejected can reach operations that should be denied, because the authorized flag is set on the deny path. The fix treats any object with a truthy error property as a failed authorization regardless of its other properties.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your security handlers reject requests by returning an object that includes an error property alongside other keys.

Background info

openapi-backend is vulnerable to Authorization Bypass in versions 5.5.0 - 5.17.0.

How to fix this

Upgrade the openapi-backend library to the patch version.