CWE-306 Missing Authentication for Critical Function
What this means
SiteShadow flagged a sensitive function/route that appears reachable without a required authentication check.
Why it matters
Unauthenticated access can expose admin or internal operations.
- Public access to private data (accounts, invoices, internal docs).
- Abusable actions (deletes, exports, role changes, password resets).
- Attackers don't need an account—just the endpoint.
Safer examples
1) Make authentication the default
Use global middleware/guards and explicitly opt routes into "public" rather than "private."
2) Enforce auth at the edge and in handlers
Guard routes with middleware/decorators, and ensure handlers assume an authenticated user exists.
3) Use service identities for internal calls
If it's an internal endpoint, require a trusted service token/mTLS rather than leaving it unauthenticated.
How SiteShadow detects it (high level)
- Identifies sensitive operations and checks for the presence of known authentication guards.
- Flags handlers that reference currentUser/req.user without enforcing authentication.
References
- CWE-306: https://cwe.mitre.org/data/definitions/306.html