# Exposed Administrative Endpoint

- ID: python-exposed-admin-endpoint
- Severity: HIGH
- CWE: CWE-425
- Languages: Python
- Frameworks: flask, django, fastapi

## Description

Detects administrative endpoints (admin, debug, internal, system) that lack proper authentication or authorization checks. These endpoints should require admin privileges and be protected from public access.

## Remediation

Add an authentication and authorization decorator to admin endpoints.

```python
from functools import wraps

from flask import Flask, abort, jsonify
from flask_login import login_required, current_user

app = Flask(__name__)


def admin_required(f):
    """Require a logged-in user (enforced by Flask-Login) who also carries the admin flag."""
    @wraps(f)
    @login_required
    def decorated(*args, **kwargs):
        if not current_user.is_admin:
            abort(403)
        return f(*args, **kwargs)
    return decorated


@app.route('/admin/users')
@admin_required
def admin_users():
    # get_users() is the application's own user lookup
    return jsonify(get_users())
```

Learn more: https://shoulder.dev/learn/python/cwe-425/exposed-admin-endpoint
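The scanner below is an added example and is not part of the shoulder.dev rule or its implementation. It uses only the standard-library `ast` module to flag route handlers whose path contains an admin, debug, internal or system segment and that carry no authentication or authorization decorator, distinguishing endpoints with no protection at all from endpoints that are behind `login_required` but have no admin check. The decorator names it recognises (`login_required`, `admin_required`, `permission_required`, `superuser_required`), the route-registering method names, and the sample source it scans are assumptions constructed for this demonstration.

```python
import ast
import re
from dataclasses import dataclass

# Path segments that mark an endpoint as administrative (mirrors the rule description).
ADMIN_PATH = re.compile(r"/(admin|debug|internal|system)(/|$)", re.IGNORECASE)
# Route-registering decorator methods: Flask's app.route and FastAPI-style router.get/post/... (assumed set).
ROUTE_METHODS = {"route", "get", "post", "put", "delete", "patch"}
# Decorator names assumed to enforce login only, versus an admin/authorization check.
LOGIN_ONLY = {"login_required"}
ADMIN_CHECK = {"admin_required", "permission_required", "superuser_required"}

UNAUTHENTICATED = "unauthenticated"
MISSING_ADMIN_CHECK = "missing-admin-check"


@dataclass
class Finding:
    function: str
    path: str
    line: int
    reason: str


def _decorator_name(node):
    """Bare name of a decorator node: @x, @x.y, @x(...) and @x.y(...) yield 'x' or 'y'."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _route_path(node):
    """Return the path literal if the decorator registers a route, e.g. app.route('/admin')."""
    if not isinstance(node, ast.Call) or _decorator_name(node) not in ROUTE_METHODS:
        return None
    if node.args and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str):
        return node.args[0].value
    return None


def find_unprotected_admin_routes(source):
    """Scan Python source and report admin-looking routes without an adequate auth decorator."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {_decorator_name(d) for d in node.decorator_list}
        for path in filter(None, (_route_path(d) for d in node.decorator_list)):
            if not ADMIN_PATH.search(path) or names & ADMIN_CHECK:
                continue  # not an admin path, or already gated by an admin check
            reason = MISSING_ADMIN_CHECK if names & LOGIN_ONLY else UNAUTHENTICATED
            findings.append(Finding(node.name, path, node.lineno, reason))
    return findings


# Constructed sample: one unprotected admin route, one properly gated, one public, one login-only.
SAMPLE_SOURCE = '''
@app.route('/admin/users')
def admin_users():
    return jsonify(get_users())

@app.route('/admin/settings')
@admin_required
def admin_settings():
    return jsonify(get_settings())

@app.route('/api/public')
def public_status():
    return 'ok'

@router.get('/internal/debug')
@login_required
async def internal_debug():
    return {'debug': True}
'''

if __name__ == "__main__":
    for f in find_unprotected_admin_routes(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.function}() serves {f.path} -> {f.reason}")
```

Run as a script it reports `admin_users` as unauthenticated and `internal_debug` as missing an admin check; `admin_settings` is skipped because `admin_required` gates it, and `/api/public` never matches the admin-path pattern. The login-only tier exists because the rule asks for admin privileges, not merely a session, so a `login_required` decorator on an `/internal/` route is still worth a finding.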