VBS-2026-0006 | HIGH | CVSS 8.1 | CWE-306

Missing authentication on API routes generated by AI coding tools

LLMs routinely generate Next.js API routes for sensitive operations (user data fetching, payment processing, admin actions) without authentication middleware. The AI focuses on making the feature "work" rather than securing it, resulting in unauthenticated endpoints that expose user data or perform privileged operations for any caller.

Published: 2026-02-08
Discovered By: PolyDefender Research
CVSS Score: 8.1 / 10
Affected AI Platforms: Lovable, Bolt.new, v0, ChatGPT, Cursor
Affected Tech Stack: Next.js, Express, Fastify, Hono
Proof of Concept (poc.ts)
// app/api/users/route.ts - no auth check:
import { NextResponse } from 'next/server'
import { db } from '@/lib/db'              // assumed: the app's query-builder client
import { usersTable } from '@/lib/schema'  // assumed: the users table definition

export async function GET() {
  // No session or token check: the handler goes straight to the database.
  const users = await db.select().from(usersTable)
  return NextResponse.json(users)  // Returns ALL users to anyone
}
Remediation

Add authentication to every sensitive route. Use middleware to protect entire route groups. Check auth at the top of every handler before touching data.
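The three remediation steps above, worked through as an added example that is not part of the advisory or of any project's code. It is framework-neutral on purpose: the request shape, the user rows, the session tokens and the helper names (authenticate, withAuth, adminGroupMiddleware, visibleUsers) are all assumptions, and the same structure maps onto a Next.js route handler or onto Express/Fastify/Hono middleware. The vulnerable handler from the PoC is kept beside its hardened form so the difference is visible.

```typescript
// Added example, not from the advisory: a framework-neutral model of the
// remediation. Request type, sample users, session tokens and helper names are
// assumptions; swap in the real session lookup and router of your stack.

export type User = { id: string; email: string; role: "user" | "admin" };
export type Req = { method: string; path: string; headers: Record<string, string> };
export type Res = { status: number; body?: unknown };

// Constructed sample data standing in for the users table and the session store.
export const usersTable: User[] = [
  { id: "u1", email: "alice@example.com", role: "admin" },
  { id: "u2", email: "bob@example.com", role: "user" },
];
const sessions: Record<string, string> = { "tok-alice-0001": "u1", "tok-bob-0002": "u2" };

// Constant-time comparison so a mismatch does not reveal how long the matching
// prefix was. The length short-circuit is fine for fixed-length tokens.
function equalConstantTime(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Resolve the caller from a bearer token; null means unauthenticated.
export function authenticate(req: Req): User | null {
  const header = req.headers["authorization"] ?? "";
  const [scheme, token] = header.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  for (const [stored, userId] of Object.entries(sessions)) {
    if (equalConstantTime(stored, token)) return usersTable.find((u) => u.id === userId) ?? null;
  }
  return null;
}

// "Check auth at the top of every handler": the wrapped body only runs for an
// authenticated caller, optionally one holding a given role.
type Handler = (req: Req, user: User) => Res;
export function withAuth(handler: Handler, role?: User["role"]): (req: Req) => Res {
  return (req) => {
    const user = authenticate(req);
    if (!user) return { status: 401, body: "Unauthorized" };
    if (role && user.role !== role) return { status: 403, body: "Forbidden" };
    return handler(req, user);
  };
}

// The advisory's vulnerable shape: rows are returned before anyone is identified.
export function GET_vulnerable(_req: Req): Res {
  return { status: 200, body: usersTable };
}

// Hardened equivalent. Authentication alone is not enough: the result is also
// scoped to the caller, so a regular user sees only their own row.
export function visibleUsers(user: User): User[] {
  return user.role === "admin" ? usersTable : usersTable.filter((u) => u.id === user.id);
}
export const GET_hardened = withAuth((_req, user) => ({ status: 200, body: visibleUsers(user) }));

// "Use middleware to protect entire route groups": everything under /api/admin/
// needs an admin session. Returns a response to short-circuit, or null to let the
// request continue to its handler.
export function adminGroupMiddleware(req: Req): Res | null {
  if (!req.path.startsWith("/api/admin/")) return null;
  const user = authenticate(req);
  if (!user) return { status: 401, body: "Unauthorized" };
  if (user.role !== "admin") return { status: 403, body: "Forbidden" };
  return null;
}

// Helper to build a request with an optional bearer token.
export function makeRequest(path: string, token?: string, method = "GET"): Req {
  return { method, path, headers: token ? { authorization: `Bearer ${token}` } : {} };
}
```

The group middleware and the per-handler wrapper are complementary rather than alternatives: the middleware stops unauthenticated traffic before it reaches any handler in the group, and the wrapper keeps each handler safe even when a new route is added outside the guarded prefix, which is exactly the case an AI-generated file tends to produce.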

#authentication#authorization#api#next.js#ai-generated

FAQ
Q: How do I check if my Next.js + Express app is affected by missing authentication on API routes generated by AI coding tools?

A: LLMs routinely generate Next.js API routes for sensitive operations (user data fetching, payment processing, admin actions) without authentication middleware. Search your codebase for route handlers in Next.js, Express, Fastify or Hono that read user data, process payments or perform admin actions, and verify that each one applies the remediation: an authentication check before any data is touched.
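A heuristic for the check described in this answer, as an added example that is not part of the advisory: given the source text of a Next.js App Router route file, it reports every exported HTTP-method handler whose body never calls an auth helper. The recognised helper names (getServerSession, getSession, requireAuth, authenticate, auth) and the two sample files are assumptions; extend AUTH_CALLS with whatever your stack actually uses.

```typescript
// Added example, not from the advisory: a source-level scanner for route handlers
// that never consult a session. Helper names and sample files are assumptions.

const AUTH_CALLS = ["getServerSession(", "getSession(", "requireAuth(", "authenticate(", "auth("];

export type Finding = { handler: string; line: number };

// Return the brace-balanced block starting at src[open] (which must be "{").
function balancedBlock(src: string, open: number): string {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open); // unterminated block: scan the rest rather than skip it
}

// Match `export async function GET(` etc., skip past the parameter list, take the
// body, and flag handlers that contain no auth call. Only function declarations
// are matched: `export const GET = withAuth(...)` is not inspected either way.
export function findUnguardedHandlers(source: string): Finding[] {
  const findings: Finding[] = [];
  const re = /export\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const paramsEnd = source.indexOf(")", re.lastIndex);
    const bodyStart = paramsEnd === -1 ? -1 : source.indexOf("{", paramsEnd);
    if (bodyStart === -1) break;
    const body = balancedBlock(source, bodyStart);
    if (!AUTH_CALLS.some((call) => body.includes(call))) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ handler: m[1], line });
    }
  }
  return findings;
}

// Constructed sample route files. The first has the advisory's PoC shape; the
// second guards GET with a session check but leaves DELETE open.
export const SAMPLE_UNGUARDED = `import { NextResponse } from 'next/server'
export async function GET() {
  const users = await db.select().from(usersTable)
  return NextResponse.json(users)
}`;

export const SAMPLE_PARTIAL = `import { NextResponse } from 'next/server'
import { getServerSession } from 'next-auth'
export async function GET() {
  const session = await getServerSession()
  if (!session) return new NextResponse('Unauthorized', { status: 401 })
  const users = await db.select().from(usersTable)
  return NextResponse.json(users)
}
export async function DELETE() {
  await db.delete(usersTable)
  return NextResponse.json({ ok: true })
}`;
```

Treat the output as a review queue, not a verdict: a handler that calls an auth helper and then ignores the result still passes this scan, and public routes (health checks, webhooks with their own signature verification) will appear as findings that need an explicit allow-list.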

Q: Why do Lovable and Bolt.new generate code with CWE-306 (high severity)?

A: LLMs routinely generate Next.js API routes for sensitive operations (user data fetching, payment processing, admin actions) without authentication middleware. The AI focuses on making the feature "work" rather than securing it, resulting in unauthenticated endpoints that expose user data or perform privileged operations for any caller.

Q: How do I fix missing authentication on API routes generated by AI coding tools?

A: Add authentication to every sensitive route. Use middleware to protect entire route groups. Check auth at the top of every handler before touching data.

Q: What can an attacker do if my app contains VBS-2026-0006?

A: With CVSS 8.1 (high), this vulnerability is high risk: significant data or functionality can be compromised. The AI focuses on making the feature "work" rather than securing it, resulting in unauthenticated endpoints that expose user data or perform privileged operations for any caller.