Bug #19

closed

Broken Access Control: Non-Super Admin Can Create Admin Users via API

Added by Vivek Kumar about 1 month ago. Updated about 1 month ago.

Status:
Closed
Priority:
High
Assignee:
-
Start date:
03/17/2026
Due date:
% Done:

100%

Estimated time:
Spent time:

Description

A non-superadmin user (Intakes Staff role) is able to create new admin accounts by directly calling the /api/admin/add-admin API endpoint.
This indicates missing backend authorization checks, as admin creation should be restricted to superadmin users only.

Steps to Reproduce

  1. Log in as a user with the Intakes Staff role
  2. Capture the JWT token
  3. Send a POST request to: /api/admin/add-admin
  4. Observe that the admin account is successfully created

Expected Result
Only Super Admin should be able to create admin users.

Actual Result
A non-superadmin user is able to create admin users successfully.

NOTE: A Postman request has been created and shared to demonstrate the issue for easier reproduction.


Files

POST AdminCreateAPI.txt (2.42 KB), Vivek Kumar, 03/17/2026 09:30 AM
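The missing check, as an added example that is not code from this tracker or from the application under test: the handler as the report describes it (only authenticated, role never consulted) beside a deny-by-default server-side authorization check. The role strings, the decoded-claims shape and the result objects are assumptions.

```javascript
// Added example: server-side authorization for an "add admin" endpoint.
// Assumes the JWT has already been signature-verified and decoded into
// `claims`; the role names below are assumptions, not the project's values.

// Policy table: which roles may perform which privileged actions.
// Anything not listed here is denied.
const POLICY = {
  "admin:create": new Set(["superadmin"]),
};

// Pattern the report describes: the endpoint only checks that the caller
// is authenticated (a valid token exists) and never checks the role, so
// any logged-in user, including Intakes Staff, can create an admin.
function addAdminVulnerable(claims, body) {
  if (!claims) return { status: 401 };
  return { status: 201, created: { username: body.username, role: "admin" } };
}

// Hardened: authentication first, then explicit authorization against the
// policy table. Missing role, unknown action or unlisted role all deny.
function authorize(claims, action) {
  if (!claims || typeof claims.role !== "string") return false;
  const allowed = POLICY[action];
  return allowed !== undefined && allowed.has(claims.role);
}

function addAdminHardened(claims, body) {
  if (!claims) return { status: 401 };                         // not authenticated
  if (!authorize(claims, "admin:create")) return { status: 403 }; // authenticated, not allowed
  return { status: 201, created: { username: body.username, role: "admin" } };
}

// Constructed claims standing in for decoded, verified tokens.
const intakesStaff = { sub: "u-1001", role: "intakes_staff" };
const superAdmin = { sub: "u-1", role: "superadmin" };
const sampleBody = { username: "new.admin" };

// Same request, both handlers: the hardened one rejects the staff user.
console.log(addAdminVulnerable(intakesStaff, sampleBody).status); // 201 (the bug)
console.log(addAdminHardened(intakesStaff, sampleBody).status);   // 403
console.log(addAdminHardened(superAdmin, sampleBody).status);     // 201
```

The policy table is the piece a regression test should pin: a test that calls the handler with every non-superadmin role and expects 403 would have caught this before release.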
#1

Updated by Adhi Narayanan about 1 month ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
#2

Updated by Vivek Kumar about 1 month ago

  • Status changed from Resolved to Closed