Project

General

Profile

Actions
Copy link

Bug #19

closed

Broken Access Control: Non-Super Admin Can Create Admin Users via API

Added by Vivek Kumar about 1 month ago. Updated about 1 month ago.

Status:
Closed
Priority:
High
Assignee:
-
Start date:
03/17/2026
Due date:
% Done:

100%

Estimated time:
Spent time:
4:00 h

Description

A non-superadmin user (Intakes Staff role) is able to create new admin accounts by directly calling the /api/admin/add-admin API endpoint.
This indicates missing backend authorization checks, as admin creation should be restricted to superadmin users only.

Steps to Reproduce

  1. Login as a user with Intakes Staff role
  2. Capture the JWT token
  3. Send POST request to: /api/admin/add-admin
  4. Observe that admin account is successfully created

Expected Result
Only Super Admin should be able to create admin users.

Actual Result
Non-superadmin user is able to create admin users successfully.

NOTE: A Postman request has been created and shared to demonstrate the issue for easier reproduction.

Files

POST AdminCreateAPI.txt (2.42 KB) POST AdminCreateAPI.txt Vivek Kumar, 03/17/2026 09:30 AM
Actions
Copy link

Also available in: Atom PDF