The API does not properly enforce function-level access controls, allowing regular users to access administrative API endpoints by directly calling them.
An attacker could access administrative functions such as user management, system configuration, or data export by directly invoking privileged API endpoints.
Implement centralized authorization mechanisms. Deny access by default and require explicit grants. Ensure administrative endpoints are protected by role-based checks. Audit all API endpoints for proper access controls.
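The remediation above (one central check, deny by default, explicit role grants, and an audit of every endpoint) as an added, self-contained example; it is not code from the original finding or from the affected API. The endpoint paths, roles, in-memory handlers and the audit-log list are constructed for illustration.

```python
"""
Deny-by-default, centralized function-level authorization for an HTTP-style API.

Added example, not code from the original finding: a dispatcher that consults a
single policy table before any handler runs. Endpoint paths, roles and handlers
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


# Central policy: (method, path) -> roles explicitly granted access.
# Anything not listed here is denied; there is no "allow if no rule" fallback.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("GET", "/api/profile"): frozenset({"user", "admin"}),
    ("GET", "/api/admin/users"): frozenset({"admin"}),
    ("POST", "/api/admin/config"): frozenset({"admin"}),
    ("GET", "/api/admin/export"): frozenset({"admin"}),
}

# Handlers are registered separately from the policy so that a forgotten
# policy entry fails closed instead of silently exposing the handler.
HANDLERS: Dict[Tuple[str, str], Callable[[Request], str]] = {
    ("GET", "/api/profile"): lambda r: f"profile of {r.user}",
    ("GET", "/api/admin/users"): lambda r: "user list",
    ("POST", "/api/admin/config"): lambda r: "config updated",
    ("GET", "/api/admin/export"): lambda r: "export started",
    # Hypothetical endpoint that was registered without a policy entry;
    # the dispatcher must refuse it rather than fall open.
    ("DELETE", "/api/admin/users/42"): lambda r: "user deleted",
}

# Every decision is recorded so denied calls to admin endpoints are visible.
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


def authorize(req: Request) -> bool:
    """Single choke point: every request is checked here, never in the handler."""
    allowed = POLICY.get((req.method, req.path))
    if allowed is None:
        decision = False  # deny by default: no explicit grant exists
    else:
        decision = bool(req.roles & allowed)  # caller needs at least one granted role
    AUDIT_LOG.append((req.user, req.method, req.path, "allow" if decision else "deny"))
    return decision


def dispatch(req: Request) -> Tuple[int, str]:
    """Authorize first, then route; an unauthorized caller never reaches a handler."""
    if not authorize(req):
        return 403, "forbidden"
    handler = HANDLERS.get((req.method, req.path))
    if handler is None:
        return 404, "not found"
    return 200, handler(req)


def audit_unprotected_endpoints() -> List[Tuple[str, str]]:
    """Endpoint audit: list registered handlers that have no policy entry."""
    return sorted(key for key in HANDLERS if key not in POLICY)


if __name__ == "__main__":
    regular = Request("GET", "/api/admin/users", "alice", frozenset({"user"}))
    admin = Request("GET", "/api/admin/users", "bob", frozenset({"admin"}))
    print(dispatch(regular))  # regular user is refused at the choke point
    print(dispatch(admin))
    print("handlers missing a policy entry:", audit_unprotected_endpoints())
```

A regular user calling the admin endpoint directly is refused before any handler code executes, and the endpoint audit surfaces the handler that was registered without a grant, which is the gap a default-allow design would have left open.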