Client-Side Admin Fantasy
What it is
Admin or privileged flows appear to be enforced from client-side state or UI branches rather than server-side authorization.
This usually appears when UI state, route naming, or optimistic client branches are mistaken for server-side authorization evidence.
How to fix it
Move authorization checks to trusted server code, add role tests, and reject privileged requests at the API boundary.
- 1Move privileged decisions from UI state into trusted server code.
- 2Reject unauthorized privileged API requests at the boundary.
- 3Test allowed and denied roles through the server path.
How VibeAudit checks for this
VibeAudit checks this with CONTROL_DOMINANCE and SAST_LOCAL_STRUCTURAL route/control evidence, plus DAST_AUTHZ_2A two-actor authorization evidence when the scan includes authorized probes. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.
Related failure modes
Check your public launch surface and keep unsupported scope visible.
Run Quick Scan