Skip to main content
VibeAudit Liability Index
criticalauth/access-control riskFix order 1

Client-Side Admin Fantasy

What it is

Admin or privileged flows appear to be enforced from client-side state or UI branches rather than server-side authorization.

This usually appears when UI state, route naming, or optimistic client branches are mistaken for server-side authorization evidence.

How to fix it

Move authorization checks to trusted server code, add role tests, and reject privileged requests at the API boundary.

  1. 1Move privileged decisions from UI state into trusted server code.
  2. 2Reject unauthorized privileged API requests at the boundary.
  3. 3Test allowed and denied roles through the server path.

How VibeAudit checks for this

VibeAudit checks this with CONTROL_DOMINANCE and SAST_LOCAL_STRUCTURAL route/control evidence, plus DAST_AUTHZ_2A two-actor authorization evidence when the scan includes authorized probes. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.

Related failure modes

Check your public launch surface and keep unsupported scope visible.

Run Quick Scan