VAPT Security Report — dev.fix-it.ai

Date: 2026-07-02  |  Mode: Greybox — OWASP Top 10:2025 + LLM Top 10:2025 + Agentic Top 10:2026  |  Target: dev.fix-it.ai  |  OpenClaw Security Agent

Summary: 122 findings in total (12 Critical, 45 High, 31 Medium, 27 Low, 7 Info); 0 fixed or resolved. Every finding below carries status New.

Findings (122)

Each finding is listed as four lines: ID and Severity; Finding; Location (repository path with line numbers, host:port, URL or endpoint); Layer (backend, frontend, ci/cd), OWASP Top 10:2025 / LLM Top 10:2025 / Agentic Top 10:2026 category, Status.
WB-01 Critical
Firebase Service Account Private Key on Disk (Active Credential)
fixit-whatsapp-inbound-controller/secrets/serviceAccountKey.json
backend A04:2025 Cryptographic Failures, A02:2025 Security Misconfiguration New
WB-02 Critical
MongoDB Credentials in Plaintext .env Files on Disk
fixit-whatsapp-inbound-controller/.env:1-2, .env.local:2
backend A04:2025 Cryptographic Failures New
WB-03 Critical
Hardcoded CRM API Token and Secret Key in Source Code
fixit-whatsapp-inbound-controller/src/scripts/update_script.py:10-11
backend A04:2025 Cryptographic Failures, A07:2025 Authentication Failures New
WB-04 Critical
WhatsApp Webhook POST Lacks x-hub-signature-256 Verification
fixit-whatsapp-inbound-controller/src/routes/backend/webhooks/webhook.py:162-230
backend A07:2025 Authentication Failures, LLM01:2025 Prompt Injection New
WB-05 High
Raw WhatsApp User Message Injected into LLM Without Sanitization
fixit-whatsapp-agent/webhook.py:261,974,990
backend LLM01:2025 Prompt Injection, ASI01:2026 Prompt Injection via External Input New
WB-06 High
WhatsApp Webhook Signature Verification Fail-Open in Agent Service
fixit-whatsapp-agent/webhook.py:1333-1338
backend A07:2025 Authentication Failures New
WB-07 High
MCP API Keys Stored in Plaintext in MongoDB
fixit-mcp/src/db/models/c_mcp_sessions.ts:5-8
backend A04:2025 Cryptographic Failures New
WB-08 High
MCP API Key Exposed in HTTP URL Path (Logged to Axiom)
fixit-mcp/src/middleware/auth.ts:58-64, src/index.ts:44-50
backend A04:2025 Cryptographic Failures, A09:2025 Security Logging and Alerting Failures New
WB-09 High
TLS Certificate Validation Disabled on All MongoDB Connections
fixit-whatsapp-inbound-controller/src/database/connections.py:44-45, fixit-shared-config/fsc/integrations/db/mongodb_provider.py:154-155
backend A04:2025 Cryptographic Failures New
WB-10 High
Docker Containers Run as Root — No USER Directive in Runtime Stage
fixit-whatsapp-agent/Dockerfile, fixit-whatsapp-workers/Dockerfile, fixit-whatsapp-inbound-controller/Dockerfile
ci/cd A02:2025 Security Misconfiguration New
WB-11 High
GitHub Actions PR Title Injected Into Shell run: Steps (Script Injection)
pr-changelog-report.yml:312-313 across all 4 repos
ci/cd A05:2025 Injection, A08:2025 Software or Data Integrity Failures New
WB-12 High
Production K8s Workers — Excessive Linux Capabilities (SYS_PTRACE + 13 others)
fixit-whatsapp-workers/manifests/prod/deployment.yaml:securityContext.capabilities
ci/cd A02:2025 Security Misconfiguration New
WB-13 High
PII Lead Data (Names + Phone Numbers) Committed to Git History
fixit-mcp/leads.csv:1-68 (git tracked, commit 3a85047)
backend A04:2025 Cryptographic Failures, A02:2025 Security Misconfiguration New
WB-14 High
JWT_SECRET_KEY Nullable — HS256 Operations May Use None as Secret
fixit-whatsapp-inbound-controller/src/routes/ui/admin_call_recording_handler.py:33,800,1531
backend A07:2025 Authentication Failures New
WB-15 Medium
CORS Wildcard (*) When ENV=development in Inbound Controller
fixit-whatsapp-inbound-controller/main.py:291-293
backend A02:2025 Security Misconfiguration New
WB-16 Medium
Google Ads OAuth Credentials in .env.local (Commented But Real Values)
fixit-whatsapp-inbound-controller/.env.local:4-7
backend A04:2025 Cryptographic Failures New
WB-17 Medium
Insecure PRNG (random.choices) for Security-Sensitive ID Generation
fixit-whatsapp-inbound-controller/src/database/models/d_campaign.py:29, d_user.py:40, mutator/org_mutator.py:419
backend A04:2025 Cryptographic Failures New
WB-18 Medium
LLM Agent Has Write-Tool Access Without Per-Action Authorization Gate
fixit-whatsapp-agent/src/assistant.py, webhook.py
backend LLM06:2025 Excessive Agency, ASI03:2026 Insufficient Tool Authorization, ASI04:2026 Unbounded Agent Action New
WB-19 Medium
GitHub Actions Use Floating Version Tags (Supply Chain Risk)
Multiple workflows across all 4 repos (quality-check.yaml, be-lint-typecheck.yml, rollback.yml)
ci/cd A08:2025 Software or Data Integrity Failures New
WB-20 Medium
Production CI Workflow Has Unnecessary contents:write Permission
fixit-whatsapp-inbound-controller/.github/workflows/fixit-whatsapp-inbound-controller-prod.yml:16-18
ci/cd A01:2025 Broken Access Control, A08:2025 Software or Data Integrity Failures New
WB-21 Medium
WhatsApp Verify Token Logged in Plaintext
fixit-whatsapp-inbound-controller/src/routes/backend/webhooks/webhook.py:152
backend A09:2025 Security Logging and Alerting Failures New
WB-22 Low
Missing readOnlyRootFilesystem and runAsNonRoot in K8s SecurityContext
fixit-whatsapp-workers/manifests/prod/deployment.yaml, fixit-whatsapp-inbound-controller/manifests/prod/deployment.yaml
ci/cd A02:2025 Security Misconfiguration New
WB-23 Low
HTTP Requests Without Timeout to Twilio API
fixit-whatsapp-inbound-controller/src/routes/ui/admin_call_recording_handler.py:1545,1603
backend A02:2025 Security Misconfiguration New
WB-25 Critical
Hardcoded Azure Cognitive Services API Keys in Frontend and Voice Bot Source
fixitUI/components/temporary/speakText.tsx:4, fixit_voice_bot/src/livekit/livekit_integration.py:371, fixit_voice_bot/testing/azure_stt_ivr.py:12-14
frontend A04:2025 Cryptographic Failures New
WB-26 High
Missing Content-Security-Policy Header Across All Frontend Pages
fixitUI/next.config.ts (async headers section)
frontend A02:2025 Security Misconfiguration New
WB-27 High
XSS via dangerouslySetInnerHTML Rendering Unsanitized API-Sourced HTML (34 Confirmed Instances)
fixitUI/src/components/dashboards/marketing-tab.tsx:158,203,394 fixitUI/components/call-view/transcript.tsx:115 fixitUI/components/recommendations/flywheel-content.tsx:226 fixitUI/components/campaign-wizard/action-bar.tsx:98
frontend A05:2025 Injection New
WB-28 High
voice_bot Dockerfile Runs Container as Root — No USER Directive
fixit_voice_bot/Dockerfile (builder and runtime stages)
backend A02:2025 Security Misconfiguration New
WB-29 High
Excessive Linux Capabilities in voice_bot K8s Deployment (SYS_PTRACE, SYS_CHROOT, DAC_OVERRIDE)
fixit_voice_bot/manifests/dev/deployment.yaml securityContext.capabilities.add fixit_voice_bot/manifests/staging/deployment.yaml
backend A02:2025 Security Misconfiguration New
WB-30 Critical
MongoDB Connection String with Credentials Committed to SKILL.md
fixit_voice_bot/SKILL.md:856
backend A04:2025 Cryptographic Failures New
WB-31 High
Voice Bot Speech Input Passed Directly to LLM — Prompt Injection via Voice Channel
fixit_voice_bot/main.py:279 (LLMApi streaming call) fixit_voice_bot/models/conversation_bot.py:11 (system_prompt field)
backend LLM01:2025 Prompt Injection New
WB-32 High
Mongoose strict:false Applied to All Shared DB Models — Arbitrary Field Injection
fixit-shared-config-ts/src/db/base.ts:4 fixit-shared-config-ts/src/db/models/loggingSchemas.models.ts:127,213,264,309
backend A05:2025 Injection New
WB-33 High
secret_pin Stored as Plaintext String in All User Documents
fixit-shared-config-ts/src/db/models/dUser.models.ts:15,46
backend A04:2025 Cryptographic Failures New
WB-34 Medium
fixitUI Build Suppresses TypeScript Errors and ESLint — Security Rules Silent at Build
fixitUI/next.config.ts (typescript.ignoreBuildErrors, eslint.ignoreDuringBuilds)
frontend A02:2025 Security Misconfiguration New
WB-35 Medium
Hardcoded Static WebSocket Client ID Leaks Service Identity in Frontend Bundle
fixitUI/components/aiagent/voice-chat/hooks/useVoiceBotWebSocket.js:23
frontend A04:2025 Cryptographic Failures New
WB-36 Medium
Gateway Auth Rate Limiter Loopback Exemption May Bypass Protection via Proxy IP Spoofing
fixit-openclaw-integration/src/gateway/auth-rate-limit.ts (exemptLoopback default: true) fixit-openclaw-integration/src/gateway/auth.ts
backend A07:2025 Authentication Failures New
BB-01 High
CORS Wildcard Origin Reflection with Access-Control-Allow-Credentials: true
https://dev.fix-it.ai/ — all endpoints (Cloudflare Access layer)
backend A02:2025 Security Misconfiguration, A01:2025 Broken Access Control New
BB-02 High
CSP unsafe-inline Allows Arbitrary Inline Script Execution
https://dev.fix-it.ai/ — Content-Security-Policy header
frontend A02:2025 Security Misconfiguration, A05:2025 Injection New
BB-03 Medium
CSP connect-src Allows Plaintext HTTP to Loopback on Any Port
https://dev.fix-it.ai/ — Content-Security-Policy connect-src
frontend A02:2025 Security Misconfiguration New
BB-04 Medium
CF_Session Cookie Set with SameSite=None
https://dev.fix-it.ai/ — CF_Session Set-Cookie header
backend A07:2025 Authentication Failures New
BB-05 Medium
Ports 2000 (SCCP) and 5060 (SIP) Open — VoIP Protocol Exposure
dev.fix-it.ai:2000, dev.fix-it.ai:5060
backend A02:2025 Security Misconfiguration New
BB-06 Low
HSTS Missing 'preload' Directive
https://dev.fix-it.ai/ — Strict-Transport-Security header
frontend A02:2025 Security Misconfiguration New
BB-07 Low
Missing Permissions-Policy Header
https://dev.fix-it.ai/ — HTTP response headers
frontend A02:2025 Security Misconfiguration New
BB-08 Low
Deprecated X-XSS-Protection Header in Use
https://dev.fix-it.ai/ — X-XSS-Protection header
frontend A02:2025 Security Misconfiguration New
BB-09 Low
Firebase Project ID Exposed in JWT Claims — OSINT Target
Firebase project fixit-160dc
backend A06:2025 Insecure Design New
BB-10 Low
Kubernetes Dev Cluster Naming Convention Leaked via Public DNS
voicebot-staging.fix-it.ai DNS CNAME (passive OSINT only)
ci/cd A02:2025 Security Misconfiguration New
BB-11 Info
S3 Buckets 'fixit' and 'fixit-assets' Confirmed Existing (Private)
https://fixit.s3.amazonaws.com/, https://fixit-assets.s3.amazonaws.com/
backend A02:2025 Security Misconfiguration New
BB-12 Info
dev.fix-it.ai Fully Protected by Cloudflare Access (Positive Finding)
https://dev.fix-it.ai/
backend N/A — Positive Control New
BB-13 Info
Ghost DNS Entries for teleport.fix-it.ai and openclaw.fix-it.ai
teleport.fix-it.ai, openclaw.fix-it.ai
ci/cd A02:2025 Security Misconfiguration New
GB-01 Critical
PostHog Webhook Signature Verification Disabled — Privilege Escalation via Forged Webhook
fixit-inbound-controller/src/routes/backend/webhooks/posthog_webhook.py:44
backend A07:2025 Authentication Failures New
GB-02 High
Firebase Authentication API Key Invalid — Frontend Auth Misconfiguration
fixit-frontend (Sentry project) — Firebase auth initialization
frontend A07:2025 Authentication Failures New
GB-03 Medium
Internal MongoDB ObjectIDs Exposed in Plaintext Application Logs
fixit-inbound-controller/src/auth/middleware.py:71
backend A09:2025 Security Logging and Alerting Failures New
GB-04 Medium
Firebase Token Invalidation Errors in WhatsApp Service — Session Management Risk
fixit-frontend/services/WhatsAppService.ts, externalApi/request.ts
backend A07:2025 Authentication Failures New
GB-05 Low
Unauthenticated POST to /Config/SaveUploadedHotspotLogoFile — Possible Legacy Upload
dev.fix-it.ai/Config/SaveUploadedHotspotLogoFile (POST)
backend A02:2025 Security Misconfiguration New
GB-06 Low
Next.js Server Action Mismatch — Stale Deployment Cache Risk
dev.fix-it.ai — Next.js 15.5.18 Server Actions
frontend A02:2025 Security Misconfiguration New
GB-07 Low
Rate Limiting Errors — Potential API Abuse or Client-Side Throttling Gap
fixit-frontend — API calls generating rate limit errors
backend A06:2025 Insecure Design New
GB-08 Info
Intelligence Endpoints 403 Feature Gate Bypassable via PostHog Escalation (GB-01)
fixit-inbound-controller — /intelligence/* endpoints
backend A01:2025 Broken Access Control New
GB-09 Info
Grafana Internal-Only — No Public Internet Exposure (Positive Finding)
grafana.fix-it.ai
backend A02:2025 Security Misconfiguration New
RT-01 Low
Elevated warn-level Log Baseline in Backend Workers
Axiom dev-logs — 60-min window ending 2026-07-02T13:14:30Z
backend A10:2025 Mishandling of Exceptional Conditions New
RT-02 Info
Grafana Metrics Unreachable from VAPT Runner — Telemetry Coverage Gap
http://grafana.fix-it.ai (internal-only, RFC-1918)
backend A02:2025 Security Misconfiguration New
WB-37 High
K8s Deployments Missing allowPrivilegeEscalation: false (whatsapp-workers, whatsapp-agent)
fixit-whatsapp-workers/manifests/*/deployment.yaml, fixit-whatsapp-agent/manifests/*/deployment.yaml
backend A02:2025 Security Misconfiguration New
WB-38 Medium
K8s Production Ingress Serving Unencrypted HTTP (No TLS) — fixit-whatsapp-agent, fixit-whatsapp-workers
fixit-whatsapp-agent/manifests/prod/ingress.yaml:listen-ports:HTTP:80, fixit-whatsapp-workers/manifests/prod/ingress.yaml
backend A04:2025 Cryptographic Failures New
WB-39 High
Multiple High/Critical CVEs in fixit-mcp npm Dependencies (tar 8.8, hono 7.1, uuid 7.5, tmp 7.7)
fixit-mcp/package-lock.json, fixit-mcp/pnpm-lock.yaml
backend A03:2025 Software Supply Chain Failures New
WB-50 Critical
Unauthenticated MongoDB read: /db-query endpoint publicly exposed
fixit-whatsapp-inbound-controller/main.py:133 + src/routes/ui/__init__.py:80 + src/routes/ui/db_query.py:62
backend A01:2025 Broken Access Control New
WB-51 High
PostHog webhook HMAC verification disabled by default (insecure default)
fixit-whatsapp-inbound-controller/src/services/helpers/posthog_helpers.py:61
backend A07:2025 Authentication Failures New
WB-52 High
Azure Blob presigned URL endpoint missing user-scope validation on container/blob path
fixit-whatsapp-inbound-controller/src/routes/ui/blob_storage.py:48-131
backend A01:2025 Broken Access Control New
WB-53 High
LangSmith tracing hardcoded enabled in inbound-controller — PII sent to third party
fixit-whatsapp-inbound-controller/main.py:58-59
backend A04:2025 Cryptographic Failures New
WB-54 Medium
inbound-controller K8s container runs with 14 excessive Linux capabilities
fixit-whatsapp-inbound-controller/manifests/prod/deployment.yaml:80-97
ci/cd A02:2025 Security Misconfiguration New
WB-55 Medium
whatsapp-agent K8s container runs with 13 excessive Linux capabilities (incl. SYS_PTRACE)
fixit-whatsapp-agent/manifests/prod/deployment.yaml:67-86
ci/cd A02:2025 Security Misconfiguration New
WB-56 Low
Health endpoint leaks DB hostname, Redis hostname, and queue config without authentication
fixit-whatsapp-inbound-controller/main.py:602-609 + _check_connections() lines 491-598
backend A02:2025 Security Misconfiguration New
WB-57 Low
Hardcoded demo account IDs in qualifier-web trigger expose production campaign to abuse
fixit-whatsapp-inbound-controller/src/routes/backend/integrations/qualifier_web_trigger.py:60-72
backend A02:2025 Security Misconfiguration New
BB-14 Low
TLS 1.0 and TLS 1.1 Legacy Protocol Support
dev.fix-it.ai:443
backend A04:2025 Cryptographic Failures New
BB-15 Low
Cross-Origin-Embedder-Policy (COEP) Header Missing
https://dev.fix-it.ai/
frontend A02:2025 Security Misconfiguration New
BB-16 Info
Wildcard TLS Certificate Covers All Subdomains
dev.fix-it.ai:443 (cert CN: fix-it.ai, SAN: fix-it.ai, *.fix-it.ai)
backend A07:2025 Authentication Failures New
WB-58 Critical
Live GCP Service Account Key Confirmed Active by TruffleHog --only-verified (same key file as WB-01)
fixit-whatsapp-inbound-controller/secrets/serviceAccountKey.json:6
backend A07:2025 Authentication Failures New
WB-59 Medium
Container Images Deployed Without SHA256 Digest Pinning (Supply Chain Risk)
fixit-whatsapp-agent/manifests/pr-preview/deployment.yaml, manifests/dev/deployment.yaml, manifests/prod/deployment.yaml
ci/cd A03:2025 Software Supply Chain Failures New
WB-60 Medium
Stored Prompt Injection: Historical WhatsApp Messages Replayed to LLM Without Sanitization
fixit-whatsapp-agent/src/utils/context_processor.py:59,134,187,262,322
backend A05:2025 Injection, LLM01:2025 Prompt Injection New
WB-61 High
Credentials and Secrets Logged in Plaintext — 92 Instances Across All Repos (Semgrep)
fixit-shared-config/fsc/integrations/ai/google_key_pool.py:231, fixit-whatsapp-agent/scripts/openclaw/openclaw_runner.py:371, fixit-whatsapp-inbound-controller/src/auth/firebase.py:36, fixit-whatsapp-workers/src/utils/keyvault_loader.py:93 (+88 more instances)
backend A09:2025 Security Logging and Alerting Failures New
WB-62 Medium
ReDoS Risk: RegExp() Called with User-Controlled Term in fixit-mcp serper.ts
fixit-mcp/src/intel/adapters/serper.ts:186
backend A06:2025 Insecure Design New
WB-63 Critical
Firebase JWT Decoded with verify=False — Authentication Signature Bypass
fixit-whatsapp-inbound-controller/src/auth/firebase.py
backend A07:2025 Authentication Failures New
WB-64 High
Unencrypted WebSocket Connections (ws://) — Plaintext Token and Audio Transmission Across 4 Repos
fixit_voice_bot/src/livekit/hamsa_tts.py:318, fixit_voice_bot/src/livekit/livekit_integration.py:79 & :87, fixit_voice_bot/src/utils/service_health.py:210, fixitUI/lib/envUrls.ts:113, fixitUI/__tests__/callaudit/chat-db/index.test.tsx:10, fixit-openclaw-integration/src/cli/gateway-cli.coverage.e2e.test.ts:157 & :192, fixit-openclaw-integration/CHANGELOG.md:1166 (example URL), fixit-openclaw-integration/apps/ios/README.md:13, fixit-openclaw-integration/apps/macos/Sources/OpenClaw/GatewayDiscoveryHelpers.swift:43, fixit-openclaw-integration/apps/macos/Sources/OpenClaw/GeneralSettings.swift:306
backend A04:2025 Cryptographic Failures New
WB-65 High
Slack Webhook URL Hardcoded in Prometheus Monitoring Manifest
fixitUI/manifests/monitoring/prometheus/prod/values.yaml:5
backend A04:2025 Cryptographic Failures New
WB-66 High
SSRF via urllib with Dynamic file:// URL — Potential Local File Read Across 4 Repos
fixit-openclaw-integration/skills/openai-image-gen/scripts/gen.py:122 & :227, fixit-whatsapp-agent/scripts/ci/check_min_package_age.py:52, fixit-whatsapp-agent/scripts/openclaw/fixit_data_entry_test.py:99, fixit_voice_bot/src/utils/blob_storage.py:313
backend A01:2025 Broken Access Control (SSRF) New
WB-67 High
Arbitrary Python Module Loading via importlib.import_module() with User Input
fixit-whatsapp-workers/src/database/selectors/__init__.py:24
backend A05:2025 Injection New
WB-68 Critical
OTP Authentication Bypass — /api/dev-auth and /api/engagement-token Trust User-Controlled Origin Header
fixitUI/app/api/dev-auth/route.ts, fixitUI/app/api/engagement-token/route.ts
backend A07:2025 Authentication Failures New
WB-69 High
NODE_TLS_REJECT_UNAUTHORIZED=0 Set in All K8s Environments — TLS Certificate Validation Globally Disabled
fixit-openclaw-integration/manifests/dev/deployment.yaml, fixit-openclaw-integration/manifests/staging/deployment.yaml, fixit-openclaw-integration/manifests/prod/deployment.yaml
backend A04:2025 Cryptographic Failures New
WB-70 Medium
Developer ngrok Tunnel URLs in Production CORS Allowlist
fixit-openclaw-integration/src/config/cors.ts (or equivalent CORS config)
backend A02:2025 Security Misconfiguration New
WB-71 Medium
JWT Auth Token Passed in WebSocket URL Query String — Leaks to Logs, Proxies, and Browser History
fixitUI/components/aiagent/voice-chat/hooks/useVoiceBotWebSocket.js
frontend A04:2025 Cryptographic Failures New
WB-72 High
Second Hardcoded Azure Speech API Key in fixit_voice_bot Testing Module (Distinct from WB-25)
fixit_voice_bot/testing/azure_stt_ivr.py
backend A04:2025 Cryptographic Failures New
WB-73 Critical
GCP / Firebase Service-Account Private Key in fixit_voice_bot Git History
fixit_voice_bot/gcp_vertex_key.json (git history, commit 44151a2a, 2026-04-21)
backend A04:2025 Cryptographic Failures, A02:2025 Security Misconfiguration New
WB-74 High
WhatsApp Webhook HMAC Signature Verification Missing / Fail-Open in inbound-controller (same handler as WB-04)
fixit-whatsapp-inbound-controller/src/routes/backend/webhooks/webhook.py:162
backend A07:2025 Authentication Failures New
WB-75 High
E2E Test-Mode Authentication Bypass via X-Playwright-E2E Header in inbound-controller
fixit-whatsapp-inbound-controller/src/auth/firebase.py:29-35, 48-49, 79-80, 108-109
backend A07:2025 Authentication Failures New
WB-76 High
fixit-mcp: 37 Vulnerable npm Dependencies — hono IP Bypass, tar Arbitrary File Write, tmp Path Traversal
fixit-mcp/package-lock.json (npm audit)
backend A03:2025 Software Supply Chain Failures New
WB-77 High
Customer Lead PII Committed to fixit-mcp Repository (leads.csv, 67 Records; same file as WB-13)
fixit-mcp/leads.csv (67 records, currently tracked in repo)
backend A04:2025 Cryptographic Failures New
WB-78 High
.env File with ~15 Secrets Committed to fixitUI Git History
fixitUI/.env (git history — ~15 secret pattern matches)
backend A04:2025 Cryptographic Failures New
WB-79 High
Production gunicorn Error Log with 152 Secret Matches Committed to fixitUI History
fixitUI/backend/logs/gunicorn-error.log (git history)
backend A09:2025 Security Logging and Alerting Failures, A04:2025 Cryptographic Failures New
WB-80 High
Firebase Admin SDK Private Keys Committed to fixitUI Git History
fixitUI/lib/firebase-admin.ts (history), fixitUI/newUI/lib/firebase-admin.ts (history), fixitUI/scripts/migrateAndUpdateUsers.js (history)
backend A04:2025 Cryptographic Failures, A07:2025 Authentication Failures New
WB-81 High
OpenAI and Google API Keys Committed to fixitUI Git History
fixitUI/backend/main.py (history), fixitUI/backend/module/CPU1.py (history), fixitUI firebase config files (history)
backend A04:2025 Cryptographic Failures New
WB-82 High
SSRF in Unauthenticated Next.js Image Proxy — /api/demo/logo-proxy Lacks Host Allowlist
fixitUI/app/api/demo/logo-proxy/route.ts
frontend A01:2025 Broken Access Control New
WB-83 High
Fail-Open Authorization: Missing Role Claim Defaults to 'admin' in fixit_voice_bot
fixit_voice_bot/helper/read_auth_token.py
backend A01:2025 Broken Access Control, A10:2025 Mishandling of Exceptional Conditions New
WB-84 Medium
Full WhatsApp Webhook Payload Including Phone Numbers Logged in Cleartext
fixit-whatsapp-inbound-controller/src/routes/backend/webhooks/webhook.py:200
backend A09:2025 Security Logging and Alerting Failures New
WB-85 Medium
fixit-openclaw-integration: 53 Dependency Advisories in pnpm Tree
fixit-openclaw-integration/pnpm-lock.yaml (osv-scanner)
backend A03:2025 Software Supply Chain Failures New
WB-86 Medium
JWT Bearer Tokens and Azure AD Client Secret in fixit-whatsapp-inbound-controller Git History
fixit-whatsapp-inbound-controller/Gupshup_Scripts/src/**/constants.py (history), fixit-whatsapp-inbound-controller/src/utils/keyvault_loader.py (history)
backend A04:2025 Cryptographic Failures New
WB-87 Medium
AWS Access Token Committed in fixitUI Playwright Test Report
fixitUI/playwright-report/summary.html (git history)
ci/cd A04:2025 Cryptographic Failures New
WB-88 Medium
Unauthenticated /monitor and /monitor/subprocesses Endpoints Expose Runtime Internals
fixit-whatsapp-workers/main.py:421 (GET /monitor), fixit-whatsapp-workers/main.py:497 (GET /monitor/subprocesses)
backend A01:2025 Broken Access Control, A02:2025 Security Misconfiguration New
WB-89 Medium
Shared Static-Password Authentication Without Rate Limiting in fixitUI verify-password Route
fixitUI/app/api/auth/verify-password/route.ts
frontend A06:2025 Insecure Design, A07:2025 Authentication Failures New
WB-90 Low
WhatsApp Webhook verify_token Logged in Cleartext (same line as WB-21)
fixit-whatsapp-inbound-controller/src/routes/backend/webhooks/webhook.py:152
backend A09:2025 Security Logging and Alerting Failures New
WB-91 Low
Python Services Bind to All Network Interfaces (0.0.0.0) — Bandit B104
fixit-whatsapp-agent/main.py, fixit-whatsapp-workers/main.py, fixit_voice_bot/main.py, fixit-whatsapp-inbound-controller/main.py
backend A02:2025 Security Misconfiguration New
WB-92 Low
HTTP Requests Without Explicit Timeouts in Multiple Python Services — Bandit B113
fixit-whatsapp-agent (multiple files), fixit-whatsapp-workers (multiple files), fixit_voice_bot/src (multiple files), fixit-whatsapp-inbound-controller (multiple files)
backend A10:2025 Mishandling of Exceptional Conditions New
WB-93 Low
MD5 Used for Identifier Generation in fixit_voice_bot Testing Utilities — Bandit B327
fixit_voice_bot/testing/utilities.py:269
backend A04:2025 Cryptographic Failures New
WB-94 Low
Unsafe XML Parsing (Potential XXE) in fixit-shared-config Test Helper — Bandit B411
fixit-shared-config/tests/fsc/_build_gap_json.py:64, 73, 112, 119
backend A05:2025 Injection New
WB-95 Low
Hardcoded /tmp Paths in fixit-whatsapp-agent and fixit-whatsapp-workers — Bandit B108
fixit-whatsapp-agent (32 instances), fixit-whatsapp-workers (21 instances)
backend A02:2025 Security Misconfiguration New
WB-96 Low
fixitUI: 4 Dependency Advisories from OSV Scanner (Not Detected by npm audit)
fixitUI/lockfile (osv-scanner)
frontend A03:2025 Software Supply Chain Failures New
WB-97 Low
Build Gates Disabled: eslint.ignoreDuringBuilds and typescript.ignoreBuildErrors in next.config.js (same settings as WB-34, which cites next.config.ts)
fixitUI/next.config.js
frontend A02:2025 Security Misconfiguration New
WB-98 Low
Subprocess Launched with Request-Derived Arguments in fixit_voice_bot Testing Module
fixit_voice_bot/testing/azure_stt_essentials.py:771, 775, 803, 807
backend A05:2025 Injection New
WB-99 Low
WebSocket Connection Accepted Before Authentication Check in fixit_voice_bot bot_router.py
fixit_voice_bot/routes/v1/bot/bot_router.py:107-113
backend A07:2025 Authentication Failures New
WB-100 Low
No Supply Chain Cooldown: pnpm Minimum-Release-Age and uv Dependency Cooldown Not Configured
fixit-openclaw-integration pnpm-workspace.yaml, Python services pyproject.toml / uv.lock
ci/cd A03:2025 Software Supply Chain Failures New
WB-101 Low
MongoDB Connection Strings in Documentation and Test Fixtures (SKILL.md entry overlaps WB-30)
fixit_voice_bot/SKILL.md (history), fixit-whatsapp-agent/tests/ (test fixtures)
backend A04:2025 Cryptographic Failures New
WB-102 Medium
XSS Risk: Template Variables Injected into Script Blocks
fixit-openclaw-integration/export-html/template.html
backend A05:2025 Injection New
WB-103 High
LiveKit API Key Hardcoded in Testing Module (fixit_voice_bot)
fixit_voice_bot/testing/livekit_integration.py:371
backend A04:2025 Cryptographic Failures New
WB-104 Medium
Hardcoded Azure Cognitive Services Key in azure_stt_logger.py
fixit_voice_bot/testing/azure_stt_logger.py:30
backend A04:2025 Cryptographic Failures New
WB-105 High
Hardcoded client_id Credential in VoiceBot WebSocket Hook (same line as WB-35)
fixitUI/components/aiagent/voice-chat/hooks/useVoiceBotWebSocket.js:23
frontend A04:2025 Cryptographic Failures New
WB-106 High
RSA Private Key Embedded in E2E Test File (fixit-openclaw-integration)
fixit-openclaw-integration/gateway/client.e2e.test.ts:85
backend A04:2025 Cryptographic Failures New
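For WB-04, WB-06 and WB-74 (and the same HMAC pattern behind GB-01 and WB-51), this is the check a reviewer would want to see in the webhook handler, written here as an added example and not taken from the project's code: verification runs over the raw request bytes before any JSON parsing, a missing or malformed X-Hub-Signature-256 header is a rejection rather than a skip, an unconfigured secret is a hard error, and the comparison is constant-time. The secret, the handler names and the sample payload are constructed for the demo; the fail-open variant is included only to show the bug the findings describe.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed secret for the demo. A real deployment loads it from a secret store,
# never from a checked-in file (cf. WB-02/WB-03).
APP_SECRET = b"constructed-demo-app-secret"


def sign_body(app_secret: bytes, raw_body: bytes) -> str:
    """Produce the header value Meta sends: 'sha256=' + hex HMAC-SHA256 over the raw bytes."""
    return "sha256=" + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()


def verify_hub_signature(app_secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Fail closed: no secret is a configuration error, a missing or malformed header
    is a rejected request, and the digest comparison is constant-time."""
    if not app_secret:
        raise RuntimeError("webhook app secret is not configured; refusing to accept webhooks")
    if not header_value or not header_value.startswith("sha256="):
        return False
    provided = header_value[len("sha256="):].strip().lower()
    expected = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


def handle_webhook(headers: dict, raw_body: bytes, app_secret: bytes = APP_SECRET) -> Tuple[int, str]:
    """Hypothetical POST handler: verify the raw bytes first, parse JSON second.
    Returns (HTTP status, reason) so the outcome can be checked without a web framework."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    if not verify_hub_signature(app_secret, raw_body, lowered.get("x-hub-signature-256")):
        return 403, "missing or invalid X-Hub-Signature-256"
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, "body is not JSON"
    # Only now does the body reach business logic (and, downstream, the LLM).
    messages = sum(len(change.get("value", {}).get("messages", []))
                   for entry in payload.get("entry", [])
                   for change in entry.get("changes", []))
    return 200, f"accepted {messages} message(s)"


def handle_webhook_fail_open(headers: dict, raw_body: bytes, app_secret: bytes = APP_SECRET) -> Tuple[int, str]:
    """The anti-pattern behind WB-06/WB-74: verification only runs when the header
    happens to be present, so an attacker simply omits it. Shown for contrast only."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sig = lowered.get("x-hub-signature-256")
    if sig is not None and not verify_hub_signature(app_secret, raw_body, sig):
        return 403, "invalid signature"
    return 200, "accepted (unverified)"


if __name__ == "__main__":
    # Constructed WhatsApp Cloud API style payload.
    body = b'{"entry":[{"changes":[{"value":{"messages":[{"from":"15550000000","text":{"body":"hi"}}]}}]}]}'
    signed = {"X-Hub-Signature-256": sign_body(APP_SECRET, body)}
    print(handle_webhook(signed, body))            # legitimate delivery: 200
    print(handle_webhook({}, body))                # no header: 403 (fail closed)
    print(handle_webhook_fail_open({}, body))      # the bug: 200 with no check at all
```

Read the raw body exactly once and verify that byte string; re-serialising a parsed object before hashing breaks on key order and whitespace. In Flask that is `request.get_data()`, in FastAPI `await request.body()`, not the parsed JSON object.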
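WB-14, WB-63 and WB-83 are three faces of one mistake: acting on a token without a real check. This added example (not the project's code; the Firebase path in WB-63 carries RS256 ID tokens, which belong in the Firebase Admin SDK verifier rather than in an HS256 routine like this one) implements HS256 issue and verify with the standard library so the difference is visible offline: decoding without verification accepts a forged payload, verification rejects it, an empty or None secret is refused before it can reach the HMAC, the algorithm is pinned, and a missing role claim denies rather than defaults to admin. The secret, the claims and ALLOWED_ROLES are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ROLES = ("viewer", "operator", "admin")  # assumption: the application's role vocabulary


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_encode(claims: dict, secret: Optional[str]) -> str:
    """Issue an HS256 token. Refuses an empty/None secret instead of signing with nothing (WB-14)."""
    if not secret:
        raise RuntimeError("JWT_SECRET_KEY is not configured")
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def forge_token(claims: dict) -> str:
    """What an attacker can build without the secret: any payload, garbage signature."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.AAAA"


def decode_unverified(token: str) -> dict:
    """Equivalent of decoding with verify=False (WB-63): the payload is trusted as-is."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def hs256_verify(token: str, secret: Optional[str], now: Optional[float] = None) -> dict:
    """Check secret presence, structure, algorithm, signature and expiry; raise on any failure."""
    if not secret:
        raise RuntimeError("JWT_SECRET_KEY is not configured")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: rejects alg=none and blocks RS256/HS256 key-confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def role_from_claims(claims: dict) -> str:
    """Authorization fails closed (WB-83): a missing or unknown role is a denial, never 'admin'."""
    role = claims.get("role")
    if role not in ALLOWED_ROLES:
        raise PermissionError("no recognised role claim")
    return role


if __name__ == "__main__":
    secret = "constructed-demo-secret"
    good = hs256_encode({"sub": "u1", "role": "viewer", "exp": 2_000_000_000}, secret)
    forged = forge_token({"sub": "u1", "role": "admin", "exp": 2_000_000_000})
    print("unverified decode of forged token:", decode_unverified(forged)["role"])  # admin
    print("verified decode of good token:", hs256_verify(good, secret)["role"])      # viewer
    try:
        hs256_verify(forged, secret)
    except ValueError as exc:
        print("forged token rejected:", exc)
```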
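For the Kubernetes and image findings (WB-10, WB-12, WB-22, WB-28, WB-29, WB-37, WB-54, WB-55, WB-59), an audit check added here as an example, not part of the report's own tooling, that walks a parsed Deployment manifest and reports the gaps those findings name. The two manifests are constructed to mirror the weak and hardened shapes and are not the project's real files; the assumption that none of these workloads needs any added Linux capability is stated in the code.

```python
from typing import Dict, List

# Assumption: none of the Python/Node workloads in the report needs to add a Linux capability,
# so anything in capabilities.add is reported. This set only marks the ones worth naming loudly.
HIGH_RISK_CAPS = {"SYS_PTRACE", "SYS_ADMIN", "SYS_CHROOT", "DAC_OVERRIDE",
                  "SYS_MODULE", "NET_ADMIN", "NET_RAW", "SETUID", "SETGID"}


def audit_container(container: dict) -> List[str]:
    """Return the hardening gaps for one container spec (empty list means it passes)."""
    issues = []
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        issues.append("privileged: true")
    if sc.get("runAsNonRoot") is not True:
        issues.append("runAsNonRoot is not true (WB-22)")
    if sc.get("allowPrivilegeEscalation") is not False:
        issues.append("allowPrivilegeEscalation is not false (WB-37)")
    if sc.get("readOnlyRootFilesystem") is not True:
        issues.append("readOnlyRootFilesystem is not true (WB-22)")
    caps = sc.get("capabilities") or {}
    drop = set(caps.get("drop") or [])
    add = set(caps.get("add") or [])
    if "ALL" not in drop:
        issues.append("capabilities.drop does not include ALL")
    if add:
        flagged = sorted(add & HIGH_RISK_CAPS)
        detail = f", high-risk: {', '.join(flagged)}" if flagged else ""
        issues.append(f"capabilities.add grants {len(add)} capabilities{detail} (WB-12/WB-54/WB-55)")
    image = container.get("image", "")
    if "@sha256:" not in image:
        issues.append(f"image {image!r} is not pinned by digest (WB-59)")
    return issues


def audit_deployment(manifest: dict) -> Dict[str, List[str]]:
    """Audit every container (init containers included) in a Deployment parsed from YAML/JSON."""
    pod = manifest["spec"]["template"]["spec"]
    containers = list(pod.get("initContainers", [])) + list(pod.get("containers", []))
    return {c["name"]: audit_container(c) for c in containers}


# Constructed manifests mirroring the patterns in the findings; not the project's real files.
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "whatsapp-workers"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "workers",
        "image": "registry.example.internal/fixit-whatsapp-workers:latest",
        "securityContext": {"capabilities": {"add": [
            "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
            "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
            "AUDIT_WRITE", "SYS_PTRACE"]}},
    }]}}},
}

HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "whatsapp-workers"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "workers",
        "image": "registry.example.internal/fixit-whatsapp-workers@sha256:" + "0" * 64,
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "seccompProfile": {"type": "RuntimeDefault"},
            "capabilities": {"drop": ["ALL"]},
        },
    }]}}},
}

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        for name, issues in audit_deployment(manifest).items():
            print(f"{label}/{name}: {'OK' if not issues else ''}")
            for issue in issues:
                print("  -", issue)
```

runAsNonRoot: true also turns the Dockerfile findings (WB-10, WB-28) into a start-time failure: the kubelet refuses to start a container whose effective UID is 0, so the image needs a numeric non-root USER as well, and readOnlyRootFilesystem needs an emptyDir mounted wherever the service writes (cf. the /tmp usage in WB-95).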