Lakshman Kumar Pandey Fixes Drupal JSON\:API Username Exposure Vulnerability

Drupal expert Lakshman Kumar Pandey discovered and resolved a security flaw in a headless Drupal implementation using JSON\:API. A routine scan revealed that unauthenticated API requests could confirm valid usernames, creating a potential entry point for targeted attacks. Despite no passwords being exposed, the system returned a 200 OK with metadata confirming user identities like "admin."

The issue stemmed from JSON:API’s reliance on entity access rather than UI permissions. User entities were unintentionally exposed, and anonymous users could enumerate usernames due to the absence of field-level access restrictions.

To fix the problem, Lakshman disabled the user endpoint using the `jsonapi_extras` module, enforced route restrictions programmatically, and audited all API exposures using tools such as Postman and JSON\:API Explorer. His actions blocked username enumeration and resolved the vulnerability.

Lakshmans write-up emphasizes the need to audit JSON\:API endpoints even when no sensitive data appears exposed. Developers running headless Drupal applications are encouraged to verify and harden their API configurations.

For more details, visit Lakshman Kumar Pandey’s article on LinkedIn.