Overview
CVE-2026-2975 describes a security flaw in FastApiAdmin up to version 2.2.0: the function reset_api_docs in the Custom Documentation Endpoint improperly handles access control, leading to information disclosure. The vulnerability is an instance of Broken Object Level Authorization: an endpoint that manipulates or reveals sensitive application data (here, the OpenAPI or OpenAPI-like documentation) can be reached without proper authorization. An attacker who can reach the server could trigger the reset_api_docs path and retrieve the entire API surface, including internal routes, schemas, and security details, which enlarges the attack surface for further abuse. The CVE illustrates how a trusted admin-like operation can expose an object (the API docs) to unauthorized actors, leaking sensitive information about the backend and its endpoints. A public exploit has been released, which amplifies the risk in production environments where docs or admin endpoints were left unprotected. CWE-200 (Information Exposure) and CWE-284 (Improper Access Control) cover this class of vulnerability, in which an object (the API documentation) is accessible without verifying the requester's authorization, enabling information leakage and potential misuse.
Affected Versions
FastApiAdmin up to and including 2.2.0 (<= 2.2.0)
Code Fix Example
FastAPI API Security Remediation
# Vulnerable pattern (no auth on admin docs)
from fastapi import FastAPI

vuln_app = FastAPI()

@vuln_app.post("/admin/reset_api_docs")
async def reset_api_docs_vuln():
    # Exposes the full OpenAPI schema to any caller, authenticated or not
    return vuln_app.openapi()


# Fixed pattern (requires admin authentication)
from fastapi import FastAPI, Depends, HTTPException
from fastapi.security import OAuth2PasswordBearer

secure_app = FastAPI()
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/token")

async def get_current_admin(token: str = Depends(oauth2_scheme)):
    # Placeholder check for illustration only; implement real token
    # validation and an admin-role check in production
    if token != "admin-token":
        raise HTTPException(status_code=401, detail="Unauthorized")
    return {"username": "admin", "is_admin": True}

@secure_app.post("/admin/reset_api_docs")
async def reset_api_docs_secure(user=Depends(get_current_admin)):
    # Only callers that pass get_current_admin reach this point; everyone
    # else receives 401 from the dependency before the handler runs
    return secure_app.openapi()
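The fixed pattern above leaves the actual credential check as a placeholder string comparison. The following added example (not code from the advisory or from the FastApiAdmin project) shows one framework-agnostic way to fill that gap: an HMAC-signed bearer token carrying a role claim and an expiry, verified with a constant-time comparison, and an authorization gate that returns the HTTP status the admin docs endpoint should answer with. It runs with the standard library only so the decision logic can be exercised without FastAPI; the signing key, token layout, role name and status-code policy are assumptions chosen for the demonstration.

```python
# Added example, not part of the advisory or of FastApiAdmin.
# Dependency-free authorization gate for an admin-only documentation endpoint.
import base64
import hashlib
import hmac
import json
import time

# Assumption: in production this comes from the environment or a secret store.
SIGNING_KEY = b"replace-with-a-32-byte-secret-from-the-environment"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, roles: list, ttl_seconds: int = 900,
                now=None, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact token: base64(payload).base64(HMAC-SHA256(payload))."""
    issued = time.time() if now is None else now
    payload = json.dumps(
        {"sub": username, "roles": roles, "exp": int(issued + ttl_seconds)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now=None, key: bytes = SIGNING_KEY):
    """Return the claims dict if signature and expiry check out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None  # expired or missing expiry
    return claims


def authorize_docs_reset(headers: dict, now=None) -> int:
    """Decide whether a request may reach the admin docs endpoint.

    401: missing or invalid credentials, 403: valid but not an admin,
    200: allowed. Anything other than 200 must never return the schema.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    claims = verify_token(token, now=now)
    if claims is None:
        return 401
    roles = claims.get("roles")
    if not isinstance(roles, list) or "admin" not in roles:
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests for a quick local run.
    t = 1_700_000_000
    admin = issue_token("alice", ["admin"], now=t)
    viewer = issue_token("bob", ["viewer"], now=t)
    print("anonymous ->", authorize_docs_reset({}, now=t))
    print("admin     ->", authorize_docs_reset({"Authorization": "Bearer " + admin}, now=t))
    print("viewer    ->", authorize_docs_reset({"Authorization": "Bearer " + viewer}, now=t))
    print("expired   ->", authorize_docs_reset({"Authorization": "Bearer " + admin}, now=t + 901))
```

The gate is deliberately separated from the web framework: in FastAPI it would sit inside the `get_current_admin` dependency and raise `HTTPException` with the returned status, but the same function can back an audit test that replays stored request headers and asserts that nothing other than an unexpired admin token yields 200. Note the 401/403 split: a valid non-admin token is a distinct, logged condition from a missing or forged one, which helps detection of authorization probing against the docs endpoint.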