May 30, 2026
Admin Dashboard Accessible Without Authentication
Severity: critical Bounty: 5 digits (PHP)

By 3r3n
I discovered this vulnerability during a bug bounty event sponsored by a local tech company in collaboration with our school.
This vulnerability is simple enough for those who already know about security. But I want to share it because sometimes it can really confuse developers.
Here's How I found it.
I noticed that the admin subdomain console had a login form meant only for admins. That got my attention!
I ran a directory brute-forcer and saw several directories returning 302 status code including /user
when i opened /user in my browser, it redirected to the login page. That's normal behavior for unauthenticated users.
But I got curious — What if I could bypass the redirect? I tried accessing the same directory without following the redirect!. And it worked.
Proof of Concept (POC):
All 302-protected directories became accessible — no authentication required.
This vulnerability is responsibly disclosed.