Context-Inappropriate Capability
Medium
- Confidence
- 99% confidence
- Finding
- The application exposes an admin dashboard plus unauthenticated lead and message APIs that return full phone numbers, qualification data, and conversation history to any requester who can reach the server. Because there is no authentication or authorization on '/', '/api/leads', or '/api/leads/<id>/messages', this creates a direct privacy breach and broad unauthorized access to sensitive customer communications.
