CVE-2026-45365: FastAPI Internal Auth Bypass Flag As Query Param
greprules fetch cve-2026-45365-fastapi-internal-auth-bypass-flag-as-query-param --engine opengrep

Description
FastAPI route handler `$FN` declares `$PARAM` as a plain primitive-typed function parameter. Because the parameter is a `bool`/`Optional[bool]` and is not wrapped in `Body(...)`, `Header(...)`, `Cookie(...)`, or `Depends(...)`, FastAPI binds it to the HTTP query string. An external caller can therefore append `?$PARAM=true` to the request URL and flip an int
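One way to check source for the binding rule described above, written here as an added illustration and not the greprules or opengrep rule itself: a standard-library `ast` scan that reports every `bool`/`Optional[bool]`/`bool | None` parameter of a FastAPI route handler whose default is not a `Body`, `Header`, `Cookie` or `Depends` call, and that also treats `Annotated[bool, Depends(...)]` as wrapped. The sample source, the handler and parameter names, the set of route decorator names, and the inclusion of `Path`, `Form` and `File` among the safe wrappers are assumptions made for the example.

```python
import ast
from typing import List, Tuple

# Decorator attributes FastAPI uses to register routes (app.get, router.post, ...); constructed list
ROUTE_METHODS = {"get", "post", "put", "patch", "delete", "options", "head", "api_route"}
# Wrappers that take a parameter off the query string (Path/Form/File added as an assumption)
SAFE_WRAPPERS = {"Body", "Header", "Cookie", "Depends", "Path", "Form", "File"}


def _name_of(node) -> str:
    """Bare name of a Name or Attribute node; '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return ""


def _is_route_handler(fn) -> bool:
    """True when a decorator is a call such as @app.get(...) or @router.post(...)."""
    for dec in fn.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if isinstance(target, ast.Attribute) and target.attr in ROUTE_METHODS:
            return True
    return False


def _is_bool_annotation(ann) -> bool:
    """Match bool, Optional[bool], Union[bool, ...] and bool | None."""
    if isinstance(ann, ast.Name):
        return ann.id == "bool"
    if isinstance(ann, ast.Subscript) and _name_of(ann.value) in {"Optional", "Union"}:
        inner = ann.slice  # Python 3.9+: the subscript expression itself
        elts = inner.elts if isinstance(inner, ast.Tuple) else [inner]
        return any(_is_bool_annotation(e) for e in elts)
    if isinstance(ann, ast.BinOp) and isinstance(ann.op, ast.BitOr):
        return _is_bool_annotation(ann.left) or _is_bool_annotation(ann.right)
    return False


def _unwrap_annotated(ann):
    """Split Annotated[T, meta...] into (T, [meta...]); other annotations pass through."""
    if isinstance(ann, ast.Subscript) and _name_of(ann.value) == "Annotated":
        elts = ann.slice.elts if isinstance(ann.slice, ast.Tuple) else [ann.slice]
        return elts[0], list(elts[1:])
    return ann, []


def _is_safe_wrapper(node) -> bool:
    """True for a call such as Depends(...), Header(...) or Body(...)."""
    return isinstance(node, ast.Call) and _name_of(node.func) in SAFE_WRAPPERS


def _params_with_defaults(fn):
    """Yield (arg, default-or-None) for positional and keyword-only parameters."""
    a = fn.args
    positional = a.posonlyargs + a.args
    padding = [None] * (len(positional) - len(a.defaults))
    yield from zip(positional, padding + list(a.defaults))
    yield from zip(a.kwonlyargs, a.kw_defaults)


def find_query_bound_bool_params(source: str) -> List[Tuple[str, str, int]]:
    """Return (handler, parameter, line) for each bool parameter FastAPI would read from the query string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if not _is_route_handler(node):
            continue
        for arg, default in _params_with_defaults(node):
            type_expr, metadata = _unwrap_annotated(arg.annotation)
            if not _is_bool_annotation(type_expr):
                continue
            # Wrapped as a default or as Annotated metadata: not bound to the query string
            if _is_safe_wrapper(default) or any(_is_safe_wrapper(m) for m in metadata):
                continue
            findings.append((node.name, arg.arg, arg.lineno))
    return findings


# Constructed sample: two handlers show the flagged pattern, one shows the wrapped form.
SAMPLE = '''\
from typing import Annotated, Optional
from fastapi import Depends, FastAPI, Header

app = FastAPI()

def caller_is_internal() -> bool:
    return False  # stand-in for a real trust check

@app.get("/report")
async def report(org_id: int, include_private: bool = False):
    ...

@app.post("/export")
def export(payload: dict, skip_auth: Optional[bool] = None):
    ...

@app.get("/safe")
def safe(internal: Annotated[bool, Depends(caller_is_internal)], debug: bool = Header(False)):
    ...
'''

if __name__ == "__main__":
    for handler, param, line in find_query_bound_bool_params(SAMPLE):
        print(f"line {line}: {handler}() binds bool parameter '{param}' to the query string")
```

Running it on the sample reports `include_private` in `report` and `skip_auth` in `export`; the `/safe` handler is silent because both of its flags are supplied through `Depends` and `Header`. The check relies on the Python 3.9+ shape of `ast.Subscript.slice` and only sees decorator-registered routes; handlers registered another way would need a separate match.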
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided