Automated Scans Target Swagger JSON Files Across Enterprise APIs, Raising Potential Data Exposure Risks
What Happened — Security researchers observed a surge in automated internet‑wide scans that enumerate swagger.json files exposed by enterprise web services. The scans aim to harvest OpenAPI specifications, which can reveal endpoint structures, authentication schemes, and data models.
Why It Matters for TPRM —
- OpenAPI specs can expose undocumented or insecure endpoints that third‑party vendors may rely on.
- Attackers can use the harvested specifications to craft targeted exploits or credential‑stuffing attacks against supply‑chain partners.
- Persistent scanning indicates a growing reconnaissance phase that precedes more active exploitation.
Who Is Affected — SaaS platforms, API gateways, ERP/CRM integrations, and any organization publishing Swagger/OpenAPI documentation publicly.
Recommended Actions — Conduct an inventory of publicly accessible swagger.json files, restrict access to authenticated users or IP allow‑lists, and validate that the documented endpoints enforce strong authentication and least‑privilege controls.
Technical Notes —
- Attack vector: Automated internet scanning (misconfiguration discovery).
- Data types exposed: API endpoint URLs, request/response schemas, optional example data, and sometimes API keys embedded in examples.
- Mitigations: Deploy web‑application firewalls to block generic /.well-known/swagger.json requests, enforce authentication on API documentation portals, and regularly review API specs for sensitive information leakage.
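As an added example (not code from the SANS advisory or from any tool it names), a Python check for two of the review steps above: operations documented with no effective security requirement, and example values that look like embedded API keys. The sample spec and the credential regex are constructed for illustration and are assumptions, not page content.

```python
import json
import re

# Constructed sample OpenAPI 3 document (not taken from the page): a global
# bearer requirement, one operation that opts out of it with "security": [],
# and a query parameter whose example embeds a credential-looking value.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/orders": {"get": {"responses": {"200": {"description": "ok"}}}},
    "/internal/export": {"post": {"security": [], "responses": {"200": {"description": "ok"}}}},
    "/partners": {"get": {"parameters": [{"name": "api_key", "in": "query",
        "schema": {"type": "string"}, "example": "sk_live_0123456789abcdef0123"}],
      "responses": {"200": {"description": "ok"}}}}
  }
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Heuristic patterns (assumed, not exhaustive) for values that should never sit in a published spec.
SECRET_VALUE = re.compile(r"(?i)(sk_live_|AKIA[0-9A-Z]{16}|eyJ[A-Za-z0-9_-]{10,}|\b[a-f0-9]{32,}\b)")

def find_unauthenticated_operations(spec):
    """Return 'METHOD path' for each operation whose effective security list is
    empty: no per-operation list and no global list, or an explicit opt-out."""
    global_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary", vendor extensions
            if not operation.get("security", global_security):
                findings.append(f"{method.upper()} {path}")
    return findings

def find_embedded_secrets(node, trail=()):
    """Walk the document and return the key path of every example/default
    string value that matches a credential pattern."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("example", "default") and isinstance(value, str) and SECRET_VALUE.search(value):
                findings.append(trail + (key,))
            findings.extend(find_embedded_secrets(value, trail + (key,)))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_embedded_secrets(value, trail + (index,)))
    return findings
```

Run both functions over each inventoried spec; any hit on the first list is an endpoint to re-check against the gateway's real policy, and any hit on the second is a value to rotate and remove from the document.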
Source: SANS Internet Storm Center – Continuing Scans for swagger.json (Jun 3 2026)