Anonymous Intelligence Signal

Nightly AI Agent Exposes Critical Security Gaps: IDOR Flaws, Incomplete Pentest Configs

human The Lab unverified 2026-04-15 02:22:31 Source: GitHub Issues

A nightly AI security agent has flagged multiple high-severity gaps in a software project's test suite and security configuration, revealing a pattern of insufficient security coverage. The automated report, generated on April 15, 2026, lists five gaps, headed by a high-risk Insecure Direct Object Reference (IDOR) case that no test covers and a security configuration example file that omits required keys. The pattern across the spec-driven test suite suggests a broader, unaddressed risk within the codebase.

The most severe finding is a missing test for an IDOR vulnerability on the `deleteAccount` endpoint: a user who knows another user's `accountId` could delete that user's saved account. The agent notes that this mirrors a previously confirmed IDOR pattern on the `/payment/status` and `/payment/summary` endpoints, pointing to a recurring authorization weakness rather than a one-off bug. The example pentest configuration file (`config/pentest.properties.example`) is also missing seven required keys, among them the IDs the IDOR probes need and the Stripe API keys. Developers who run the tests locally from that template therefore get hardcoded fallback values without any warning, so probes run against placeholder data and real security failures are masked.
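The two points above can be shown together in one small harness: a cross-user `deleteAccount` probe run against a vulnerable and a hardened handler, driven by a config loader that fails closed when a required key is missing instead of falling back to a hardcoded value. This is an added example, not code from the project the report describes; the page does not show the project's language, so Python is used for illustration, and every name in it (`AccountStore`, the two handler methods, the `idor.*` config keys) is an assumption.

```python
# Added example, not code from the project the report describes. The
# project's language is not shown on the page; Python is used here for
# illustration. Every name below (AccountStore, the handler methods, the
# config keys) is an assumption.
from dataclasses import dataclass, field

# Assumed names for the IDOR probe IDs the page says the example config omits.
REQUIRED_KEYS = ("idor.victim.userId", "idor.victim.accountId", "idor.attacker.userId")


class MissingPentestConfig(Exception):
    """Raised when a required key is absent, instead of silently using a fallback."""


def missing_pentest_keys(props):
    """Return the required keys that are absent or empty in props."""
    return [k for k in REQUIRED_KEYS if not props.get(k)]


def load_pentest_config(props):
    """Fail closed: every required key must be present and non-empty."""
    missing = missing_pentest_keys(props)
    if missing:
        raise MissingPentestConfig(f"missing pentest config keys: {missing}")
    return {k: props[k] for k in REQUIRED_KEYS}


@dataclass
class AccountStore:
    """Toy backing store: accountId -> owning userId."""
    owners: dict = field(default_factory=dict)

    def delete_account_vulnerable(self, caller, account_id):
        # IDOR: the caller's identity is never compared with the owner.
        return self.owners.pop(account_id, None) is not None

    def delete_account_fixed(self, caller, account_id):
        # Ownership check; a foreign or unknown id is answered as "not found"
        # so the endpoint does not reveal which ids exist.
        if self.owners.get(account_id) != caller:
            return False
        del self.owners[account_id]
        return True


def idor_probe(handler_name, cfg):
    """Attacker calls delete on the victim's accountId; report what happened."""
    victim_acct = cfg["idor.victim.accountId"]
    store = AccountStore({victim_acct: cfg["idor.victim.userId"]})
    deleted = getattr(store, handler_name)(cfg["idor.attacker.userId"], victim_acct)
    intact = victim_acct in store.owners
    return {"attacker_deleted": deleted, "victim_intact": intact,
            "vulnerable": deleted or not intact}


# Constructed stand-in for a filled-in pentest.properties.
SAMPLE_PROPS = {
    "idor.victim.userId": "u-1001",
    "idor.victim.accountId": "acct-7",
    "idor.attacker.userId": "u-2002",
}

if __name__ == "__main__":
    cfg = load_pentest_config(SAMPLE_PROPS)
    for name in ("delete_account_vulnerable", "delete_account_fixed"):
        print(name, idor_probe(name, cfg))
```

The probe reports `vulnerable` whenever the attacker's call succeeds or the victim's account disappears, so it catches both a handler that returns success and one that deletes but lies about it. The loader raising on a missing key is the part that matters for the config finding: a template that omits the probe IDs then aborts the run loudly instead of letting the probe pass against placeholder data.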

These gaps point to systemic issues in the project's security posture. The medium-severity finding that the `createPayment` authentication tests are vacuous compounds the risk: the `AuthTestTemplates` only inspect query parameters, but the endpoint's auth parameters are carried in the JSON body, so the templates never see the credentials they are meant to remove and the tests assert nothing meaningful. That these findings came from a routine Pentest Coverage Analysis job rather than a human review underscores how essential security validation is being overlooked in the development lifecycle, leaving the application exposed to fundamental access control and data integrity attacks.
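The vacuity is easiest to see by running a query-only auth template and a query-and-body template against an endpoint with no authentication at all: the first produces zero cases and reports a pass, the second produces one case per credential and fails. This is an added example, not code from the project the report describes; the endpoint, template and parameter names are assumptions, and Python is used because the page does not show the project's language.

```python
# Added example, not code from the project the report describes. Endpoint,
# template and parameter names are assumptions; Python is used for
# illustration since the page does not show the project's language.
import json

AUTH_FIELDS = ("apiKey", "userId")  # assumed credential parameters


def create_payment(query, body_json):
    """Toy endpoint that authenticates from the JSON body. Returns an HTTP status."""
    body = json.loads(body_json or "{}")
    if not all(body.get(f) for f in AUTH_FIELDS):
        return 401
    return 201


def create_payment_no_auth(query, body_json):
    """Deliberately broken endpoint: accepts everything. A real auth test must fail here."""
    return 201


def auth_fields_in_query(query, body_json):
    """Case finder of the vacuous template: looks at the query string only."""
    return [f for f in AUTH_FIELDS if f in query]


def auth_fields_in_query_or_body(query, body_json):
    """Corrected case finder: also inspects the JSON body."""
    body = json.loads(body_json or "{}")
    return [f for f in AUTH_FIELDS if f in query or f in body]


def run_auth_template(case_finder, endpoint, query, body_json):
    """For each credential the finder locates, resend the request without it
    and expect 401. Zero located credentials means zero cases: a vacuous pass."""
    fields = case_finder(query, body_json)
    failures = []
    for f in fields:
        q = {k: v for k, v in query.items() if k != f}
        body = json.loads(body_json or "{}")
        body.pop(f, None)
        if endpoint(q, json.dumps(body)) != 401:
            failures.append(f)
    return {"cases": len(fields), "failures": failures,
            "passed": not failures, "vacuous": not fields}


# Constructed request: credentials travel in the body, not the query string.
SAMPLE_QUERY = {"currency": "USD"}
SAMPLE_BODY = json.dumps({"apiKey": "key-example", "userId": "u-1001", "amount": 100})

if __name__ == "__main__":
    for finder in (auth_fields_in_query, auth_fields_in_query_or_body):
        for ep in (create_payment, create_payment_no_auth):
            print(finder.__name__, ep.__name__,
                  run_auth_template(finder, ep, SAMPLE_QUERY, SAMPLE_BODY))
```

The `vacuous` flag is the check worth adding to any template-driven auth suite: a template that generated no negative case for an endpoint should be reported as a coverage failure, not a green result.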