Admin Monitoring Endpoint Exposes Absolute Server Paths in [Product] API
A security concern has been identified in the administrative monitoring interface of [product], where a diagnostics endpoint returns absolute filesystem paths that could aid malicious actors in server reconnaissance. The vulnerability, documented in the project's security tracker, affects the configuration diagnostics route accessible at `GET /api/v1/admin/monitoring/config`. While access is restricted to administrative users, security researchers note that exposing internal directory structures compounds the risk if it is combined with any additional vulnerability in the system.
The affected code resides in `backend/monitoring_router.py` around line 237, where the endpoint returns full paths for `data_dir`, `logs_dir`, and `frontend_static_dir`. According to the issue, these absolute filesystem locations are returned directly in the API response rather than abstracted diagnostic flags. This contrasts with security best practices for administrative tooling, which typically surfaces only boolean states—such as whether a directory exists—without revealing underlying system architecture.
The report recommends refactoring the endpoint to return only boolean diagnostics, for example `data_dir_exists: true`, instead of exposing the literal paths. Security analysts warn that knowledge of server directory layouts can significantly reduce the effort required for lateral movement within a compromised environment. The issue remains under review, with no confirmation yet on whether this constitutes an active exploitation vector or has been addressed in recent patches. System administrators operating instances of this software should monitor official security advisories for updates regarding this finding.
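The two response shapes the report contrasts, as an added example that is not the project's own code: a handler that echoes the absolute paths beside the recommended form that returns only existence flags, plus a small check a reviewer can run over any diagnostics payload to catch path strings before they ship. Function names, the constructed directory layout and the path pattern are assumptions; the project's real handler in `backend/monitoring_router.py` is not reproduced here.

```python
# Added example (not the project's code). Field names match the ones named in the
# report; everything else (helpers, sample layout) is constructed for illustration.
import os
import re
import tempfile
from pathlib import Path


def leaky_config_diagnostics(data_dir: str, logs_dir: str, frontend_static_dir: str) -> dict:
    """Shape described in the report: absolute paths handed straight back to the caller."""
    return {
        "data_dir": str(Path(data_dir).resolve()),
        "logs_dir": str(Path(logs_dir).resolve()),
        "frontend_static_dir": str(Path(frontend_static_dir).resolve()),
    }


def hardened_config_diagnostics(data_dir: str, logs_dir: str, frontend_static_dir: str) -> dict:
    """Recommended shape: one boolean per directory, no path strings in the response."""
    return {
        "data_dir_exists": Path(data_dir).is_dir(),
        "logs_dir_exists": Path(logs_dir).is_dir(),
        "frontend_static_dir_exists": Path(frontend_static_dir).is_dir(),
    }


# Absolute POSIX ("/...") or Windows ("C:\...") path at the start of a string value.
_ABS_PATH_RE = re.compile(r"^(?:/|[A-Za-z]:\\)")


def response_discloses_paths(payload: dict) -> list:
    """Regression check: names of fields whose string value looks like an absolute path."""
    return [k for k, v in payload.items() if isinstance(v, str) and _ABS_PATH_RE.match(v)]


def demo() -> tuple:
    """Build both responses against a constructed layout: data/ and logs/ exist, static/ does not."""
    with tempfile.TemporaryDirectory() as root:
        data, logs = os.path.join(root, "data"), os.path.join(root, "logs")
        static = os.path.join(root, "static")  # deliberately never created
        os.mkdir(data)
        os.mkdir(logs)
        return leaky_config_diagnostics(data, logs, static), hardened_config_diagnostics(data, logs, static)


if __name__ == "__main__":
    leaky, hardened = demo()
    print("leaky fields disclosing paths:", response_discloses_paths(leaky))
    print("hardened fields disclosing paths:", response_discloses_paths(hardened))
    print("hardened payload:", hardened)
```

The hardened payload still tells an administrator whether each directory is present, which is the only diagnostic question the endpoint needed to answer.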