Critical Authentication Bypass in LLM Wiki Web Exposes Admin Access to Any Password

Security analysis of the LLM Wiki web application backend has identified a critical authentication bypass vulnerability in `AuthController.login()`. The method accepts any non-empty password for existing user accounts, effectively bypassing credential verification entirely. The flaw was discovered in `backend/llm-wiki-web/src/main/java/com/llmwiki/web/controller/AuthController.java`, where password validation has been removed or disabled in the login flow.

The vulnerability stems from a simplified authentication implementation that retrieves user roles directly from an in-memory map using only the username, without invoking any password check. Notably, a `PasswordEncoder` bean exists within the application's Spring framework but is never utilized during the login sequence. The current code path allows authentication using any arbitrary string as a password, provided the target username exists in the user store. This creates a direct path to unauthorized access, particularly for administrative accounts where privilege escalation could lead to full system compromise.

The exposure is severe. Any actor with knowledge of a valid username—whether obtained through reconnaissance, social engineering, or leaked data—can authenticate without legitimate credentials. This breaks a fundamental security control and exposes the system to account takeover, credential stuffing attacks, and insider threats. In production deployments, admin-level access could enable data exfiltration, configuration manipulation, or lateral movement to adjacent systems. The vulnerability requires immediate remediation: passwords must be stored using bcrypt hashing and validated against stored hashes via `passwordEncoder.matches()` before JWT issuance. Organizations running this codebase should audit authentication logs for anomalous access patterns and consider network-level restrictions until a patch is deployed.