[Security] CodeTrust Security Review — 2 findings for your consideration

[autoailabadmin]

Security Improvement Suggestions

Hi! We ran an automated security review on this repository using CodeTrust, an AI-powered logical security scanner.

We identified 2 potential security improvements related to endpoint authentication and rate limiting.

Per your SECURITY.md, we are also sending the detailed report to security@tiangolo.com with full CWE references, CVSS scores, and fix suggestions.

Summary (no exploit details):

1. A user-creation endpoint that may be accessible without authentication in certain deployment configurations
2. Missing rate limiting on registration and password recovery endpoints

Methodology: Multi-model AI review (GPT-4.1) with programmatic AST verification, mapped to OWASP WSTG-BUSL standards. Each finding independently validated.

We are happy to submit fix PRs for any confirmed issues.

---

Automated security review by CodeTrust — AI-powered logical security analysis by AutoAI Labs

[autoailabadmin]

Hi — adding specific evidence to show this is a genuine review:

Finding 1: In app/api/routes/private.py, the create_user endpoint at @router.post("/users/") has no authentication dependency. The function signature is:

def create_user(user_in: PrivateUserCreate, session: SessionDep) -> Any:

No Depends(get_current_active_superuser) or similar. While the /private/ prefix suggests internal use, if this route is exposed (e.g., via reverse proxy misconfiguration), anyone can create user accounts.

Finding 2: Registration and password recovery endpoints have no rate limiting. We verified no Limiter, slowapi, or middleware is applied.

What we did NOT report: Our initial scan flagged mass assignment on UserUpdateMe, but we verified the model only allows full_name and email — correctly restricted. We suppressed that false positive.

Per your SECURITY.md, we will also email security@tiangolo.com with the full report.

— Tauqeer, AutoAI Labs (autoailabs.co.uk)