While using InfluxDB 2.7.11, we have detected an unauthorized access vulnerability affecting the Swagger API endpoint /api/v2/swagger.json. Could you please advise on solutions to block this endpoint? Thank you.

@scott, can you help me?

Thanks for reaching out. The server serves a /docs page and it requires /api/v2/swagger.json for the API reference. Both of these currently serve without authorization, but /api/v2/swagger.json is static content and /docs simply prettifies that for the user (i.e., nothing should be served that can’t be obtained from the influxdb/main-2.x repo). At the moment, if you don’t want to serve this content, you would need to use a proxy to block these routes, as there isn’t currently a configuration flag for them.

For InfluxData developers, AFAICS, the UI doesn’t link to these (neither main nor release/OSS) and at least influxdb-client-python, influxdb-client-js and telegraf do not use /api/v2/swagger.json. PR 11366 introduced this, but without a corresponding issue. It seems straightforward enough to conditionally serve this based on a new config option (similar to how we disable other development features).
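The proxy workaround described in the reply above, written out as an added example that is not part of the original thread and not InfluxDB's own code: a minimal Go reverse proxy that sits in front of the InfluxDB HTTP listener and answers 404 for /api/v2/swagger.json and /docs while forwarding everything else. The backend address (127.0.0.1:8086), the listen address (127.0.0.1:8087) and the choice to treat everything under /docs/ as part of the docs page are assumptions for the example; `IsBlocked` and `NewBlockingProxy` are names introduced here, not InfluxDB APIs.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// blockedExact lists routes that must not reach the InfluxDB backend.
// These two are the ones the thread identifies as served without authorization.
var blockedExact = map[string]bool{
	"/api/v2/swagger.json": true,
	"/docs":                true,
}

// IsBlocked reports whether a request path should be denied at the proxy.
// The path is normalised with path.Clean first, so variants such as
// "/api/v2//swagger.json", "/api/v2/./swagger.json" or "/docs/" cannot slip
// past an exact-match blocklist. Assumption for this example: anything under
// /docs/ belongs to the docs page and is blocked as well.
func IsBlocked(p string) bool {
	if p == "" {
		p = "/"
	}
	p = path.Clean(p)
	return blockedExact[p] || strings.HasPrefix(p, "/docs/")
}

// NewBlockingProxy returns a handler that 404s blocked paths and reverse-proxies
// every other request to backend unchanged.
func NewBlockingProxy(backend *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.URL.Path is already percent-decoded by net/http, so an encoded
		// "%2F" or "%2E" in the request is matched in its decoded form.
		if IsBlocked(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses: InfluxDB on its default port, proxy on 8087.
	backend, err := url.Parse("http://127.0.0.1:8086")
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("proxying 127.0.0.1:8087 -> %s, blocking /docs and /api/v2/swagger.json", backend)
	log.Fatal(http.ListenAndServe("127.0.0.1:8087", NewBlockingProxy(backend)))
}
```

For this to be effective the InfluxDB listener itself must only be reachable through the proxy (bind it to loopback or firewall port 8086), otherwise clients simply connect to the backend directly. The same rule in nginx is an exact-match `location = /api/v2/swagger.json { return 404; }` plus a prefix `location /docs { return 404; }`; nginx normalises the URI before matching, which is what the `path.Clean` step does here.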