Auth-bypass-via-misconfiguration is missed by entry-point-only fingerprints

For application-tier surveys (RAG framework, LLM orchestration, BI dashboards, anything with a documented public-role config), entry-point fingerprints are insufficient. The probe must follow redirects and check for authenticated-state-only tokens on the post-redirect target.

Evidence

The compute-orchestration survey caught Apache Airflow instances configured with AUTH_ROLE_PUBLIC = "Admin" (anonymous public role enabled). The dashboard is reachable at /home, while /login/ still serves the login template.

A probe that only checks / (returns 302 to /home) reports “login-gated.” Following the redirect surfaces the actual auth posture.

Eight of 36 confirmed-Airflow hosts in the 2026-05-06 sample were unauth-via-/home despite / returning a redirect that looked like a login flow.

How to apply

The probe pattern:

1. Disable redirect-following on the initial fetch to capture the 302 path.
2. Make a second request to the redirect target with cookies cleared.
3. On the post-redirect response, look for authenticated-state-only tokens, Airflow’s is_scheduler_running meta tag, MLflow’s /api/2.0/mlflow/experiments/list JSON, etc.
4. If the authenticated-state token is present without auth headers, the host is in AUTH_ROLE_PUBLIC = "Admin" state.

For each platform with a documented public-role / anonymous-admin config, capture both the entry-point fingerprint and the post-auth-state fingerprint in aimap.

Source

Captured in case-studies/commercial/SYNTHESIS-2026-05.md. Survey: compute-orchestration-cloud-survey-2026-05.

SOURCE · case-studies/commercial/SYNTHESIS-2026-05.md