Zion Boggan

In-depth vulnerability research, detection engineering & applied cryptography.

Info disclosure

Project Name Enumeration

SUBMISSION 1

TITLE: Project Name Enumeration via 403/404 Response Differentiation Leaks Customer List

TARGET: api.aiven.io (https://api.aiven.io/login)

VRT CATEGORY: Server Security Misconfiguration > Information Disclosure

URL: https://api.aiven.io/v1/project/{project_name}

DESCRIPTION:

Summary

The GET /v1/project/{project_name} endpoint returns differentiated HTTP responses for existing vs non-existing projects, allowing any authenticated user to enumerate all project names on the Aiven platform. Since project names frequently match company or organization names, this directly reveals Aiven’s customer list.

  • Existing project (not owned by requester): 403, "Not a project member"
  • Non-existing project: 404, "Project does not exist"

Steps to Reproduce

  1. Authenticate to the Aiven API with any valid token.

  2. Query an existing project name:

     curl -s https://api.aiven.io/v1/project/netflix \
       -H "Authorization: aivenv1 <TOKEN>"

     Response (403):

     {"errors":[{"message":"Not a project member","status":403}]}

  3. Query a non-existing project name:

     curl -s https://api.aiven.io/v1/project/doesnotexist12345xyz \
       -H "Authorization: aivenv1 <TOKEN>"

     Response (404):

     {"errors":[{"message":"Project does not exist","status":404}]}

  4. The 403/404 differentiation confirms whether a project name exists on the platform.

Confirmed Existing Projects

| Project Name | HTTP Status  |
|--------------|--------------|
| netflix      | 403 (exists) |
| spotify      | 403 (exists) |
| google       | 403 (exists) |
| facebook     | 403 (exists) |
| tesla        | 403 (exists) |
| databricks   | 403 (exists) |
| redis        | 403 (exists) |
| grafana      | 403 (exists) |
| production   | 403 (exists) |
| internal     | 403 (exists) |

Controls: doesnotexist12345xyz, another-fake-project-abc → 404.

Impact

An attacker can enumerate Aiven’s customer base by iterating company names against this endpoint. This reveals which organizations use Aiven for their database infrastructure, which is commercially sensitive information that enables competitive intelligence gathering and targeted supply chain attacks against confirmed Aiven customers.

Suggested Fix

Return a uniform 404 "Project does not exist" for both non-existing projects and projects the requester doesn’t have access to.
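To make the fix concrete, here is an added example (not Aiven's code, and not from the writeup) modelling the project lookup in Python: the leaky ordering of checks beside the uniform-404 version, plus an oracle check that shows only the leaky handler answers differently for "exists but not mine" versus "does not exist". Project names, user ids and handler names are constructed for the example.

```python
# Constructed sample state: project name -> set of member user ids.
# These are placeholders, not real Aiven projects or users.
PROJECTS = {
    "acme-prod": {"alice", "bob"},
    "widgets": {"carol"},
}

# Error bodies mirror the shape quoted in the writeup.
ERR_NOT_MEMBER = {"errors": [{"message": "Not a project member", "status": 403}]}
ERR_NOT_FOUND = {"errors": [{"message": "Project does not exist", "status": 404}]}


def get_project_leaky(user: str, name: str):
    """Leaky handler (assumed shape): existence is decided before membership,
    so a non-member learns from the status code alone whether the name is taken."""
    members = PROJECTS.get(name)
    if members is None:
        return 404, ERR_NOT_FOUND
    if user not in members:
        return 403, ERR_NOT_MEMBER
    return 200, {"project": {"project_name": name}}


def get_project_uniform(user: str, name: str):
    """Fixed handler: a project the requester cannot see is reported exactly
    like one that does not exist (same status code, same body)."""
    members = PROJECTS.get(name)
    if members is None or user not in members:
        return 404, ERR_NOT_FOUND
    return 200, {"project": {"project_name": name}}


def responses_distinguishable(handler, user: str, existing: str, missing: str) -> bool:
    """Oracle check a regression test can keep: does the handler answer differently
    for a real project the user is not a member of versus a name that does not exist?"""
    return handler(user, existing) != handler(user, missing)
```

Status and body are the channels this report demonstrates; a production fix should also keep response size and timing aligned between the two branches so that a wrapped 404 does not reintroduce the oracle through a side channel.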


Source · github.com/zionsworking/security-research-notebook · writeups/aiven/project-name-enumeration.md