REST API vulnerability