Fix guide · medium · pocketbase_collections_metadata_public
Pocketbase collections metadata readable without auth
Your Pocketbase deployment's /api/collections endpoint returned the full collection list without authentication. Attackers can see every collection name, every field, every field type, every validation rule, and each collection's list/view/create/update/delete API rules.
Why it matters
Knowing the schema is not a direct vulnerability, but it is a roadmap. The response includes each collection's API rules, so combined with blank list/view rules (pocketbase_list_rule_blank) the attacker knows exactly which collections are readable and which to enumerate first, without guessing a single name.
How to fix it
Stock Pocketbase only serves the collections list to a request that carries a superuser token; anonymous requests get a 401/403. A schema returned to an unauthenticated GET therefore means something in front of or inside the deployment is supplying or bypassing that check. Check, in order:
- Whether anything that forwards traffic to the app (reverse proxy, edge function, backend-for-frontend) attaches a stored admin token to the proxied request, and whether that token has ended up in a client bundle
- Whether a custom route or hook re-exposes collection data on /api/collections or a path that aliases it
Remove the injected token or the custom route, then confirm that an anonymous GET /api/collections is rejected again.
As an extra layer, have the reverse proxy reject requests to /api/collections (the list endpoint, without an ID) that carry no Authorization header, so a future regression in the app cannot expose the schema to anonymous clients.
Note: this is defence-in-depth. The real fix is ensuring every collection's list/view rules are correct — see /fix/pocketbase_list_rule_blank.
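The post-fix check below is an added example, not Pocketbase's or vibecheck's own code. It sends an unauthenticated GET to /api/collections, classifies the response, and, if the list is still exposed, names the collections whose list or view rule is the empty string (in Pocketbase an empty-string rule means open to everyone, while a null rule means superuser-only). The base URL, the constructed sample response used when no URL is given, and the function names are assumptions for the example.

```python
"""Verify that /api/collections is no longer readable without a superuser token.
Added example (not part of the original fix guide). Usage:
    python check_collections.py https://your-app.example.com
With no argument it runs against a constructed sample response instead of a server.
"""
import json
import sys
import urllib.error
import urllib.request


def fetch(base_url, path, token=None, timeout=10):
    """GET base_url+path and return (status, body). Token is sent as-is in Authorization."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    if token:
        req.add_header("Authorization", token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 land here; they are the expected, healthy outcome for an anonymous caller.
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Classify an unauthenticated GET /api/collections response.

    'protected' : 401/403, the stock Pocketbase behaviour for anonymous callers
    'exposed'   : 200 with a paginated list whose items carry field definitions
    'unknown'   : anything else (HTML error page, redirect, unexpected JSON)
    """
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    items = data.get("items") if isinstance(data, dict) else None
    if not isinstance(items, list):
        return "unknown"
    # Newer releases use "fields", older ones "schema"; either one is the full schema.
    if any(isinstance(c, dict) and ("fields" in c or "schema" in c) for c in items):
        return "exposed"
    return "unknown"


def public_collections(body):
    """Return names of collections whose list or view rule is '' (readable by anyone).

    None (JSON null) is the locked state, so only the empty string counts here.
    """
    data = json.loads(body)
    names = []
    for coll in data.get("items", []):
        if coll.get("listRule") == "" or coll.get("viewRule") == "":
            names.append(coll["name"])
    return names


# Constructed sample of an exposed response (shape follows Pocketbase's list payload;
# the collections and fields are made up for this example).
SAMPLE_EXPOSED = json.dumps({
    "page": 1, "perPage": 30, "totalItems": 2, "totalPages": 1,
    "items": [
        {"id": "c1", "name": "users", "type": "auth",
         "fields": [{"name": "email", "type": "email"}],
         "listRule": None, "viewRule": "id = @request.auth.id"},
        {"id": "c2", "name": "invoices", "type": "base",
         "fields": [{"name": "amount", "type": "number"}],
         "listRule": "", "viewRule": ""},
    ],
})


def run(base_url=None):
    """Return (verdict, public_names) for a live server, or for the sample when base_url is None."""
    if base_url is None:
        status, body = 200, SAMPLE_EXPOSED
    else:
        status, body = fetch(base_url, "/api/collections")
    verdict = classify(status, body)
    names = public_collections(body) if verdict == "exposed" else []
    return verdict, names


if __name__ == "__main__":
    verdict, names = run(sys.argv[1] if len(sys.argv) > 1 else None)
    print("collections list:", verdict)
    for name in names:
        print("  public list/view rule:", name)
    sys.exit(0 if verdict == "protected" else 1)
```

Run it before and after the fix: the verdict should move from exposed to protected. Any names it prints belong to the companion finding at /fix/pocketbase_list_rule_blank and stay readable through /api/collections/{name}/records until their rules are fixed, whatever happens to the metadata endpoint.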
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again; the finding should clear.