Trusted extra eyes for stuck bug bounty findings
Found an exposed Prometheus metrics endpoint on a fintech platform that reveals internal system metrics including request rates, error counts, memory usage, goroutine counts, and internal service names. The endpoint requires no authentication and is accessible from the public internet. While this is typically classified as informational, the leaked service names and error patterns could help an attacker map internal architecture and identify weak points. Looking for someone to help assess whether this has enough impact for the program or if I should chain it with other findings.
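For the team that owns an endpoint like the one described above, a way to inventory what its `/metrics` output discloses before deciding on exposure or severity. This is an added example, not part of the original post; the sample metrics, the service names and the `NAME_LABELS` set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Prometheus text exposition format (not from any real system).
SAMPLE = '''\
# HELP http_requests_total Total HTTP requests.
# TYPE http_requests_total counter
http_requests_total{service="ledger-api",code="200"} 1027
http_requests_total{service="ledger-api",code="500"} 14
http_requests_total{service="kyc-worker",code="200"} 311
# TYPE go_goroutines gauge
go_goroutines 42
# TYPE process_resident_memory_bytes gauge
process_resident_memory_bytes 7.3e+07
'''

# metric_name{labels} value [timestamp]
SERIES_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

# Assumption: label keys that commonly carry internal component names.
NAME_LABELS = {"service", "job", "instance", "handler", "upstream"}

def audit(text):
    """Group what a metrics page discloses into the categories named in the post."""
    report = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip HELP/TYPE comments
            continue
        m = SERIES_RE.match(line)
        if not m:
            continue
        name, raw_labels, value = m.groups()
        labels = dict(LABEL_RE.findall(raw_labels or ""))
        for key, val in labels.items():
            if key in NAME_LABELS:
                report["internal_names"].add(val)
        code = labels.get("code") or labels.get("status", "")
        if code.startswith("5") and float(value) > 0:
            report["error_series"].add(name)   # server-side error pattern visible
        if name.startswith(("go_", "process_")):
            report["runtime_internals"].add(name)  # goroutines, memory, etc.
    return {k: sorted(v) for k, v in report.items()}

if __name__ == "__main__":
    for category, items in audit(SAMPLE).items():
        print(f"{category}: {', '.join(items)}")
```

Run it against a saved copy of your own exporter output; an empty report for `internal_names` and `error_series` means the page discloses only generic runtime data.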