Improper Restriction of Excessive Authentication Attempts
CVE-2025-57815
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1b2, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against Brute-Force Attacks. This could allow attackers to conduct Credential Testing Attacks, such as Credential Stuffing or Password Spraying, which poses a risk to accounts with weak or previously compromised passwords. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.
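The missing control described above, as an added example that is not Fides code: a login throttle keyed on the account rather than the source IP, so a per-account lockout fires regardless of how many addresses the attempts arrive from, plus a separate signal for password spraying, which stays below any per-account threshold. The policy constants and the `verify_password` callback are assumptions for illustration.

```python
import time
from collections import defaultdict

# Policy values are constructed for this example; they are not Fides settings.
MAX_FAILURES = 5        # failures per account within WINDOW_SECONDS before locking
WINDOW_SECONDS = 600    # sliding window for counting failures
LOCKOUT_SECONDS = 900   # temporary lock once MAX_FAILURES is reached
SPRAY_ACCOUNTS = 20     # distinct accounts failing in one window -> spraying signal

class LoginThrottle:
    """Failure tracking keyed on the username, so changing source IP does not reset it."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)  # username -> failure timestamps
        self.locked_until = {}             # username -> lock expiry time

    def _recent_failures(self, username, now):
        cutoff = now - WINDOW_SECONDS
        self.failures[username] = [t for t in self.failures[username] if t > cutoff]
        return self.failures[username]

    def is_locked(self, username):
        return self.clock() < self.locked_until.get(username, 0)

    def record_failure(self, username):
        now = self.clock()
        recent = self._recent_failures(username, now)
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            recent.clear()

    def record_success(self, username):
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)

    def spray_suspected(self):
        """Spraying never trips the per-account lock; count distinct failing accounts instead."""
        now = self.clock()
        return sum(1 for u in list(self.failures)
                   if self._recent_failures(u, now)) >= SPRAY_ACCOUNTS

def attempt_login(throttle, verify_password, username, password):
    # Check the lock before running the password verifier; returns a status string.
    if throttle.is_locked(username):
        return "locked"
    if verify_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

A per-account lock lets anyone who knows a username lock it out, so production deployments usually pair it with alerting and an unlock path rather than relying on it alone.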
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-307 - Improper Restriction of Excessive Authentication Attempts
The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.