/api/login issues an HS256 token signed with a guessable secret and never checks the password. /api/me then trusts alg:none tokens without verifying any signature — so an unsigned admin token is accepted.
Trigger: forge eyJhbGciOiJub25lIn0.eyJyb2xlIjoiYWRtaW4ifQ. then call /api/me — returns admin:true.
Detected by: browser_cdp_jwt_analyze