API is potentially exposed due to default or insecure configurations (e.g., open CORS, Swagger UI enabled in production, missing security headers).