You shipped a fix. You cut a new version. You moved the frontend. The old version is still live because nothing tells you how to turn it off, and one customer on an old mobile build is still calling it. Six months later, an attacker finds both versions and picks the one that still has the bug.
Improper Inventory Management is the bug where you do not know what you have running. Old API versions that were never turned off. Staging and beta subdomains pointed at prod data. Undocumented routes from a prototype nobody deleted. Every one of them is a live attack surface the team has stopped watching.
What your AI actually built
You asked for a versioned API. /api/v1 for the original launch, /api/v2 once you added multi-tenant support and fixed that nasty ownership bug. The model did exactly what you asked — it created v2 alongside v1.
What it did not do was retire v1. It did not put a 410 Gone on it, did not add a deprecation header, did not log which clients were still hitting it. v1 sits in the repo looking exactly like v2 except for the one thing you fixed.
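One way to add the three missing pieces (a 410 Gone, deprecation headers, and a log of who still calls v1), shown as an added example and not code from the app described here. It is a plain WSGI middleware in Python; the `RETIRED` policy table, its dates and the `RetireOldVersions` name are assumptions made for illustration.

```python
import logging
from datetime import datetime, timezone
from email.utils import format_datetime

log = logging.getLogger("api.retirement")

# Constructed policy for this example: prefix -> (deprecated since, sunset date).
RETIRED = {
    "/api/v1": (datetime(2024, 1, 1, tzinfo=timezone.utc),
                datetime(2024, 7, 1, tzinfo=timezone.utc)),
}


class RetireOldVersions:
    """WSGI middleware: announce retirement, log stragglers, then answer 410."""

    def __init__(self, app, policy=RETIRED, now=None):
        self.app, self.policy = app, policy
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.seen = {}  # (prefix, client) -> hits; ship to a metrics store in production

    def _match(self, path):
        for prefix, dates in self.policy.items():
            # Match whole path segments so /api/v10 is not treated as /api/v1.
            if path == prefix or path.startswith(prefix + "/"):
                return prefix, dates
        return None, None

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        prefix, dates = self._match(path)
        if prefix is None:
            return self.app(environ, start_response)
        deprecated, sunset = dates
        client = environ.get("HTTP_USER_AGENT", "unknown")
        self.seen[(prefix, client)] = self.seen.get((prefix, client), 0) + 1
        # %r escapes control characters in client-controlled values.
        log.warning("retired api hit prefix=%s path=%r client=%r ip=%s",
                    prefix, path, client, environ.get("REMOTE_ADDR", "-"))
        extra = [("Deprecation", "@%d" % deprecated.timestamp()),
                 ("Sunset", format_datetime(sunset, usegmt=True))]
        if self.now() >= sunset:
            body = b'{"error":"gone","detail":"this API version is retired"}'
            start_response("410 Gone", [("Content-Type", "application/json"),
                                        ("Content-Length", str(len(body)))] + extra)
            return [body]

        def with_headers(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, with_headers)
```

Wrap the application once (`app = RetireOldVersions(app)`) so the old handlers stop being reachable after the sunset date even if the v1 code is still in the repo.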
The other flavor of this bug is the staging server. A subdomain called beta. or dev. or internal. that points at a slightly older build of the same app, often with looser auth, debug endpoints on, and the same database behind it.
How it gets exploited
The attacker notices the main app is careful: every route checks ownership, every token is scoped. They assume there is an older version somewhere.