Unprotected mass assignment
ApiKeyScope.new(:resource => resource, :action => action, :allowed_parameters => build_params(scope_params, ApiKeyScope.scope_mappings.dig(resource.to_sym, action.to_sym)[:params]))
Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.
Solution: fix the issue in app/controllers/admin/api_controller.rb or mark it as false positive.