H3-2026-0013
Insecure Direct Object Reference (IDOR) / Broken Object Level Authorization (BOLA)
| Category | VULNERABILITY |
| Base Score | 7.5 |
Description
This weakness affects API-based web applications that fail to implement object-level authorization checks and therefore never verify that the authenticated user requesting an object is permitted to act on it. Because the server resolves the object purely from a client-supplied identifier (such as an ID, username, or filename), manipulating that parameter lets an attacker read or modify resources that belong to other users or tenants.
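As an added illustration that is not part of this advisory, the following Python shows an object lookup handler that is missing the object-level check beside the corrected form that binds the object to the authenticated session; the User and Invoice records and the in-memory invoice store are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: two tenants, each with one user and one invoice.
@dataclass(frozen=True)
class User:
    id: int
    tenant_id: int

@dataclass(frozen=True)
class Invoice:
    id: int
    tenant_id: int
    owner_id: int
    amount: int

ALICE = User(id=10, tenant_id=1)
BOB = User(id=20, tenant_id=2)

INVOICES = {
    1001: Invoice(id=1001, tenant_id=1, owner_id=10, amount=250),
    1002: Invoice(id=1002, tenant_id=2, owner_id=20, amount=990),
}

class NotFound(Exception):
    """Raised for both missing and foreign objects so the ID space is not an oracle."""

def get_invoice_vulnerable(current_user: User, invoice_id: int) -> Invoice:
    # BOLA: the lookup is keyed only on the client-supplied identifier.
    # The caller is authenticated, but nothing ties the object to the caller.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound()
    return invoice

def get_invoice_authorized(current_user: User, invoice_id: int) -> Invoice:
    # Fix: compare the object's tenant and owner against the session principal,
    # never against request input. With an ORM this belongs in the query itself
    # (filter on id AND owner_id), so no unowned row is ever loaded.
    invoice = INVOICES.get(invoice_id)
    if (invoice is None
            or invoice.tenant_id != current_user.tenant_id
            or invoice.owner_id != current_user.id):
        # Identical response for "does not exist" and "not yours": no existence leak.
        raise NotFound()
    return invoice

def can_read(handler, current_user: User, invoice_id: int) -> bool:
    """True if the handler hands the object to this user; used to compare the two handlers."""
    try:
        handler(current_user, invoice_id)
        return True
    except NotFound:
        return False
```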
Impact
An attacker can access, modify, or delete resources belonging to other users by manipulating object identifiers in API requests. This can lead to unauthorized data access, data modification, or data deletion across tenant or user boundaries.