Vulnerability Details
Severity:
High
Category:
API
Description
API endpoints authenticate the caller but do not verify that the caller is authorized for the specific object referenced in the request (Broken Object Level Authorization). Because object identifiers are predictable (for example, sequential integers), any authenticated user can reach other users' records simply by substituting an identifier in an otherwise legitimate request.
Risks
An authenticated attacker could read, modify, or delete data belonging to other users by iterating through or guessing object identifiers in API requests. With sequential identifiers, the entire data set behind an affected endpoint can be enumerated with a simple loop.
Remediation
Enforce authorization at the object level on every endpoint and every HTTP method (read, update, delete), not only on the obvious read paths. Make the ownership or tenancy check part of the data lookup itself (for example, fetch the object by identifier and owner together) so that the check cannot be omitted on a new code path, and return the same response for "does not exist" and "not yours" so the API does not confirm which identifiers are valid. Unpredictable identifiers (UUIDv4) are worthwhile defense in depth because they make blind enumeration impractical, but they are not a substitute for the authorization check: identifiers leak through logs, referrers, shared links, and other endpoints. Verify the fix by exercising each endpoint with two accounts and confirming that neither can reach the other's objects.
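The following is an added example, not code from the original report or from the affected application. It models the flaw and the fix with plain Python functions and an in-memory store standing in for the API handler and database: a lookup that fetches by identifier alone, the hardened lookup that binds the ownership predicate into the fetch and collapses "not found" and "not yours" into one outcome, a helper that plays the attacker iterating sequential IDs, and a re-keying helper that shows why UUIDs alone do not close the hole. All names (User, Document, NotFound, get_document, enumerate_readable, with_random_ids) and the sample data are constructed for the illustration.

```python
"""Object-level authorization: a vulnerable lookup beside its hardened form.

Constructed example: the store, users and documents below are sample data,
not taken from any real system.
"""
from dataclasses import dataclass
import uuid


@dataclass(frozen=True)
class User:
    id: str


@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str
    body: str


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not owned by the caller', so the
    response gives the client no oracle that distinguishes the two cases."""


# Constructed sample data: two users, three documents with sequential IDs.
ALICE = User("alice")
BOB = User("bob")
DOCS = {
    "1": Document("1", ALICE.id, "alice's notes"),
    "2": Document("2", BOB.id, "bob's salary"),
    "3": Document("3", BOB.id, "bob's draft"),
}


def get_document_vulnerable(store, user, doc_id):
    """Vulnerable handler: authentication happened upstream, but nothing ties
    doc_id to `user`, so any logged-in caller can read any document by ID."""
    doc = store.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document(store, user, doc_id):
    """Hardened handler: the ownership predicate is part of the lookup itself
    (the equivalent of `WHERE id = ? AND owner_id = ?`), so it cannot be
    forgotten on a later code path, and a foreign object looks identical to a
    missing one."""
    doc = store.get(doc_id)
    if doc is None or doc.owner_id != user.id:
        raise NotFound(doc_id)
    return doc


def enumerate_readable(handler, store, user, id_range):
    """Play the attacker: iterate predictable IDs as `user` and return the IDs
    of documents that came back although they belong to someone else."""
    leaked = []
    for n in id_range:
        try:
            doc = handler(store, user, str(n))
        except NotFound:
            continue
        if doc.owner_id != user.id:
            leaked.append(doc.id)
    return leaked


def with_random_ids(store):
    """Re-key the store with UUIDv4 identifiers. This defeats blind iteration
    only; a leaked identifier still works against the vulnerable handler."""
    rekeyed = {}
    for doc in store.values():
        new_id = str(uuid.uuid4())
        rekeyed[new_id] = Document(new_id, doc.owner_id, doc.body)
    return rekeyed


if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_readable(get_document_vulnerable, DOCS, ALICE, range(1, 5)))
    print("hardened leaks:  ", enumerate_readable(get_document, DOCS, ALICE, range(1, 5)))
```

The two-account enumeration in `enumerate_readable` is the same check a tester would run against the live API: authenticate as one user, walk the ID space, and flag every response that returns another user's object. Running it against both handlers shows that only the ownership-scoped lookup, not the change of identifier format, removes the exposure.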