API Security
    2/23/2026

    The Invisible Threat of IDOR and BOLA

    The Invisible Threat of IDOR and BOLA

    Mastering Object-Level Authorization and the BOLA Threat

    In the modern API-first landscape, the most critical question isn't just "Who are you?" (Authentication) but "Are you allowed to see this specific piece of data?" (Authorization).

    When an API fails this check, it creates a Broken Object Level Authorization (BOLA) vulnerability—formerly known as IDOR (Insecure Direct Object Reference).

    BOLA has remained the #1 risk on the OWASP API Security Top 10 since 2019 because it is:

    • Easy to exploit
    • Extremely difficult to detect with legacy tooling
    • Devastating in multi-tenant SaaS environments
    • Highly automatable at scale

    In 2026, BOLA is no longer just a web app issue - it affects AI systems, mobile backends, partner APIs, and internal microservices alike.

    The Mechanics: How BOLA Manifests Across API Servers

    BOLA occurs when an application uses a client-provided ID to access a resource without verifying the user's right to that specific object.

    • REST APIs: The most common target. Attackers simply increment IDs in the URL (e.g., changing /api/orders/1001 to /api/orders/1002) to harvest data from other users.
    • GraphQL: While REST has fixed endpoints, GraphQL uses a single endpoint. BOLA here often hides in nested resolvers. An attacker might start with a legitimate query for their own profile but use nested fields to "crawl" into unauthorized objects like user -> posts -> comments -> private_email.
    • gRPC: Often used for internal microservices, gRPC can be vulnerable if developers assume the binary Protobuf format provides security by obscurity. Without server-side interceptors to verify object ownership, gRPC calls are just as exposed as REST.
    • WebSockets: Since connections are persistent, developers often forget to re-authorize individual messages. Once a socket is open, an attacker might send a message to "subscribe" to a data stream (like a private chat ID) that doesn't belong to them.

    AI & Agent APIs (New 2026 Risk Surface)

    As organizations integrate APIs with AI copilots and LLM-powered agents:

    • Internal APIs are exposed to AI systems.
    • Developers assume internal trust.
    • Object-level checks are skipped.

    Result: AI agents have been observed retrieving tickets, CRM entries, and HR records belonging to unrelated users because the backend validated identity — but not ownership.

    AI does not eliminate BOLA. It amplifies it.

    Implementation: Object-Level Authorization (RBAC vs. ABAC)

    To prevent BOLA, you must move beyond simple Role-Based Access Control (RBAC).

    ModelMechanismBOLA Effectiveness
    RBACAssigns permissions to roles (e.g., "Manager").Low: Confirms a Manager can see invoices, but not which manager sees which invoice.
    ABACUses attributes (User ID, Resource Owner, IP).High: Dynamically checks if user_id == resource_owner_id for every request.

    RBAC answers:

    "Can managers see invoices?"

    ABAC answers:

    "Can THIS manager see THIS invoice?"

    That distinction is the difference between secure and breached.

    Real-World Failures (2024–2026)

    BOLA isn't theoretical; it has fueled the largest breaches of the last two years:

    Salesforce Supply Chain (August 2025)

    Attackers exploited compromised OAuth tokens in the Salesloft–Drift integration within the Salesforce ecosystem.

    By abusing overly broad permissions and weak object isolation, they extracted:

    • AWS access keys
    • Sensitive CRM records
    • Data from 700+ organizations

    Lesson: OAuth scopes ≠ object-level authorization.

    Volkswagen MyVW (2025)

    Researchers discovered that manipulating VIN numbers in the Volkswagen MyVW API allowed access to:

    • Real-time vehicle locations
    • Owner personal data
    • Vehicle telemetry

    The API validated authentication — but not VIN ownership.

    McDonald's / Paradox.ai Hiring Platform (2025)

    A hiring chatbot platform used sequential candidate IDs.

    Incrementing:

    /api/chat/10001 → /api/chat/10002

    exposed thousands of applicant records tied to McDonald's recruitment systems.

    Data included:

    • Names
    • Email addresses
    • IP addresses
    • Personality test results

    FinTech Open Banking API Incident (2025)

    A European fintech startup allowed:

    /accounts/{account_id}/transactions

    OAuth tokens included read:transactions.

    But the backend never verified that the requesting partner was authorized for that specific account_id.

    Critical insight:
    Scope-based authorization without object validation creates horizontal privilege escalation.

    Healthcare Scheduling SaaS Exposure (2026)

    Predictable appointment_id values allowed patients to access other patients':

    • Visit notes
    • Appointment times
    • Contact details

    The DAST scanner passed it as secure because it received 200 OK.

    It never tested cross-user object access.

    The Scaling Problem: Why Manual & Legacy Tools Fail

    As API ecosystems grow, the attack surface expands exponentially.

    1. Manual Testing Bottleneck: 75% of enterprises lack a complete API inventory. Manual testers cannot keep up with weekly CI/CD deployments or "Shadow APIs" hidden in the code .
    2. DAST Limitations: Traditional Dynamic (DAST) scanners are "blind" to BOLA. They typically test with one set of credentials. If a request returns "200 OK," the scanner assumes it passed, failing to realize it should have been a "403 Forbidden" if the ID belonged to another user.
    3. SAST Limitations: Static (SAST) tools analyze code at rest but cannot see the runtime interaction between identity providers and databases where BOLA logic actually lives.

    The Scaling Reality in 2026

    Attackers now automate:

    • Horizontal privilege escalation
    • Cross-tenant data crawling
    • ID enumeration at massive scale

    In SaaS platforms, one missing object-level check can expose millions of records across tenants.

    The Solution: Autonomous API Security

    Organizations must transition toward Autonomous API Security:

    AI-driven platforms can:

    • Build behavioral baselines of API usage
    • Map object relationships dynamically
    • Simulate cross-user attacks automatically
    • Detect when a 200 OK should have been 403 Forbidden

    Security testing must evolve from:

    "Is the endpoint reachable?"

    to:

    "Is this specific object accessible only to its rightful owner?"

    Final Thought

    From automotive APIs to fintech, healthcare SaaS, AI copilots, and global CRM ecosystems, BOLA remains the most exploited API vulnerability entering 2026.

    Authentication answers:

    "Who are you?"

    Authorization must answer:

    "Should you see THIS exact object?"

    If that second question is not enforced consistently - everywhere - your API is one ID away from a breach.

    Back

    Subscribe to our newsletter

    Get API security tips and ApyGuard updates straight to your inbox. No spam, just useful content.

    You can unsubscribe at any time with one click.