
ExpressVPN Glossary

Broken access control


What is broken access control?

Broken access control is a security vulnerability in which an application fails to correctly enforce authorization, allowing users to access data or perform actions beyond their intended permissions.

How does broken access control happen?

Broken access control happens when authorization checks aren’t enforced at the point where actions are executed. This typically occurs when the server trusts data sent by the client, such as user IDs or role values stored in session tokens or cookies. If the server accepts these values without validation, an attacker can modify them to access other users’ data or gain additional privileges.

It can also happen when permission checks are enforced only in the user interface, applied inconsistently across services, or checked only at the start of a workflow. In these cases, attackers can bypass restrictions by directly calling backend API endpoints or altering request parameters.

[Figure: flow diagram showing an attacker's request reaching a web app or API, a missing authorization check, and unauthorized access or actions. Callouts summarize common patterns and prevention steps.]
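To make the failure concrete, here is an added example written for this entry (it is not code from ExpressVPN or from any product the entry describes). It shows one profile-update handler twice in Python: first trusting a user ID and role the client sent in cookies, which is the insecure-direct-object-reference pattern, and then rewritten so that identity comes from a server-side session and the ownership-or-admin check runs at the point of action. The session store, profile table, handler and request-builder names are hypothetical and all data is constructed.

```python
# Added example for this glossary entry (not ExpressVPN's code): the same
# profile-update endpoint written twice, once trusting client-supplied identity
# and once deriving it from a server-side session. All names are hypothetical.

# Constructed server-side state: opaque session tokens map to authenticated users.
SESSIONS = {
    "tok-alice": {"user_id": 1001, "role": "user"},
    "tok-bob":   {"user_id": 1002, "role": "user"},
    "tok-admin": {"user_id": 1,    "role": "admin"},
}
PROFILES = {
    1001: {"email": "alice@example.test"},
    1002: {"email": "bob@example.test"},
}


def update_email_vulnerable(request):
    """Broken access control: the ownership check compares the target against a
    'user_id' cookie and a 'role' cookie, both of which the client chose, so a
    rewritten cookie edits another account or passes as an admin."""
    cookies = request["cookies"]
    target = int(request["params"]["user_id"])
    caller = int(cookies.get("user_id", 0))
    if cookies.get("role") != "admin" and caller != target:
        return 403, "forbidden"
    if target not in PROFILES:
        return 404, "not found"
    PROFILES[target]["email"] = request["body"]["email"]
    return 200, PROFILES[target]["email"]


def update_email_secure(request):
    """Authorization enforced at the point of action from server-side state:
    the caller's identity and role come from the session store, never from
    anything else the client sent alongside the request."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "unauthenticated"
    target = int(request["params"]["user_id"])
    # Ownership-or-admin check. It runs before the existence check so that a
    # denied caller cannot use 403-vs-404 differences to learn which IDs exist.
    if session["role"] != "admin" and session["user_id"] != target:
        return 403, "forbidden"
    if target not in PROFILES:
        return 404, "not found"
    PROFILES[target]["email"] = request["body"]["email"]
    return 200, PROFILES[target]["email"]


def make_request(session_token, target_user_id, new_email, extra_cookies=None):
    """Build a request as the server would see it (constructed, not captured)."""
    cookies = {"session": session_token}
    cookies.update(extra_cookies or {})
    return {
        "cookies": cookies,
        "params": {"user_id": str(target_user_id)},
        "body": {"email": new_email},
    }


if __name__ == "__main__":
    # Alice's real session, but the cookies claim Bob's user ID: the vulnerable
    # handler believes the claim, the secure handler ignores it and denies.
    tampered = make_request("tok-alice", 1002, "x@example.test", {"user_id": "1002"})
    print(update_email_vulnerable(tampered))  # (200, 'x@example.test')
    print(update_email_secure(tampered))      # (403, 'forbidden')
```

The secure variant never reads a user ID or role from the client; the only client-controlled input it trusts is the opaque session token, which it resolves against server-side state. Ordering the authorization check ahead of the existence check is a small detail worth keeping: it means a denied caller gets the same response whether or not the target exists.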

Where does broken access control occur?

Broken access control can surface in a variety of contexts, including:

  • Web applications with role-based features: Sites that assign roles (such as admin, editor, or viewer) depend on strong server‑side controls to ensure each user can only perform the actions they’re allowed to.
  • Mobile apps that call backend APIs: Mobile applications typically talk to a server to fetch or update data. If the server trusts information sent by the client, attackers can manipulate requests and bypass authorization.
  • Administrative panels and dashboards: Control interfaces for content management systems, IoT devices, and other tools may have hidden or poorly tested endpoints that could have been overlooked during development.
  • Multitenant SaaS environments: Software‑as‑a‑Service (SaaS) providers host multiple customers on shared infrastructure. Proper authorization is needed to keep each tenant’s data and permissions separate.
  • Microservices and internal tools: Modern applications are frequently built from many small services that expose APIs. Inconsistent authorization logic across these services can lead to gaps that allow unauthorized access.

Risks and privacy concerns

Broken access control can result in unauthorized access to personal, financial, or confidential data belonging to other users or organizations. This exposure increases the risk of identity theft, financial abuse, and misuse of sensitive information.

From a privacy standpoint, such failures may violate data protection laws and contractual obligations by allowing data to be accessed outside its intended scope.


FAQ

What’s the difference between authentication and authorization?

Authentication verifies identity, while authorization defines what actions that identity is allowed to perform. Broken access control concerns the failure of authorization.

What are IDOR and BOLA, and how do they relate?

An insecure direct object reference (IDOR) occurs when an application uses user‑controlled identifiers to access objects without confirming ownership, allowing attackers to change the identifier and access another user’s data. Broken object-level authorization (BOLA), the API equivalent, occurs when an API endpoint lacks proper authorization checks. Both represent broken access control.

Why are APIs prone to broken access control?

APIs expose granular operations and often trust client-provided data. Developers may assume front‑end controls are sufficient and omit server‑side checks. Rapid development and versioning can create inconsistent authorization policies across endpoints.
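The inconsistency problem is easiest to see in code. The following added Python example (written for this entry, not ExpressVPN's code; every name in it is hypothetical and the session data is constructed) registers endpoints through one decorator that attaches the allowed-role set at registration time, so versioned copies of an endpoint share the same server-side check and nothing can be served without a policy, and it includes an audit function that lists any served path that never went through that layer.

```python
# Added example for this glossary entry (not ExpressVPN's code): a tiny route
# table with one deny-by-default authorization layer shared by every endpoint,
# plus an audit that lists endpoints that bypassed it. Names are hypothetical.

from functools import wraps

# Constructed server-side session store (token -> authenticated principal).
SESSIONS = {
    "tok-alice": {"user_id": 1001, "role": "user"},
    "tok-admin": {"user_id": 1,    "role": "admin"},
}

# path -> (guarded handler, allowed roles). Only route() adds entries.
ROUTES = {}


def route(*paths, roles):
    """Register a handler under one or more paths together with the roles
    allowed to call it. The policy is attached at registration time, so an
    endpoint cannot be served without one, and versioned copies of the same
    operation (v1, v2) are guarded by exactly the same check."""
    if not roles:
        raise ValueError(f"{paths}: empty role set; state the allowed roles explicitly")
    allowed = frozenset(roles)

    def decorator(handler):
        @wraps(handler)
        def guarded(request):
            session = SESSIONS.get(request.get("session"))
            if session is None:
                return 401, "unauthenticated"
            if session["role"] not in allowed:
                return 403, "forbidden"
            # Handlers receive the server-side session, never client claims.
            return handler(session, request)
        for path in paths:
            ROUTES[path] = (guarded, allowed)
        return guarded
    return decorator


@route("/api/v1/reports", "/api/v2/reports", roles={"user", "admin"})
def list_reports(session, request):
    # Scope the data to the caller; a role check alone is not object-level authorization.
    return 200, f"reports owned by {session['user_id']}"


@route("/api/v2/admin/users", roles={"admin"})
def list_users(session, request):
    return 200, "all users"


def dispatch(path, request):
    """Single entry point: unknown paths are 404, known ones go through the guard."""
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    return entry[0](request)


def unguarded_paths(served_paths):
    """Audit: every path the framework serves must have a policy in ROUTES.
    Anything returned here is an endpoint with no server-side authorization."""
    return sorted(p for p in served_paths if p not in ROUTES)
```

Because the guard reads only the session token and resolves everything else server-side, a request that adds a `role` field is treated exactly like one that does not. The `unguarded_paths` audit is the piece that catches drift from rapid development: feed it the full list of paths the framework actually serves, and any endpoint added outside `route()` shows up immediately.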

Is broken access control the same as privilege escalation?

No. Privilege escalation is an attack that exploits a vulnerability to gain higher privileges, whereas broken access control refers to missing or weak authorization checks. Privilege escalation can result from broken access control, but also arises from other flaws.