Security Glossary

What Is BOLA (IDOR) Vulnerability?

Ubserve | March 28, 2026 | 2 min read

Focus: BOLA | Risk: High | Stack: Supabase/Next.js | Detection: Ubserve Runtime Simulation

BOLA, also called IDOR, is an authorization flaw that exposes records outside the requester’s scope. It lets attackers access other users’ objects by changing identifiers.

[Figure: Dark security wireframe showing object ID request paths and authorization checks.]

The vulnerability is rarely caused by a missing login check. It usually appears when code verifies authentication ("who are you?") but skips authorization ("do you own this object?") on a read or write path: the route trusts the identifier in the request and looks the object up by that identifier alone. AI-generated APIs often miss this second check.

A non-technical analogy: being allowed into an apartment building does not mean you can open every unit door by changing the unit number on the intercom request.

As shown in the Policy Gate diagram, the left lane should represent authenticated actor identity, and the right lane should represent object-level ownership enforcement per request.

Agentic Risk (Cursor, v0, Bolt)

Ubserve Internal Audit data from 2026 shows 27.9% of AI-generated mutation routes enforce session presence but miss actor-to-object checks. This is the highest-frequency launch blocker in founder-shipped APIs.

Wrong vs. Right

// WRONG: object fetch by ID only. Any caller with a valid session can read any
// order whose ID they can guess or enumerate; ownership is never checked.
const order = await db.order.findUnique({ where: { id: params.id } });

// RIGHT: object fetch by ID + tenant/user scope. The scope comes from the
// verified session, never from the request. An ID belonging to another tenant
// returns null here and should be answered with 404, exactly like a missing ID.
const order = await db.order.findFirst({
  where: { id: params.id, tenantId: session.tenantId },
});

Copy-Paste Fix Prompt for Cursor/Claude

Audit my API for BOLA/IDOR vulnerabilities.
1) Enumerate all routes accepting IDs.
2) Flag lookups not constrained by authenticated tenant/user scope.
3) Patch all reads/writes with actor-to-object ownership checks.
4) Add negative tests where UUIDs from other tenants return 404/403.
Return code diffs + test cases only.

How Ubserve Applies This in Real Scans

Ubserve treats BOLA (IDOR) as a production risk, not a theory term. Our runtime simulation maps this control to attacker paths in auth, data access, and API behavior, then returns fix-ready guidance tied to your stack. OWASP-style principles are used as the baseline, but we prioritize what is actually exploitable in your live flow.

Detection: Runtime exploit simulation + behavioral authorization checks.

Evidence: Clear proof path showing where trust boundaries fail.

Remediation: AI-ready fix prompts and implementation-level patch guidance.

FAQs

Is BOLA the same as IDOR?
Yes in practice. IDOR (Insecure Direct Object Reference) is the older name; BOLA (Broken Object Level Authorization) is the term used in the OWASP API Security Top 10.

Why is BOLA common in AI-built apps?
Generated routes often validate authentication but skip object-level ownership validation, so any authenticated caller can reach any object by ID.
Glossary to action

Want Ubserve to test this risk in your app?

Run a scan and get attacker-first validation, exploit evidence, and fix guidance mapped to BOLA (IDOR).