Friday 26 June 2026 04:44:16 GMT+02:00

Netcrook


WIKICROOK

BOLA

Broken object-level authorization: an API flaw where the server confirms that a caller is authenticated but never checks whether that caller is allowed to access the specific record requested.

BOLA stands for broken object-level authorization, also known as an insecure direct object reference (IDOR); it is listed as API1 in the OWASP API Security Top 10. It is an API flaw where the server checks that a user is authenticated but does not verify that the user is allowed to access the specific object requested, such as an order, profile, invoice or message. Because the object identifier comes from the request (a path segment, query parameter or JSON field), an attacker only has to change that value to reach records belonging to someone else. Sequential or otherwise predictable IDs make this trivial to automate, but unguessable IDs (UUIDs) are not a fix: identifiers routinely leak through other endpoints, shared URLs and client-side code, and one leaked ID is enough.

BOLA matters because it leaks or alters sensitive data without any visible compromise of the system: the requests look like ordinary authenticated traffic. Attackers use it to read, modify or delete other users' records, sometimes at scale by iterating through adjacent IDs. The fix is an authorization check on every request that touches an object, not only at login: resolve the object together with the caller's identity (for example, scope the database query to the authenticated owner or tenant) and return the same response for an object the caller may not access as for one that does not exist, so the API does not confirm which IDs are valid. Deny-by-default policies, server-side checks that the client cannot bypass, and a single shared authorization layer reduce the chance of a forgotten check on one endpoint. Rate limiting and logging of repeated denied lookups help detect enumeration, but they are monitoring aids, not substitutes for the ownership check itself.
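The following is an added example, not code from the Netcrook page: a minimal in-memory "orders API" in Python that places a BOLA-vulnerable lookup next to an ownership-scoped one, runs an attacker loop that walks adjacent IDs against each, and counts denied lookups per caller so that probing becomes visible. The order data, session tokens, user names and the probing threshold are all constructed for illustration.

```python
"""
Added example (not from the Netcrook page): BOLA-vulnerable vs. ownership-scoped
object lookup, with an ID-enumeration loop and a per-user denial counter.
All data, names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed sample data: sequential IDs belonging to several users.
ORDERS = {
    1001: Order(1001, "alice", 42.00),
    1002: Order(1002, "bob", 19.99),
    1003: Order(1003, "carol", 250.00),
    1004: Order(1004, "alice", 7.50),
}

# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token):
    """Return the user for a valid token, or None (a 401 in a real API)."""
    return SESSIONS.get(token)


def get_order_vulnerable(token, order_id):
    """BOLA: verifies WHO is calling, never whether they may see THIS order."""
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order  # any authenticated user reaches any order


# Per-user count of denied object lookups, used to spot ID probing.
DENIED = defaultdict(int)
PROBE_THRESHOLD = 3  # constructed value; tune to real traffic


def get_order_secure(token, order_id):
    """Ownership check on every request: the lookup is scoped to the caller.

    In a real service this scoping lives in the query itself, e.g.
    SELECT ... WHERE id = ? AND owner_id = ?, so no handler can forget it.
    A missing order and someone else's order both return 404, so the
    response does not reveal which IDs exist. Denials are counted per user
    so that iteration over adjacent IDs is visible to monitoring.
    """
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:  # deny by default
        DENIED[user] += 1
        return 404, None
    return 200, order


def denied_count(user):
    """Number of denied object lookups recorded for a user."""
    return DENIED.get(user, 0)


def probing_users():
    """Users whose denied lookups reached the threshold (alert candidates)."""
    return sorted(u for u, n in DENIED.items() if n >= PROBE_THRESHOLD)


def enumerate_orders(handler, token, start, stop):
    """Attacker loop: walk adjacent IDs and keep whatever comes back 200."""
    found = {}
    for oid in range(start, stop):
        status, order = handler(token, oid)
        if status == 200:
            found[oid] = order.owner
    return found


if __name__ == "__main__":
    # Bob, a legitimate user, enumerates IDs 1000..1009 against each handler.
    print("vulnerable:", enumerate_orders(get_order_vulnerable, "tok-bob", 1000, 1010))
    print("secure:    ", enumerate_orders(get_order_secure, "tok-bob", 1000, 1010))
    print("probing:   ", probing_users())
```

Against the vulnerable handler Bob's loop returns every order in the range, including Alice's and Carol's; against the scoped handler it returns only his own, and the nine denied lookups push him over the constructed threshold, which is the signal a detection rule would alert on.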
