Access control bypass is a weakness that lets a user reach data, settings, or actions they should not be allowed to use. The failure is usually in authorization logic, not authentication: the system knows who the user is, but it checks permissions incorrectly or not at all. Common causes include broken role checks, missing object-level checks (insecure direct object references, where a record is fetched by a client-supplied id without confirming the caller may access it), predictable URLs that allow forced browsing to unlinked pages, and trusting client-side controls such as hidden form fields or buttons that are merely hidden in the UI.
This matters because a bypass can expose sensitive files, change administrative settings, or unlock functions meant only for privileged users. Attackers look for bypasses in web admin panels, APIs, upload features, and request handlers, where a small logic mistake can reveal private data or create a foothold for later attacks. Defenders reduce the risk by enforcing server-side authorization on every request (deny by default), validating that the caller owns or is permitted to use each referenced object, restricting management interfaces, and testing for both horizontal (same role, another user's data) and vertical (higher role) privilege escalation during code review and penetration testing.
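The two most common causes named above, missing object-level validation and trust in a client-side control, are easiest to see side by side with their fixes. The following is an added example written for this page, not code from any real application: a small Python stand-in for an authenticated HTTP handler, with constructed users, invoices and a settings table, and a `Request` type that separates the authenticated principal from attacker-controlled parameters. The vulnerable handlers serve the request whenever the client asks; the hardened ones decide only from server-side state.

```python
"""Added example (not from the original page): two classic access control
bypasses, an insecure direct object reference (IDOR) and a client-controlled
admin flag, beside handlers hardened with server-side authorization.
All users, ids and records below are constructed for the demo."""
from dataclasses import dataclass

# Constructed sample data: three users and three invoices they own.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
INVOICES = {
    1001: {"owner": "alice", "total": 120.50},
    1002: {"owner": "bob", "total": 99.00},
    1003: {"owner": "alice", "total": 15.25},
}
SETTINGS = {"maintenance_mode": False}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


@dataclass
class Request:
    """Tiny stand-in for an HTTP request after authentication.

    `user` is the authenticated principal taken from the session or token;
    `params` is attacker-controlled input (query string, JSON body, form).
    """
    user: str
    params: dict


# --- Vulnerable handlers ---------------------------------------------------

def get_invoice_vulnerable(req: Request) -> dict:
    """IDOR: fetches the invoice by the client-supplied id and never checks
    that the authenticated user owns it, so bob can read alice's invoice 1001."""
    invoice_id = int(req.params["id"])
    return INVOICES[invoice_id]


def set_maintenance_vulnerable(req: Request) -> bool:
    """Trusts a client-side control: the client sends is_admin=true (a hidden
    form field or JSON flag) and the server believes it."""
    if req.params.get("is_admin") == "true":
        SETTINGS["maintenance_mode"] = req.params.get("enabled") == "true"
        return True
    raise Forbidden("admin only")


# --- Hardened handlers -----------------------------------------------------

def get_invoice_secure(req: Request) -> dict:
    """Object-level check: the record is returned only if the authenticated
    user owns it. Unknown and foreign ids produce the same error so the
    response does not reveal which ids exist."""
    invoice_id = int(req.params["id"])
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != req.user:
        raise Forbidden("not your invoice")
    return invoice


def set_maintenance_secure(req: Request) -> bool:
    """Role check against server-side state only; nothing in `params`
    influences the authorization decision."""
    if USERS.get(req.user, {}).get("role") != "admin":
        raise Forbidden("admin only")
    SETTINGS["maintenance_mode"] = req.params.get("enabled") == "true"
    return True


def bypass_succeeds(handler, req: Request) -> bool:
    """True if the handler served the request instead of raising Forbidden."""
    try:
        handler(req)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Horizontal escalation: bob requests alice's invoice by guessing its id.
    idor = Request(user="bob", params={"id": "1001"})
    print("vulnerable IDOR served:", bypass_succeeds(get_invoice_vulnerable, idor))
    print("hardened IDOR served:  ", bypass_succeeds(get_invoice_secure, idor))

    # Vertical escalation: bob adds is_admin=true to the request body.
    fake_admin = Request(user="bob", params={"is_admin": "true", "enabled": "true"})
    print("vulnerable admin flag served:", bypass_succeeds(set_maintenance_vulnerable, fake_admin))
    print("hardened admin flag served:  ", bypass_succeeds(set_maintenance_secure, fake_admin))

    # The real admin still succeeds against the hardened handler.
    real_admin = Request(user="carol", params={"enabled": "false"})
    print("hardened real admin served:", bypass_succeeds(set_maintenance_secure, real_admin))
```

The hardened handlers share one property worth copying into real code: the authorization decision reads only the authenticated identity and server-side records, never anything the client sent, and a missing object and a foreign object produce the same error so an attacker cannot enumerate valid ids from the difference. In a real framework the same checks belong in a decorator or middleware applied to every route, so a forgotten check in one handler fails closed rather than open.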