Broken Object-Level Authorization (BOLA) is an access control flaw in which an application or API checks that a user is authenticated, but fails to verify whether that user is allowed to access a specific object, such as another person’s account, order, file, or medical record. The weakness often appears when requests use direct identifiers like record IDs, invoice numbers, or user IDs.
This matters because object-level checks protect the actual data behind an endpoint. If they are missing, an attacker can modify an identifier in a request and retrieve or change records they should never see. In real attacks, BOLA can expose private data, alter transactions, or allow unauthorized actions across large numbers of accounts. Defenses include server-side authorization on every object access, deny-by-default rules, indirect or unpredictable object references where appropriate, strict testing of each endpoint, and monitoring for abnormal enumeration patterns. Strong authentication alone is not enough; each object request must be authorized separately.



