API endpoints do not verify that the authenticated user is authorized to access the specific object referenced in the request, allowing unauthorized data access through predictable object IDs.
An attacker could access, modify, or delete data belonging to other users by iterating through or guessing object identifiers in API requests.
Implement object-level authorization checks in every API endpoint: before processing a request, verify that the authenticated user is permitted to access the specific object it references. Use unpredictable object identifiers (UUIDs) so that identifiers cannot be enumerated.
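The following is an added illustration, not code from the affected API: a minimal in-memory record store with the vulnerable handler (looks an object up by id and never asks who owns it) beside the hardened one (object-level ownership check before any data is returned, with UUID identifiers). All names (`RECORDS`, `get_record`, the owner field) are constructed for this example.

```python
import itertools
import uuid

# Constructed in-memory store for the example: object id -> record.
RECORDS = {}
_sequential = itertools.count(1)   # predictable ids, as in the vulnerable design

def create_record(owner_id, content, predictable_ids=False):
    """Store a record and return its id; UUIDs make ids infeasible to guess."""
    rec_id = str(next(_sequential)) if predictable_ids else str(uuid.uuid4())
    RECORDS[rec_id] = {"owner": owner_id, "content": content}
    return rec_id

def get_record_vulnerable(requester_id, rec_id):
    """Vulnerable handler: the caller is authenticated (requester_id is known)
    but the handler never checks that the caller owns the referenced object."""
    rec = RECORDS.get(rec_id)
    return (404, None) if rec is None else (200, rec["content"])

def get_record(requester_id, rec_id):
    """Hardened handler: object-level authorization before any data is returned.
    Unpredictable ids hinder enumeration but do not replace this check."""
    rec = RECORDS.get(rec_id)
    # Same 404 for 'missing' and 'not yours', so the response does not reveal
    # whether another user's object exists.
    if rec is None or rec["owner"] != requester_id:
        return 404, None
    return 200, rec["content"]

def delete_record(requester_id, rec_id):
    """The same check applies to every verb; modify and delete need it too."""
    rec = RECORDS.get(rec_id)
    if rec is None or rec["owner"] != requester_id:
        return 404
    del RECORDS[rec_id]
    return 204
```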