The application exposes internal object references (such as database IDs) and fails to verify user authorization before granting access to the referenced objects.
An attacker could access, modify, or delete data belonging to other users by manipulating object references in API requests or URLs.
Enforce server-side authorization on every request that references an object: validate that the authenticated user is permitted to access the specific resource requested, ideally by scoping the lookup to that user rather than checking after the fact. Use indirect references or UUIDs instead of sequential IDs to make references unguessable; this is defense in depth and does not replace the authorization check.
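As an added illustration (not code from the original report): a minimal Python lookup handler in its IDOR-prone form beside the corrected one, plus a per-user indirect-reference map of the kind the remediation describes. The in-memory `DOCUMENTS` table, the user IDs and all function and class names are constructed for this example.

```python
import secrets

# Constructed in-memory table standing in for a database. Keys are the
# sequential IDs that an IDOR-prone endpoint exposes directly to clients.
DOCUMENTS = {
    1: {"owner_id": 100, "body": "alice's tax return"},
    2: {"owner_id": 200, "body": "bob's medical record"},
}

class NotFound(Exception):
    """Raised for missing *and* unauthorized objects alike, so a probe
    cannot tell whether an ID exists from a difference in response."""

def get_document_vulnerable(doc_id: int) -> dict:
    """Before: looks up the object by the client-supplied ID only.
    Any authenticated user who edits doc_id in the URL gets the record."""
    if doc_id not in DOCUMENTS:
        raise NotFound()
    return DOCUMENTS[doc_id]

def get_document(current_user_id: int, doc_id: int) -> dict:
    """After: the ownership check is part of the lookup itself, so no
    code path can return another user's object."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner_id"] != current_user_id:
        raise NotFound()
    return doc

class ReferenceMap:
    """Indirect references: a per-user, unguessable handle replaces the
    database ID in URLs. Defense in depth only: resolve() still goes
    through get_document, so the ownership check is never bypassed."""

    def __init__(self) -> None:
        self._handles: dict[tuple[int, str], int] = {}

    def issue(self, user_id: int, doc_id: int) -> str:
        handle = secrets.token_urlsafe(16)  # 128 bits, not enumerable
        self._handles[(user_id, handle)] = doc_id
        return handle

    def resolve(self, user_id: int, handle: str) -> dict:
        doc_id = self._handles.get((user_id, handle))
        if doc_id is None:  # unknown handle, or another user's handle
            raise NotFound()
        return get_document(user_id, doc_id)
```

The same ownership condition belongs in the database query of a real service (for example a `WHERE id = ? AND owner_id = ?` clause) so that the check cannot be skipped by a new call site.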