The API automatically binds client-provided parameters to internal object properties without proper filtering, allowing attackers to modify fields they should not have access to.
An attacker could modify sensitive fields such as user roles, account status, pricing, or access levels by including unexpected parameters in API requests.
Implement explicit allowlists of properties that can be updated by the client. Never automatically bind all request parameters to data models. Use separate DTOs for input and output. Validate all incoming data against a strict schema.
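As an added illustration (not code from the original page), here is a "bind every parameter" update handler next to a version that validates the request body against an explicit allowlist acting as an input DTO; the `User` model, its field names and the request payloads are constructed for the demo.

```python
"""Mass-assignment demo: vulnerable binding vs. allowlisted DTO.
The User model, field names and payloads are assumptions for this example.
Runs without any web framework."""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    role: str = "user"          # sensitive: never client-controlled
    is_active: bool = True      # sensitive: never client-controlled


# --- Vulnerable: every client-supplied key is bound onto the model -----
def update_user_vulnerable(user: User, payload: dict) -> User:
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)   # {"role": "admin"} lands here too
    return user


# --- Hardened: explicit allowlist + type schema acts as the input DTO ---
UPDATABLE_FIELDS = {"username": str, "email": str}   # field -> expected type


def validate_update_dto(payload: dict) -> dict:
    """Reject unknown keys and wrong types; return only the clean fields.
    Rejecting (rather than silently dropping) unknown keys makes attempts
    to set privileged fields visible in application logs."""
    unknown = set(payload) - set(UPDATABLE_FIELDS)
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    for key, expected in UPDATABLE_FIELDS.items():
        if key in payload and not isinstance(payload[key], expected):
            raise ValueError(f"{key}: expected {expected.__name__}")
    return dict(payload)


def update_user_safe(user: User, payload: dict) -> User:
    for key, value in validate_update_dto(payload).items():
        setattr(user, key, value)
    return user


if __name__ == "__main__":
    # constructed request body that smuggles in a privileged field
    body = {"email": "alice@example.com", "role": "admin"}
    print(update_user_vulnerable(User("alice", "a@x"), body).role)  # admin
    try:
        update_user_safe(User("alice", "a@x"), body)
    except ValueError as err:
        print("rejected:", err)
```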