The application fails to verify that the authenticated user is authorized to access the specific object named in a request, so a user can reach resources belonging to other users at the same privilege level (horizontal access, commonly called an insecure direct object reference) simply by supplying another user's identifier.
An attacker who is already authenticated could read, modify, or delete data belonging to other users by changing identifiers in requests (path segments, query parameters, form or JSON fields), leading to data breach and privacy violations; because the identifiers are often sequential, the attack is trivially enumerable.
Implement object-level authorization checks on every request that touches a user-owned object, not only on the listing endpoint. Load the object, then verify that the authenticated user owns it or has been explicitly granted access to it, and return the same "not found" response for objects that do not exist and objects the user may not see, so the check does not leak which identifiers are valid. Where direct identifiers must be exposed, indirect references (random, per-user tokens mapped to real identifiers server-side) make guessing impractical, but they are defense in depth: the ownership check is still required on every access.
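The following is an added illustration, not code from the page or from any particular application. It shows a document endpoint in its vulnerable form (authenticated, but no ownership check) beside a hardened form that performs the object-level check for read, update and delete, plus an indirect-reference map layered on top. The user ids, documents and the `Forbidden` exception are constructed for the example; the code is framework-free so it runs stand-alone.

```python
"""Object-level authorization: vulnerable handler, hardened handler, and
indirect references. All data below is constructed sample data."""
from dataclasses import dataclass, field
import secrets


class Forbidden(Exception):
    """Raised for both missing and foreign objects, so the response does not
    reveal whether an identifier exists (assumed error type for this example)."""


@dataclass
class Document:
    id: int
    owner_id: int
    body: str
    shared_with: set = field(default_factory=set)


# Constructed sample store: two users at the same privilege level (100, 200).
DOCS = {
    1: Document(1, owner_id=100, body="alice's notes"),
    2: Document(2, owner_id=200, body="bob's notes"),
    3: Document(3, owner_id=200, body="bob shares this", shared_with={100}),
}


def get_document_vulnerable(current_user_id, doc_id):
    """VULNERABLE: the caller is authenticated, but any doc_id is served."""
    return DOCS[doc_id].body


def can_access(user_id, doc):
    """Ownership or an explicit grant; extend with roles/ACLs as needed."""
    return doc.owner_id == user_id or user_id in doc.shared_with


def _authorize(current_user_id, doc_id):
    """Load the object and enforce the object-level check in one place.
    Missing and foreign objects produce the identical error."""
    doc = DOCS.get(doc_id)
    if doc is None or not can_access(current_user_id, doc):
        raise Forbidden("not found")
    return doc


def get_document_secure(current_user_id, doc_id):
    return _authorize(current_user_id, doc_id).body


def update_document_secure(current_user_id, doc_id, new_body):
    # Write paths need the same check as reads; only the owner may edit here.
    doc = _authorize(current_user_id, doc_id)
    if doc.owner_id != current_user_id:
        raise Forbidden("not found")
    doc.body = new_body
    return doc.body


def delete_document_secure(current_user_id, doc_id):
    doc = _authorize(current_user_id, doc_id)
    if doc.owner_id != current_user_id:
        raise Forbidden("not found")
    del DOCS[doc_id]
    return True


class ReferenceMap:
    """Indirect references: random per-user tokens mapped to real ids.
    A token issued to one user resolves only for that user."""

    def __init__(self):
        self._map = {}  # (user_id, token) -> doc_id

    def issue(self, user_id, doc_id):
        token = secrets.token_urlsafe(16)
        self._map[(user_id, token)] = doc_id
        return token

    def resolve(self, user_id, token):
        return self._map.get((user_id, token))


def get_document_indirect(refmap, current_user_id, token):
    doc_id = refmap.resolve(current_user_id, token)
    if doc_id is None:
        raise Forbidden("not found")
    # Indirection is defense in depth: the object-level check still runs.
    return get_document_secure(current_user_id, doc_id)


def is_denied(fn, *args):
    """Helper for demonstrations/tests: True if the call raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable leak:", get_document_vulnerable(100, 2))
    print("secure denied:", is_denied(get_document_secure, 100, 2))
    rm = ReferenceMap()
    tok = rm.issue(100, 1)
    print("indirect ok:", get_document_indirect(rm, 100, tok))
    print("token reuse by other user denied:", is_denied(get_document_indirect, rm, 200, tok))
```

The important design point is that `_authorize` is the single choke point every read, update and delete goes through; the bug in `get_document_vulnerable` is not a missing authentication step but a missing per-object decision after authentication.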