The application fails to properly enforce role-based access controls, allowing a lower-privileged user to access functionality reserved for higher-privileged roles such as administrators.
An attacker could gain administrative access to the application, modify security settings, access all user data, create backdoor accounts, or compromise the entire system.
Implement role-based access control (RBAC) with server-side enforcement. Deny access by default and grant permissions explicitly. Audit all administrative endpoints for proper authorization checks. Implement separation of duties.
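As an added illustration of the remediation above (example code, not from the original finding), the snippet below shows a deny-by-default RBAC check with server-side role resolution, plus an audit helper that flags administrative routes registered without an explicit permission. Role names, permission strings and route names are constructed for the example.

```python
from functools import wraps

# Explicit grants only: a permission not listed here is denied for every role.
ROLE_PERMISSIONS = {
    "user":    {"profile:read", "profile:update"},
    "auditor": {"profile:read", "audit:read"},
    "admin":   {"profile:read", "profile:update", "users:list",
                "users:create", "settings:write"},
}

class Session:
    """Roles come from the server-side session store, never from the request
    body or a client-controlled flag such as is_admin=true."""
    def __init__(self, user_id, roles):
        self.user_id = user_id
        self.roles = frozenset(roles)

def is_allowed(session, permission):
    """Deny by default: allow only if a server-known role explicitly carries it.
    Unknown roles map to the empty set and are therefore denied."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in session.roles)

ENDPOINTS = {}   # route name -> required permission (None = no check registered)

def endpoint(name, permission=None):
    """Register a route and enforce its permission on every call, server-side."""
    def decorator(fn):
        ENDPOINTS[name] = permission
        @wraps(fn)
        def wrapper(session, *args, **kwargs):
            # Fail closed: a route with no permission registered is denied outright,
            # and the rejection is the record an audit or detection rule looks for.
            if permission is None or not is_allowed(session, permission):
                raise PermissionError(f"{session.user_id} denied {name}")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator

@endpoint("PUT /admin/settings", "settings:write")
def update_settings(session, settings):
    return {"updated_by": session.user_id, **settings}

@endpoint("POST /admin/users")   # registered without a permission: an audit finding
def create_user(session, username):
    return {"created": username}

def unprotected_admin_endpoints():
    """Audit step from the remediation: admin routes lacking an explicit permission."""
    return sorted(n for n, p in ENDPOINTS.items()
                  if n.split()[1].startswith("/admin/") and p is None)
```

Because the decorator fails closed, a forgotten permission turns into a denied call plus an audit finding rather than an open administrative endpoint.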