Broken Object Level Authorization (BOLA)

APIs skip per-object permission checks, so attackers can change IDs to read or edit someone else’s data.

What it is

BOLA occurs when an API does not properly verify that a user is authorized to access a specific object, such as a record, file, or account. Attackers manipulate object identifiers or IDs in requests to retrieve or modify data belonging to other users.

Why it matters

This vulnerability grants direct access to sensitive data without breaking authentication. It is one of the most common and damaging API security issues, often leading to large-scale data breaches and privacy violations.

How to reduce risk

  • Enforce authorization checks for every single object request
  • Validate object ownership and permissions server-side, never in the client
  • Avoid exposing predictable identifiers that make object guessing trivial
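An added illustration of the first two points, not code from this glossary: a "fetch record by ID" handler shown once with the BOLA defect and once with a server-side ownership check. The record store, user names, IDs and the `Forbidden` type are constructed for the example.

```python
# Added illustration, not from the glossary: constructed record store and handlers.
from dataclasses import dataclass, field

@dataclass
class Record:
    record_id: int
    owner: str
    body: str
    shared_with: set = field(default_factory=set)

# Constructed sample store: sequential IDs make guessing trivial.
RECORDS = {
    101: Record(101, "alice", "alice's invoice"),
    102: Record(102, "bob", "bob's medical note"),
    103: Record(103, "bob", "bob's shared draft", shared_with={"alice"}),
}

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

def get_record_vulnerable(caller: str, record_id: int) -> Record:
    """BOLA: existence is checked, ownership is not, so any authenticated
    caller can walk the ID space and read other users' records."""
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    return record

def is_authorized(caller: str, record: Record) -> bool:
    """Server-side object-level rule: owner, or explicitly shared with."""
    return caller == record.owner or caller in record.shared_with

def get_record_secure(caller: str, record_id: int) -> Record:
    """Fixed handler: `caller` comes from the authenticated session, not the
    request, and the object is checked before anything is returned."""
    record = RECORDS.get(record_id)
    # Same error for "missing" and "not yours", so the ID space cannot be
    # mapped by telling 403 apart from 404.
    if record is None or not is_authorized(caller, record):
        raise Forbidden(f"record {record_id} not available to {caller}")
    return record

def can_read(caller: str, record_id: int) -> bool:
    """Yes/no wrapper around the secure handler, handy for bulk checks."""
    try:
        get_record_secure(caller, record_id)
        return True
    except Forbidden:
        return False
```

The check belongs in every handler that takes an object ID, including list, update and delete routes, not only the single-object read shown here.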

Related Terms: Access Control, API Misconfiguration, Insecure Direct Object Reference (IDOR)