
Broken Object Level Authorization (BOLA)

A software flaw in which the system does not properly check whether an authenticated user is entitled to view or change a specific piece of data, so the user can request another user's records simply by guessing or iterating an identifier. In AI platforms, this allows one user to read or overwrite another user's AI agent configurations, conversation history, or tool credentials. It is ranked first (API1:2023) in the OWASP API Security Top 10.
AI platforms store sensitive assets — custom AI agent instructions, tool API keys, and proprietary workflows — that become accessible to any authenticated user if BOLA is present, turning a low-privilege account into a gateway to enterprise data.
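The vulnerable pattern beside its fix, as an added illustration that is not part of this glossary entry: an in-memory store of AI agent configurations (constructed sample data with placeholder credentials) is read by a handler that only authenticates the caller, and then by one that also checks object ownership. The helper at the end is a regression check a team can keep in its API test suite.

```python
from dataclasses import dataclass

# Constructed sample store: agent configurations keyed by a sequential id.
# Each record names its owner and holds sensitive content (the agent's
# instructions and a tool credential). The key values are placeholders.
@dataclass(frozen=True)
class AgentConfig:
    agent_id: int
    owner_id: str
    instructions: str
    tool_api_key: str

AGENTS = {
    1001: AgentConfig(1001, "alice", "You are Alice's contract reviewer.", "PLACEHOLDER-KEY-A"),
    1002: AgentConfig(1002, "bob", "You are Bob's sales assistant.", "PLACEHOLDER-KEY-B"),
}

class NotFound(Exception):
    """Raised when the caller may not see the record, or it does not exist."""

def get_agent_vulnerable(session_user: str, agent_id: int) -> AgentConfig:
    """BOLA: the caller was authenticated upstream, but nothing ties the
    requested object to the caller, so any logged-in user can fetch any
    agent (instructions and tool key included) just by supplying its id."""
    if agent_id not in AGENTS:
        raise NotFound
    return AGENTS[agent_id]

def get_agent_fixed(session_user: str, agent_id: int) -> AgentConfig:
    """Object-level authorization: the record is returned only if the caller
    owns it. A foreign id and a non-existent id both raise NotFound, so the
    response does not reveal which ids exist."""
    record = AGENTS.get(agent_id)
    if record is None or record.owner_id != session_user:
        raise NotFound
    return record

def accessible_ids(fetch, session_user: str, id_range) -> list:
    """Regression check for the test suite: which ids in a range does the
    given handler expose to session_user? With the fixed handler the answer
    must be exactly that user's own agents."""
    found = []
    for agent_id in id_range:
        try:
            fetch(session_user, agent_id)
            found.append(agent_id)
        except NotFound:
            pass
    return found
```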
OWASP API Security Top 10 — API1:2023 Broken Object Level Authorization