VC010 · A01:2021 · CWE-862

Missing authorization checks

Authorization missing on resource access — code authenticates the user but doesn't verify they own or can access the specific resource being requested.

What this rule detects

VC010 fires when a route fetches a resource by an ID taken from the URL (path segment or query string) but doesn't constrain the query by the requesting user's ownership. The bug is easy to miss because the route looks authenticated (there is a `userId` from the session), but the database query trusts the URL parameter alone and never cross-checks it against that `userId`.

Vulnerable vs. safe code

Vulnerable
// Assumed imports (not shown on the page): a session helper that returns
// the signed-in user's id, and a Prisma-style database client.
import { auth } from "@/lib/auth";
import { db } from "@/lib/db";

// Authenticated, but no ownership check.
export async function GET(req: Request, { params }: { params: { orderId: string } }) {
  const { userId } = await auth();
  if (!userId) return new Response("Unauthorized", { status: 401 });

  // userId is never used in the query: the lookup trusts the URL alone.
  const order = await db.order.findUnique({ where: { id: params.orderId } });
  return Response.json(order);
  // Anyone logged in can read anyone else's order by changing orderId.
}
Safe
// Assumed imports (not shown on the page): a session helper that returns
// the signed-in user's id, and a Prisma-style database client.
import { auth } from "@/lib/auth";
import { db } from "@/lib/db";

export async function GET(req: Request, { params }: { params: { orderId: string } }) {
  const { userId } = await auth();
  if (!userId) return new Response("Unauthorized", { status: 401 });

  // Scope the lookup by the session's userId as well as the URL id, so an
  // order that belongs to someone else matches nothing. (On Prisma before 5,
  // a non-unique column in findUnique's where needs findFirst instead.)
  const order = await db.order.findUnique({
    where: { id: params.orderId, userId },
  });
  // 404 for both "no such order" and "not yours": a 403 would confirm that
  // the guessed id exists.
  if (!order) return new Response("Not found", { status: 404 });
  return Response.json(order);
}

About A01:2021 Broken Access Control

Access-control bugs let users do things they shouldn't: view another user's data, modify records they don't own, or hit admin-only endpoints without admin rights. The category moved from #5 to #1 in the 2021 OWASP Top 10: 94% of the applications in the OWASP dataset were tested for some form of broken access control, and the 34 CWEs mapped to the category had more occurrences than any other category in the dataset.

Impact: An access-control bug typically has a larger blast radius than other vulnerability classes, because it hands an ordinary authenticated user another user's data or an administrator's capabilities without any further exploitation. Examples we've seen in AI-generated code: a /api/user/[id] route that returns any user's profile, a delete endpoint that doesn't check ownership, an admin dashboard with no role check.

How to fix it: Check authentication AND authorization on every server-side route. Never rely on the client to enforce permissions; default to deny. For per-resource checks, either scope the query by the session user's id (as in the safe example above) or fetch the resource and compare its owner to the requesting user before returning or modifying it. Return 404 rather than 403 when the caller is not the owner, so the endpoint doesn't confirm that a guessed id exists.

Common patterns in this category:

  • Missing auth check on API routes (the resource is returned to anyone with the URL)
  • Authorization based on a parameter the client controls (e.g. trusting `?userId=` in the URL)
  • Direct object references where the resource ID isn't validated against the requesting user
  • Public access to administrative or internal endpoints
  • Privilege escalation via mass assignment (user POSTs `{role: 'admin'}` and the ORM accepts it)
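The patterns above, worked through in one self-contained TypeScript module. This is an added example, not XploitScan's or the page's own code: it replaces the database with two in-memory Maps of constructed sample users and orders, and the handler signatures, field names and `MUTABLE_PROFILE_FIELDS` allow-list are assumptions for illustration, not the API of any library. It ends with the regression check a reviewer would keep in CI: every cross-user path is denied.

```typescript
// Added example: in-memory model of the access-control patterns listed above.
// All names, records and handler shapes are constructed for illustration.

type Role = "user" | "admin";
interface User { id: string; role: Role; email: string; displayName: string }
interface Order { id: string; userId: string; total: number }
interface Session { userId: string }

// Constructed sample data: two ordinary users and one admin.
const users = new Map<string, User>([
  ["u1", { id: "u1", role: "user", email: "a@example.com", displayName: "Alice" }],
  ["u2", { id: "u2", role: "user", email: "b@example.com", displayName: "Bob" }],
  ["adm", { id: "adm", role: "admin", email: "root@example.com", displayName: "Root" }],
]);
const orders = new Map<string, Order>([
  ["o1", { id: "o1", userId: "u1", total: 42 }],
  ["o2", { id: "o2", userId: "u2", total: 99 }],
]);

type Result<T> = { status: 200; body: T } | { status: 401 | 403 | 404; body: string };

// Direct object reference: scope the lookup by the session's userId, never by
// anything the client sent. A missing order and a foreign order both become
// 404 so the endpoint does not confirm that the guessed id exists.
export function getOrder(session: Session | null, orderId: string): Result<Order> {
  if (!session) return { status: 401, body: "Unauthorized" };
  const order = orders.get(orderId);
  if (!order || order.userId !== session.userId) return { status: 404, body: "Not found" };
  return { status: 200, body: order };
}

// Client-controlled identity: the ?userId= query parameter is ignored and the
// profile being updated is always the session user's.
// Mass assignment: only allow-listed fields are copied from the body, so a
// body of { role: "admin" } is dropped instead of persisted.
const MUTABLE_PROFILE_FIELDS: ReadonlyArray<"email" | "displayName"> = ["email", "displayName"];
export function updateProfile(
  session: Session | null,
  query: { userId?: string },
  body: Record<string, unknown>,
): Result<User> {
  if (!session) return { status: 401, body: "Unauthorized" };
  const user = users.get(session.userId); // deliberately not query.userId
  if (!user) return { status: 404, body: "Not found" };
  const updated: User = { ...user };
  for (const field of MUTABLE_PROFILE_FIELDS) {
    const value = body[field];
    if (typeof value === "string") updated[field] = value;
  }
  users.set(updated.id, updated);
  return { status: 200, body: updated };
}

// Admin endpoint: authentication alone is not enough. The role comes from the
// server-side user record, not from a claim the client supplied.
export function listAllUsers(session: Session | null): Result<User[]> {
  if (!session) return { status: 401, body: "Unauthorized" };
  const caller = users.get(session.userId);
  if (!caller || caller.role !== "admin") return { status: 403, body: "Forbidden" };
  return { status: 200, body: [...users.values()] };
}

// Regression check for CI: Bob (u2) tries every cross-user path and each is
// denied, while the legitimate paths still work. Returns true when all hold.
export function crossUserAccessIsDenied(): boolean {
  const bob: Session = { userId: "u2" };
  const readForeign = getOrder(bob, "o1").status === 404;
  const spoofed = updateProfile(bob, { userId: "u1" }, { displayName: "pwned", role: "admin" });
  const idNotSwapped = spoofed.status === 200 && spoofed.body.id === "u2";
  const roleNotEscalated =
    users.get("u2")!.role === "user" && users.get("u1")!.displayName === "Alice";
  const adminGated =
    listAllUsers(bob).status === 403 && listAllUsers({ userId: "adm" }).status === 200;
  return readForeign && idNotSwapped && roleNotEscalated && adminGated;
}
```

The three handlers share one shape: identity comes from the session, the role from the stored record, and the set of writable fields from a server-side allow-list. Anything the client can influence (path id, query parameter, request body) is only ever used as a filter or as data, never as the basis of a permission decision.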

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2: CC6.1, CC6.3
ISO 27001: A.8.3, A.8.5
OWASP Top 10: A01:2021 Broken Access Control
CWE: CWE-862

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC010 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

