Overview
Broken Object Level Authorization (BOLA) occurs when an API returns or permits actions on a resource identified by a parameter in the request without verifying that the authenticated user has rights to that specific object. In practice, this enables an attacker to view, modify, or delete data owned by other users by altering the object identifier in the request. BOLA is a critical class of vulnerabilities in multi-tenant or role-based systems and can be exploited even when the user is authenticated.
A real-world illustration of the risk, albeit not Go, is CVE-2026-26990 in LibreNMS (Versions 25.12.0 and below) where an address parameter was used unsafely in a SQL query, allowing an authenticated attacker to influence query results via time-based blind injection. The vulnerability was fixed in version 26.2.0. Although this CVE is SQL injection, its underlying message-failure to enforce proper access boundaries in request processing-maps to BOLA: if you trust an ID from the client without authorization checks, you expose data to other users.
In Go with Gin, BOLA manifests when handlers fetch resources based on IDs in the URL without asserting ownership or access rights, or when queries concatenate IDs into SQL or data-layer calls. The remediation is twofold: ensure you bound params in database queries and enforce ownership in every resource fetch, ideally using a parameterized query that also filters by the current user's ID; and structure code so authorization runs in middleware or a dedicated service.
This guide provides a concrete Go (Gin) example showing a vulnerable pattern and a secure fix, plus steps to implement, test, and verify BOLA defenses in your codebase.
Affected Versions
LibreNMS <= 25.12.0 (patched in 26.2.0)
Code Fix Example
Go (Gin) API Security Remediation
package main
import (
"database/sql"
"log"
"net/http"
"github.com/gin-gonic/gin"
_ "github.com/mattn/go-sqlite3"
)
type Resource struct {
ID int64 `json:"id"`
OwnerID int64 `json:"owner_id"`
Data string `json:"data"`
}
type User struct {
ID int64
}
var db *sql.DB
func main() {
var err error
db, err = sql.Open("sqlite3", ":memory:")
if err != nil {
log.Fatal(err)
}
defer db.Close()
// Initialize schema and seed data
if _, err := db.Exec(`CREATE TABLE resources (id INTEGER PRIMARY KEY, owner_id INTEGER, data TEXT)`); err != nil {
log.Fatal(err)
}
if _, err := db.Exec(`INSERT INTO resources (id, owner_id, data) VALUES (1, 1, 'secret1')`); err != nil {
log.Fatal(err)
}
r := gin.Default()
r.GET("/resources/:id/vulnerable", vulnerableGetResource)
r.GET("/resources/:id/fixed", fixedGetResource)
if err := r.Run(":8080"); err != nil {
log.Fatal(err)
}
}
func currentUser(c *gin.Context) *User {
// In real apps, extract from JWT/session; here we hardcode for demonstration
return &User{ID: 1}
}
// VULNERABLE: builds SQL with concatenation and does not enforce ownership
func vulnerableGetResource(c *gin.Context) {
id := c.Param("id")
// No ownership check; potential BOLA if multiple owners exist
row := db.QueryRow("SELECT id, owner_id, data FROM resources WHERE id = " + id)
var res Resource
if err := row.Scan(&res.ID, &res.OwnerID, &res.Data); err != nil {
c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
return
}
c.JSON(http.StatusOK, res)
}
// FIXED: parameterized query and enforced ownership
func fixedGetResource(c *gin.Context) {
id := c.Param("id")
user := currentUser(c)
row := db.QueryRow("SELECT id, owner_id, data FROM resources WHERE id = ? AND owner_id = ?", id, user.ID)
var res Resource
if err := row.Scan(&res.ID, &res.OwnerID, &res.Data); err != nil {
if err == sql.ErrNoRows {
c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
return
}
c.JSON(http.StatusInternalServerError, gin.H{"error": "internal"})
return
}
c.JSON(http.StatusOK, res)
}