Broken Object Level Authorization

Broken Object Level Authorization in Go (Gin) [May 2026] [GHSA-3775-99mw-8rp4]

[May 2026] Updated GHSA-3775-99mw-8rp4

Overview

Broken Object Level Authorization (BOLA) occurs when an API allows access to a resource without verifying ownership. In production Go services using Gin, this can lead to leakage of user data, unauthorized edits, or deletions when clients can guess or enumerate resource IDs and access them without proper checks. In Gin-based apps, handlers often take an object ID from the URL (e.g., /items/:id) and fetch the resource before or after authenticating the user. If ownership is not validated, an attacker can enumerate IDs and access or modify resources they do not own. This class of vulnerability is common across CRUD endpoints and can undermine access control boundaries in microservices and multi-tenant apps. Remediation patterns include performing ownership checks early via a policy layer, enforcing ownership in the database query (WHERE id = ? AND owner_id = ?), using middleware to load and validate resources, and implementing RBAC/ABAC controls. Tests should cover owner vs non-owner scenarios and ensure error responses do not reveal resource existence. No CVEs are provided for this guide; treat BOLA as a general risk. By applying these mitigations, you reduce data leakage risk and strengthen security posture.

Code Fix Example

Go (Gin) API Security Remediation 
package main

import (
  "fmt"
  "net/http"
  "strconv"
  "github.com/gin-gonic/gin"
)

type Item struct {
  ID int `json:\"id\"`
  OwnerID int64 `json:\"owner_id\"`
  Data string `json:\"data\"`
}

var items = []Item{
  {ID: 1, OwnerID: 10, Data: "secret"},
  {ID: 2, OwnerID: 11, Data: "public"},
}

func main() {
  r := gin.Default()
  // Vulnerable endpoint: returns item by id without checking ownership
  r.GET("/items/:id", vulnerableGetItem)
  // Fixed endpoint: enforces ownership before returning the item
  r.GET("/secure-items/:id", secureGetItem)
  r.Run()
}

// Vulnerable: does not verify that the requesting user owns the item
func vulnerableGetItem(c *gin.Context) {
  id := c.Param("id")
  for _, it := range items {
    if fmt.Sprint(it.ID) == id {
      c.JSON(http.StatusOK, it)
      return
    }
  }
  c.Status(http.StatusNotFound)
}

// Helper to fetch user id from header (for demonstration)
func getCurrentUserID(c *gin.Context) int64 {
  s := c.GetHeader("X-User-ID")
  if s == "" {
    return 0
  }
  id, _ := strconv.ParseInt(s, 10, 64)
  return id
}

// Fixed: verify ownership before returning
func secureGetItem(c *gin.Context) {
  id := c.Param("id")
  var it *Item
  for i := range items {
    if fmt.Sprint(items[i].ID) == id {
      it = &items[i]
      break
    }
  }
  if it == nil {
    c.Status(http.StatusNotFound)
    return
  }
  userID := getCurrentUserID(c)
  if it.OwnerID != userID {
    c.Status(http.StatusForbidden)
    return
  }
  c.JSON(http.StatusOK, it)
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.