Broken Object Level Authorization

Broken Object Level Authorization in Go (Gin) [Apr 2026] [GHSA-g8p8-94f2-28gr]

[Updated Apr 2026] Updated GHSA-g8p8-94f2-28gr

Overview

Broken Object Level Authorization (BOLA) vulnerabilities in API servers occur when programs fail to enforce ownership checks on resources accessed via IDs. This can lead to attackers accessing or modifying data belonging to other users. In real-world Go (Gin) APIs, endpoints that return resources by ID, such as /items/:id or /orders/:id, are especially susceptible when the resource owner is determined by the client-provided ID and not validated against the authenticated user. Note: No CVE IDs are provided for this guide. In Go Gin, BOLA often happens when a handler queries a resource by ID and returns it without verifying that resource.OwnerID matches the current user. Attackers can enumerate IDs and exfiltrate data or perform unauthorized actions. If there is no RBAC or ABAC in place, the risk scales with the number of endpoints exposing object IDs. Remediation strategy overview: enforce ownership checks in the application logic, perform authorization checks at the service/repository boundary, use owner-based filters in queries, implement RBAC/ABAC, avoid exposing IDs without authorization, and add tests.

Code Fix Example

Go (Gin) API Security Remediation 
package main

import (
  "net/http"
  "github.com/gin-gonic/gin"
)

type Item struct {
  ID string `json:\"id\"`
  OwnerID string `json:\"owner_id\"`
  Data string `json:\"data\"`
}

var items = []Item{
  {ID: "1", OwnerID: "alice", Data: "secret A"},
  {ID: "2", OwnerID: "bob", Data: "secret B"},
}

// Vulnerable handler: does not verify ownership
func getItemVulnerable(c *gin.Context) {
  id := c.Param("id")
  for _, it := range items {
     if it.ID == id {
        c.JSON(http.StatusOK, it)
        return
     }
  }
  c.Status(http.StatusNotFound)
}

// Secure handler: enforces ownership
func getItemSecure(c *gin.Context) {
  id := c.Param("id")
  userID, _ := c.Get("userID")
  for _, it := range items {
     if it.ID == id {
        if it.OwnerID != userID {
           c.Status(http.StatusForbidden)
           return
        }
        c.JSON(http.StatusOK, it)
        return
     }
  }
  c.Status(http.StatusNotFound)
}

func main() {
  r := gin.Default()

  r.Use(func(c *gin.Context){
     if u := c.GetHeader("X-User"); u != "" {
        c.Set("userID", u)
     }
     c.Next()
  })

  r.GET("/vulnerable/items/:id", getItemVulnerable)
  r.GET("/secure/items/:id", getItemSecure)

  r.Run(":8080")
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.