Broken Object Level Authorization

Broken Object Level Authorization in Go (Gin) [May 2026] [GHSA-jrc5-w569-h7h5]

[Updated May 2026] Updated GHSA-jrc5-w569-h7h5

Overview

Broken Object Level Authorization (BOLOA) occurs when an API reveals or manipulates a resource simply by changing an object identifier, without confirming the caller's rights. In Gin-based services that expose endpoints like /documents/:id or /orders/:orderId, attackers can enumerate IDs and access data they should not see, leading to data leakage and privacy violations. In Go with Gin, this vulnerability often shows up when a handler fetches a resource by ID and returns it without verifying ownership. The risk is amplified if authentication is assumed from a token but the resource check is missing, or if different endpoints fail to consistently enforce the same policy. Mitigation focuses on enforcing object-level authorization at the API boundary. Require that the resource owner or an access policy permits the operation before returning data or applying changes. Implement this via explicit checks in handlers, centralized middleware, or database constraints, and accompany with tests that simulate unauthorized access.

Code Fix Example

Go (Gin) API Security Remediation 
package main

import (
  "net/http"
  "github.com/gin-gonic/gin"
)

type Document struct { ID string; OwnerID string; Content string }

var documents = []Document{
  {ID: "1", OwnerID: "alice", Content: "Top secret A"},
  {ID: "2", OwnerID: "bob", Content: "Confidential B"},
}

func main() {
  r := gin.Default()
  r.Use(authMiddleware())
  r.GET("/documents/:id", vulnerableGetDocument)
  r.GET("/secure-documents/:id", fixedGetDocument)
  r.Run(":8080")
}

func authMiddleware() gin.HandlerFunc {
  return func(c *gin.Context) {
    user := c.GetHeader("X-User")
    if user == "" {
      user = "anonymous"
    }
    c.Set("userID", user)
    c.Next()
  }
}

func vulnerableGetDocument(c *gin.Context) {
  id := c.Param("id")
  doc, ok := findDocByID(id)
  if !ok {
    c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
    return
  }
  // Vulnerable: no ownership check
  c.JSON(http.StatusOK, gin.H{"doc": doc.Content})
}

func fixedGetDocument(c *gin.Context) {
  id := c.Param("id")
  doc, ok := findDocByID(id)
  if !ok {
    c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
    return
  }
  userVal, _ := c.Get("userID")
  userID, _ := userVal.(string)
  if doc.OwnerID != userID {
    c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
    return
  }
  c.JSON(http.StatusOK, gin.H{"doc": doc.Content})
}

func findDocByID(id string) (Document, bool) {
  for _, d := range documents {
    if d.ID == id {
      return d, true
    }
  }
  return Document{}, false
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.