Broken Object Level Authorization

Broken Object Level Authorization in Go (Gin) [June 2026] [GHSA-x744-4wpc-v9h2]

[June 2026] Updated GHSA-x744-4wpc-v9h2

Overview

Broken Object Level Authorization (BOLA) vulnerabilities in Go with the Gin framework allow an authenticated user to access or modify resources that belong to another user by manipulating object identifiers in request paths (for example, /users/:id or /orders/:order_id). If an API relies solely on a token-based identity and omits per-object ownership checks in route handlers or the service layer, attackers can read or mutate data they should not access, leading to data leakage and potential privilege escalation. In Gin-based services, BOLA often appears when handlers fetch resources by ID from the URL without validating ownership, or when business logic is shared across resources without centralized access-control checks. No CVEs are provided in this request, but the vulnerability class aligns with common patterns seen in similar frameworks.

Code Fix Example

Go (Gin) API Security Remediation 
VULNERABLE:
package main

import (
  "net/http"
  "github.com/gin-gonic/gin"
)

type User struct { ID string; Email string }

var store = map[string]User{
  "1": {ID: "1", Email: "[email protected]"},
  "2": {ID: "2", Email: "[email protected]"},
}

// Insecure: returns user by path param without verifying ownership
func vulnerableGetUser(c *gin.Context) {
  id := c.Param("id")
  if u, ok := store[id]; ok {
    c.JSON(http.StatusOK, u)
    return
  }
  c.Status(http.StatusNotFound)
}

// FIX: verify ownership using authenticated user id from context
func fixedGetUser(c *gin.Context) {
  authID, exists := c.Get("userID")
  if !exists {
    c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
    return
  }
  id := c.Param("id")
  if id != authID {
    c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
    return
  }
  if u, ok := store[id]; ok {
    c.JSON(http.StatusOK, u)
    return
  }
  c.Status(http.StatusNotFound)
}

func main() {
  r := gin.Default()
  // simple auth middleware: expects X-User-ID header and stores it as userID
  r.Use(func(c *gin.Context) {
    u := c.GetHeader("X-User-ID")
    if u == "" {
      c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
      return
    }
    c.Set("userID", u)
    c.Next()
  })

  r.GET("/vuln/users/:id", vulnerableGetUser) // vulnerable pattern
  r.GET("/fix/users/:id", fixedGetUser)       // fixed pattern
  r.Run()
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.