Broken Object Property Level Authorization

Broken Object Property Level Authorization Node.js (Express) [CVE-2026-7381]

[Updated April 2026] Updated CVE-2026-7381

Overview

Broken Object Level Authorization occurs when a service uses a user-supplied object identifier to retrieve or modify a resource without verifying that the requesting user is permitted to act on that specific object. The OWASP API Security Top 10 lists this as API1:2023, and the closely related Broken Object Property Level Authorization as API3:2023: the first is reaching an object the caller should not reach at all, the second is reading or writing properties of an object the caller may legitimately reach (a response that serializes an internal field, or an update body that rebinds ownerId). The two usually appear together, because the handler that skips the ownership check is typically the same one that returns or accepts the whole document.

In real-world Node.js (Express) apps, REST endpoints fetch documents or records by the ID in req.params (for example /api/users/:id or /api/projects/:id) and return them to the client without confirming ownership or scope. This leaks data between users and enables privilege escalation: horizontally, when one user reads or edits another user's objects, and vertically, when a low-privilege user reaches objects only administrators should see. Multi-tenant applications must scope every lookup to the caller's tenant; otherwise an attacker can enumerate IDs (sequential integers are trivial to walk, and random IDs still leak through URLs, logs and other responses) and read unrelated tenants' data.

Mitigation requires enforcing object-level authorization consistently. Store per-object metadata (ownerId, tenantId, or an ACL) and evaluate a policy before sending or modifying data, either by checking req.user against the fetched object or by scoping the query itself to the caller's permitted set, for example by adding the caller's tenantId to the query filter. Put the check in shared middleware or a central policy function rather than re-implementing it per route, so one forgotten branch does not become the bypass. Never use a client-supplied ID as an access decision on its own. For the property-level half, serialize an explicit allowlist of fields rather than the whole model, and accept only an allowlist of writable fields on create and update.

Deny with an appropriate status code: 403 when the object exists but the caller may not access it, 404 when it does not. If the existence of a resource is itself sensitive (guessable IDs, per-user records), return 404 in both cases with an identical body, since a 403 confirms to the attacker that the ID is valid. Add automated tests that exercise every object-returning route as a second, non-owning user and as a user from another tenant; log authorization decisions; and review query paths on every change so a later refactor cannot quietly drop the filter.

Code Fix Example

Node.js (Express) API Security Remediation
// Vulnerable pattern (no authorization check, returns resource by ID)
app.get('/api/resources/:id', async (req, res) => {
  const resource = await Resource.findById(req.params.id);
  if (!resource) return res.status(404).send('Not found');
  // No ownership/permission check performed here: any caller who knows or
  // guesses an ID receives the full document, every property included
  res.json(resource);
});

// Fixed pattern (perform object-level authorization before returning data)
// Assumes ensureAuthenticated populates req.user with { id, tenantId, roles }
// and that Resource is a Mongoose model carrying ownerId and tenantId.
app.get('/api/resources/:id', ensureAuthenticated, async (req, res, next) => {
  try {
    // Reject malformed IDs up front; otherwise Mongoose throws a CastError
    if (!mongoose.isValidObjectId(req.params.id)) return res.status(404).send('Not found');
    const resource = await Resource.findById(req.params.id);
    if (!resource) return res.status(404).send('Not found');
    // Tenant scope is mandatory; within the tenant, the owner or a tenant admin may read.
    // Checking the admin role alone would let an admin of another tenant read this object.
    // String() normalises ObjectId values, which === would never consider equal.
    const sameTenant = String(resource.tenantId) === String(req.user.tenantId);
    const isOwner = String(resource.ownerId) === String(req.user.id);
    const hasAccess = sameTenant && (isOwner || req.user.roles.includes('admin'));
    // 403 confirms the object exists; return 404 here instead if existence must stay hidden
    if (!hasAccess) return res.status(403).send('Forbidden');
    res.json(resource);
  } catch (err) {
    next(err); // Express 4 does not forward rejected promises from async handlers
  }
});

CVE References
