What it is
An Authorization Bypass occurs when an attacker accesses restricted functionality or data without proper permission checks, even though authentication may still be in place.
This differs from broken authentication: the user's identity is known, but the logic that decides what that user may do fails.
Why it matters
Authorization bypass vulnerabilities can result in:
- Access to sensitive data
- Account or tenant takeover
- Full application compromise
They are among the most critical and frequently exploited application security issues.
How to reduce risk
- Enforce authorization checks server-side for every request
- Avoid relying on client-side controls
- Use role- and attribute-based access control (RBAC / ABAC)
- Regularly test for horizontal privilege escalation (one user reaching another user's data) and vertical privilege escalation (a low-privilege user reaching admin-only functionality)
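The following is an added illustration, not code from the original page: a toy document API with a handler that authenticates but never authorizes (horizontal bypass) and one that trusts a client-supplied role (vertical bypass), beside hardened handlers that apply a server-side RBAC/ABAC policy to every request. The User class, DOCS store, authorize() policy and Forbidden exception are all constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"; in a real app this comes from the server-side session


# Constructed sample data: two documents owned by two different users.
DOCS = {
    101: {"owner": 1, "body": "alice's notes"},
    102: {"owner": 2, "body": "bob's notes"},
}


def get_document_vulnerable(user: User, doc_id: int) -> str:
    # Authentication happened (we have a User) but there is no authorization check,
    # so any logged-in user can read any document by changing doc_id.
    return DOCS[doc_id]["body"]


def delete_document_vulnerable(request: dict, store: dict, doc_id: int) -> None:
    # Client-side control: the role is read from the request body instead of the session,
    # so the check is decided by whoever built the request.
    if request.get("role") != "admin":
        raise Forbidden("admin only")
    store.pop(doc_id)


def authorize(user: User, action: str, doc: dict) -> bool:
    """Central policy: RBAC for admins, ABAC (owner attribute) for ordinary users."""
    if user.role == "admin":
        return True
    if action in ("read", "update"):
        return doc["owner"] == user.id
    return False  # delete and anything unknown is admin-only


def get_document(user: User, doc_id: int) -> str:
    doc = DOCS.get(doc_id)
    # One error for both "missing" and "not yours" so IDs cannot be enumerated.
    if doc is None or not authorize(user, "read", doc):
        raise Forbidden(f"doc {doc_id}")
    return doc["body"]


def delete_document(user: User, store: dict, doc_id: int) -> None:
    doc = store.get(doc_id)
    if doc is None or not authorize(user, "delete", doc):
        raise Forbidden(f"doc {doc_id}")
    store.pop(doc_id)
```

The hardened handlers call authorize() before touching the object, using only the User derived server-side; a test suite for this code would assert both that owners and admins succeed and that every other caller is denied.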