Skip to content
Security & Trust

One Valid Login, Every Resource: The IDOR Gap That Scales with AI Agents

Authentication passed. Authorization was absent. How a gonic Subsonic API flaw illustrates the gap AI agents exploit at scale.

· 4 min read
Share on X LinkedIn
One Valid Login, Every Resource: The IDOR Gap That Scales with AI Agents

One Login, Every Resource

The Subsonic API implementation in gonic, an open-source music streaming server, contained a textbook authorization void: any authenticated user — regardless of privilege level — could delete or retrieve playlists belonging to any other user, including administrators. The API endpoints confirmed identity. They did not confirm ownership. Disclosed via the GitHub Advisory Database as GHSA-hmgp-w9jm-vp95, the flaw is a precise illustration of Broken Object Level Authorization — OWASP's designation for what security researchers call Insecure Direct Object Reference, or IDOR. Authentication passed. Authorization was absent. In human-paced applications, the operational gap between these two controls is often manageable. In machine-paced environments, it is not.

API1:2023 — Broken Object Level Authorization (BOLA/IDOR) — ranked as the highest-priority API vulnerability class
Top API Security Risk Category
Source: OWASP API Security Top 10 (2023)

The Authorization Architecture Gap

Authentication and authorization are architecturally separate controls. Authentication answers: who are you? Authorization answers: what are you permitted to access? Systems that implement the first without enforcing the second at the resource level are vulnerable to IDOR regardless of how robust their login flow is. In the gonic case, the Subsonic API accepted valid sessions and routed requests to any resource ID supplied — no ownership check, no role constraint, no per-object gate. An attacker operating within this system needs only one valid account. From that position, they can traverse any resource in the database, read its contents, and delete it without elevated privilege. The vulnerability does not require credential theft beyond basic access. It requires only authentication — and authentication alone is not authorization.

Broken Access Control ranked A01:2021 — the highest-frequency web application vulnerability category, rising from #5 in OWASP's prior release cycle
Web Application Access Control
Source: OWASP Top 10 (November 2021)

The Machine Multiplier

AI agents authenticate through APIs. They hold credentials — OAuth tokens, session keys, user-delegated access — and issue requests at machine velocity. In a system with an IDOR vulnerability, the presence of an agent acting on behalf of a user changes the exposure calculus materially. A human attacker manually probing resource IDs might access dozens of records before detection becomes likely. An agent, operating against the same endpoint with the same credential, traverses the same ID space in seconds. The cross-user exposure that was theoretically possible becomes operationally routine. Organizations deploying AI agents that authenticate against internal platforms — document stores, media libraries, customer databases — should not assume that authentication enforcement at the platform level translates to resource-level isolation. The gonic flaw makes this distinction explicit: the agent is authenticated; the resources are not protected from it. Each incremental improvement in agent capability — more concurrent requests, broader API coverage, longer session lifetimes — proportionally increases the blast radius of an unguarded object reference.

1,629 entries in the CISA Known Exploited Vulnerabilities catalog
Active Exploited Vulnerabilities Tracked
Source: CISA KEV Catalog (June 25, 2026)

What the Scan Data Reflects

Across 466,000+ sites detected in the WebPulse June 2026 dataset — spanning 25 frameworks and 100+ top-level domains — API-forward architectures represent an increasing share of the detected stack. Frameworks with strong security conventions include per-request authorization middleware in their core model; others leave resource-level access control to the implementer. The gonic case illustrates the implementer gap: the Subsonic API specification did not enforce per-resource authorization, and the implementation did not add it. Detection of an API endpoint in a scan does not imply resource-level access control is present. Organizations assessing API-dependent systems should treat authentication coverage and authorization coverage as separate audit dimensions — not proxies for each other. In agentic environments, where a single authenticated session can drive thousands of API calls per minute, that distinction carries direct operational weight.

Share this insight