One Login, Every Resource
The Subsonic API implementation in gonic, an open-source music streaming server, contained a textbook authorization void: any authenticated user — regardless of privilege level — could delete or retrieve playlists belonging to any other user, including administrators. The API endpoints confirmed identity. They did not confirm ownership. Disclosed via the GitHub Advisory Database as GHSA-hmgp-w9jm-vp95, the flaw is a precise illustration of Broken Object Level Authorization — OWASP's designation for what security researchers call Insecure Direct Object Reference, or IDOR. Authentication passed. Authorization was absent. In human-paced applications, the operational gap between these two controls is often manageable. In machine-paced environments, it is not.
The Authorization Architecture Gap
Authentication and authorization are architecturally separate controls. Authentication answers: who are you? Authorization answers: what are you permitted to access? Systems that implement the first without enforcing the second at the resource level are vulnerable to IDOR regardless of how robust their login flow is. In the gonic case, the Subsonic API accepted valid sessions and routed requests to any resource ID supplied — no ownership check, no role constraint, no per-object gate. An attacker operating within this system needs only one valid account. From that position, they can traverse any resource in the database, read its contents, and delete it without elevated privilege. The vulnerability does not require credential theft beyond basic access. It requires only authentication — and authentication alone is not authorization.
The Machine Multiplier
AI agents authenticate through APIs. They hold credentials — OAuth tokens, session keys, user-delegated access — and issue requests at machine velocity. In a system with an IDOR vulnerability, the presence of an agent acting on behalf of a user changes the exposure calculus materially. A human attacker manually probing resource IDs might access dozens of records before detection becomes likely. An agent, operating against the same endpoint with the same credential, traverses the same ID space in seconds. The cross-user exposure that was theoretically possible becomes operationally routine. Organizations deploying AI agents that authenticate against internal platforms — document stores, media libraries, customer databases — should not assume that authentication enforcement at the platform level translates to resource-level isolation. The gonic flaw makes this distinction explicit: the agent is authenticated; the resources are not protected from it. Each incremental improvement in agent capability — more concurrent requests, broader API coverage, longer session lifetimes — proportionally increases the blast radius of an unguarded object reference.
What the Scan Data Reflects
Across 466,000+ sites detected in the WebPulse June 2026 dataset — spanning 25 frameworks and 100+ top-level domains — API-forward architectures represent an increasing share of the detected stack. Frameworks with strong security conventions include per-request authorization middleware in their core model; others leave resource-level access control to the implementer. The gonic case illustrates the implementer gap: the Subsonic API specification did not enforce per-resource authorization, and the implementation did not add it. Detection of an API endpoint in a scan does not imply resource-level access control is present. Organizations assessing API-dependent systems should treat authentication coverage and authorization coverage as separate audit dimensions — not proxies for each other. In agentic environments, where a single authenticated session can drive thousands of API calls per minute, that distinction carries direct operational weight.


