What is broken access control?
Last reviewed June 2, 2026
Broken access control is a category of flaws where an application fails to enforce what authenticated or anonymous users are allowed to do, letting them access data or actions outside their intended permissions. It ranks as A01 in the OWASP Top 10 2021 and covers issues such as IDOR, privilege escalation, and missing function-level checks. The fix is to deny by default and enforce authorization on the server for every request.
What broken access control is
Access control, also called authorization, decides which users may perform which actions on which resources. Broken access control means those rules are missing, incomplete, or enforced in the wrong place, so users can read or change data and invoke functionality they should not be able to.
It became the number one risk in the OWASP Top 10 2021 because it is widespread and high impact. It maps to weaknesses such as CWE-285 for improper authorization and CWE-862 for missing authorization.
Common forms of broken access control
- Horizontal escalation, where a user accesses another user's resources at the same privilege level, such as viewing someone else's account by changing an identifier.
- Vertical escalation, where a normal user gains higher privileges, such as reaching administrative functions.
- Insecure direct object references, or IDOR, where object identifiers in requests are not checked against the current user.
- Forced browsing, where an attacker visits URLs or endpoints directly without following the intended navigation.
- Missing function-level access control, where the user interface hides an action but the underlying endpoint does not verify permission.
Impact of broken access control
The consequences depend on what the unauthorized access exposes, but they are frequently serious. Attackers can read or modify other users' records, escalate to administrative control, and bypass business rules that protect funds, data, or workflows.
- Unauthorized disclosure or modification of other users' data.
- Privilege escalation to administrative or superuser capabilities.
- Bypass of business logic such as payment, approval, or quota limits.
- Mass data exposure when an identifier can be enumerated across records.
How to prevent broken access control
- Deny by default, granting access only through explicit allow rules.
- Enforce authorization on the server for every request, never relying on hidden UI elements or client-side checks.
- Check ownership and permission for each object reference rather than trusting identifiers supplied by the client.
- Centralize access control logic in a single, well tested mechanism instead of scattering checks across the codebase.
- Log access control failures, alert on anomalies, and include authorization tests in the development pipeline.
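The following is an added example, not code from the original page, showing the IDOR pattern from the list of common forms beside the hardened shape the prevention list describes: a single policy function that denies by default, an ownership check on every object reference, a server-side check on an admin-only function, and an audit trail of denials. It models a tiny account service without a web framework so it runs offline; the account records, user names, roles and policy rules are all constructed for illustration.

```python
"""Deny-by-default, server-side authorization for object references (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed sample data: each account is owned by exactly one user.
ACCOUNTS = {
    101: {"id": 101, "owner": "alice", "balance": 250},
    102: {"id": 102, "owner": "bob", "balance": 900},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the server (never from the client)."""
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


class AccessDenied(Exception):
    """Raised for every request that no explicit allow rule covers."""


# Audit trail of denials; a real service would ship these to its log pipeline.
DENIALS: List[Tuple[str, str, str]] = []
_denial_counts: Counter = Counter()


def vulnerable_get_account(principal: Principal, account_id: int) -> dict:
    """IDOR: the identifier from the client is trusted without an ownership check."""
    return ACCOUNTS[account_id]


def authorize(principal: Principal, action: str, resource: Optional[dict]) -> bool:
    """Single policy decision point. True only when an explicit allow rule matches."""
    if "admin" in principal.roles:
        return True  # hypothetical rule: admins may perform any action
    if resource is None:
        return False  # no object to be an owner of, so nothing can allow it
    if action in ("read", "update") and resource.get("owner") == principal.user_id:
        return True  # owners may read and update their own account
    return False  # deny by default: delete, other users' accounts, unknown actions


def _enforce(principal: Principal, action: str, resource_id, resource: Optional[dict]) -> None:
    """Policy enforcement point: every endpoint calls this before touching data."""
    if not authorize(principal, action, resource):
        DENIALS.append((principal.user_id, action, str(resource_id)))
        _denial_counts[principal.user_id] += 1
        raise AccessDenied(f"{principal.user_id} may not {action} {resource_id}")


def get_account(principal: Principal, account_id: int) -> dict:
    """Hardened version: look the object up, then check the caller against it."""
    account = ACCOUNTS.get(account_id)
    _enforce(principal, "read", account_id, account)
    if account is None:  # only reachable by an admin asking for a missing id
        raise LookupError(account_id)
    return account


def list_all_accounts(principal: Principal) -> list:
    """Admin-only function: the permission check lives here, not in the UI."""
    _enforce(principal, "list_all", "accounts", None)
    return list(ACCOUNTS.values())


def is_denied(fn: Callable, *args) -> bool:
    """Helper for tests and demos: True if the call was refused by policy."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


def denial_count(user_id: str) -> int:
    return _denial_counts[user_id]


def suspicious_principals(threshold: int = 3) -> List[str]:
    """Callers with repeated denials, e.g. someone walking through account ids."""
    return sorted(u for u, c in _denial_counts.items() if c >= threshold)


if __name__ == "__main__":
    bob = Principal("bob")
    print("vulnerable:", vulnerable_get_account(bob, 101))  # bob reads alice's account
    print("hardened denied:", is_denied(get_account, bob, 101))
    print("denials:", DENIALS)
```

Two design points worth noting: the same `AccessDenied` is raised whether the account belongs to someone else or does not exist at all, so a caller probing identifiers learns nothing from the difference; and because every endpoint routes through `_enforce`, the denial counter gives the pipeline one place to detect the enumeration pattern from the impact section rather than one log statement per handler.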
Keep exploring
- What is an IDOR? A specific form of broken access control on object references.
- What is privilege escalation? Vertical escalation is a key broken access control outcome.
- What is the OWASP Top 10? Broken access control ranks as A01 in the 2021 list.
- What is cross-site request forgery? A related flaw that abuses a user's authenticated session.
- What is a CWE? How weaknesses like CWE-285 and CWE-862 are catalogued.
- CWE directory: Browse the full Common Weakness Enumeration.
Frequently asked questions
- What is the difference between horizontal and vertical privilege escalation?
- Horizontal escalation means accessing resources belonging to another user at the same privilege level. Vertical escalation means gaining a higher privilege level, such as a standard user reaching administrator functions.
- How does IDOR relate to broken access control?
- IDOR is a specific instance of broken access control. It occurs when an application exposes a reference to an object and fails to verify that the current user is authorized for it, allowing access by changing the identifier.
- Why is broken access control ranked first in the OWASP Top 10 2021?
- It moved to A01 because it was found in a large share of tested applications and because the impact is high. Authorization mistakes are easy to introduce and often expose sensitive data or privileged actions.
- Can access control be enforced on the client side?
- No. Client-side checks improve usability but are trivially bypassed. Authorization must be enforced on the server for every request, since the client is fully under the attacker's control.