Missing object-level authorization allows cross-user data access
Severity: critical | Category: security | Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
Database queries retrieve objects by ID without scoping the lookup to the current authenticated user, so any logged-in user can read other users' data simply by changing the ID parameter in a URL or API request.
Recommended action:
Always scope querysets to the current user. In function views: invoice = get_object_or_404(Invoice, id=invoice_id, user=request.user). In class-based views: override get_queryset() to return Model.objects.filter(user=self.request.user). Test by authenticating as one user, requesting another user's object ID, and confirming the lookup fails (404) rather than returning the object.
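The following is an added example, not code from the original entry. It mirrors the two Django patterns above (the scoped get_object_or_404 call and a get_queryset override) against a small in-memory stand-in for the ORM so it runs without Django installed; the User and Invoice records, the ALICE/BOB accounts, and the helper names are constructed for illustration. It also implements the recommended test: authenticate as one user and try to fetch another user's invoice ID through both the vulnerable and the scoped view.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    username: str


@dataclass(frozen=True)
class Invoice:
    id: int
    user_id: int  # owner; corresponds to the Django ForeignKey `user`
    total: int


class NotFound(Exception):
    """Stand-in for Django's Http404 raised by get_object_or_404."""


# Constructed sample data: two users, one invoice each.
ALICE = User(1, "alice")
BOB = User(2, "bob")
INVOICES = [
    Invoice(100, ALICE.id, 50),
    Invoice(101, BOB.id, 75),
]


def get_object_or_404(rows, **filters):
    """Same contract as Django's helper: every filter must match, else 404."""
    for row in rows:
        if all(getattr(row, key) == value for key, value in filters.items()):
            return row
    raise NotFound(filters)


# --- Function-based views -------------------------------------------------

def invoice_detail_vulnerable(current_user, invoice_id):
    """Looks up by ID only; the authenticated user is never consulted."""
    return get_object_or_404(INVOICES, id=invoice_id)


def invoice_detail_scoped(current_user, invoice_id):
    """Fix: the owner is part of the lookup, so foreign IDs yield 404."""
    return get_object_or_404(INVOICES, id=invoice_id, user_id=current_user.id)


# --- Class-based view analogue ---------------------------------------------

class InvoiceListView:
    """Mimics a Django ListView where get_queryset() is overridden to
    return only the current user's rows (Model.objects.filter(user=...))."""

    def __init__(self, current_user):
        self.request_user = current_user

    def get_queryset(self):
        return [inv for inv in INVOICES if inv.user_id == self.request_user.id]


# --- The recommended test --------------------------------------------------

def can_read_cross_user(view, attacker, victim_invoice_id):
    """True if `attacker` can fetch an invoice they do not own via `view`."""
    try:
        view(attacker, victim_invoice_id)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    # Bob requests Alice's invoice (ID 100) through each view.
    print("vulnerable leaks:", can_read_cross_user(invoice_detail_vulnerable, BOB, 100))
    print("scoped leaks:   ", can_read_cross_user(invoice_detail_scoped, BOB, 100))
    print("alice's list:   ", InvoiceListView(ALICE).get_queryset())
```

The scoped view still returns Alice's own invoice when Alice asks for it, so the fix costs nothing for legitimate requests; the only behaviour that changes is that an ID belonging to another user now produces a 404 instead of that user's data.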