VBS-2026-0008 | HIGH | CVSS 7.7 | CWE-639

AI tools generate CRUD endpoints that accept user-supplied IDs but do not verify ownership. Any authenticated user can read, modify, or delete another user's records by guessing or enumerating sequential/UUID IDs.
// app/api/posts/[id]/route.ts
import { NextResponse } from 'next/server'
import { db } from '@/lib/db' // assumed location of the app's ORM client

export async function GET(req: Request, { params }: { params: { id: string } }) {
  // Looks up the row by the client-supplied id alone
  const post = await db.posts.findUnique({ where: { id: params.id } })
  // ↑ No check that post.userId === currentUser.id
  return NextResponse.json(post)
}

Always filter by both the resource ID and the authenticated user's ID: WHERE id = $1 AND user_id = $2. Never trust a client-supplied ID without verifying ownership.
How do I check if my Next.js + Express app is affected by insecure direct object reference on AI-generated CRUD endpoints?
AI tools generate CRUD endpoints that accept user-supplied IDs but do not verify ownership. Search your Next.js, Express, Prisma, and Drizzle code for lookups, updates, and deletes that take a client-supplied ID without an owner filter, and verify that the remediation has been applied.
Why do Lovable and Bolt.new generate code with CWE-639 (high severity)?
AI tools generate CRUD endpoints that accept user-supplied IDs but do not verify ownership. Any authenticated user can read, modify, or delete another user's records by guessing or enumerating sequential/UUID IDs.
How do I fix insecure direct object reference on AI-generated CRUD endpoints?
Always filter by both the resource ID and the authenticated user's ID: WHERE id = $1 AND user_id = $2. Never trust a client-supplied ID without verifying ownership.
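The remediation applied to the vulnerable GET handler above, as an added example that is not the advisory's own code: every read and delete carries both the resource id and the caller's id. The in-memory `db` is a constructed stand-in that mimics a Prisma-style `findFirst`/`deleteMany({ where })` client, and `currentUserId` is assumed to come from the app's session layer.

```typescript
interface Post { id: string; userId: string; title: string }

// Constructed sample rows standing in for the posts table.
const POSTS: Post[] = [
  { id: '1', userId: 'alice', title: 'alice private' },
  { id: '2', userId: 'bob',   title: 'bob private' },
];

// Every key in `where` must match, as an ORM would AND the conditions.
function matches(p: Post, where: Partial<Post>): boolean {
  return (Object.keys(where) as (keyof Post)[]).every(k => p[k] === where[k]);
}

// Minimal stand-in for the ORM client (constructed, not a real library).
const db = {
  posts: {
    findFirst(args: { where: Partial<Post> }): Post | null {
      return POSTS.find(p => matches(p, args.where)) ?? null;
    },
    deleteMany(args: { where: Partial<Post> }): { count: number } {
      const before = POSTS.length;
      for (let i = POSTS.length - 1; i >= 0; i--) {
        if (matches(POSTS[i], args.where)) POSTS.splice(i, 1);
      }
      return { count: before - POSTS.length };
    },
  },
};

export interface Result { status: number; body: Post | { error: string } | { deleted: string } }

// Ownership-scoped read: the query is WHERE id = $1 AND user_id = $2, so a
// record owned by someone else is simply not found. Unknown and foreign ids get
// the same 404, which keeps the endpoint from acting as an id oracle.
export function getPost(postId: string, currentUserId: string | null): Result {
  if (!currentUserId) return { status: 401, body: { error: 'unauthenticated' } };
  const post = db.posts.findFirst({ where: { id: postId, userId: currentUserId } });
  if (!post) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: post };
}

// Same rule for mutations: scope the delete by owner and rely on the affected
// row count rather than reading the row first and checking afterwards.
export function deletePost(postId: string, currentUserId: string | null): Result {
  if (!currentUserId) return { status: 401, body: { error: 'unauthenticated' } };
  const { count } = db.posts.deleteMany({ where: { id: postId, userId: currentUserId } });
  if (count === 0) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { deleted: postId } };
}
```

In the real route handler, wrap the returned `Result` in `NextResponse.json(result.body, { status: result.status })`.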
What can an attacker do if my app contains VBS-2026-0008?
With CVSS 7.7 (high), this vulnerability is high risk — significant data or functionality can be compromised. Any authenticated user can read, modify, or delete another user's records by guessing or enumerating sequential/UUID IDs.