wiz · Crawled Jul 5, 2026

The Red Agent POV: Exploiting Broken Object-Level Authorization in an Airline GraphQL API


AI Summary

The Red Agent, an autonomous AI-powered security testing tool, discovered a critical Broken Object-Level Authorization (BOLA) vulnerability in an airline's public GraphQL booking API. Booking records were addressed by sequential integer identifiers and the backend performed no authorization check on them, so the agent gained unauthenticated access to sensitive passenger data: personal information, contact details, billing addresses, and active flight itineraries. The flaw granted full read and write access, allowing data exfiltration and unauthorized modification of bookings, and points to a systemic authorization gap in the API's resolver layer.
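The resolver-layer flaw the summary describes, as an added example that is not code from the Wiz article or from the affected airline: a vulnerable GraphQL-style booking resolver beside its hardened form, an authorization regression probe that walks an id range under a given principal, and a detector that flags unauthenticated id-walking in access logs. The booking store, user ids, resolver signatures and log format are constructed assumptions.

```javascript
// Constructed sample data standing in for the airline's booking table. Records are
// keyed by sequential integers, which is what made id-walking trivial.
const bookings = new Map([
  [1001, { id: 1001, ownerId: "u-alice", passenger: "Alice Example", flight: "XX123", seat: "12A" }],
  [1002, { id: 1002, ownerId: "u-bob", passenger: "Bob Example", flight: "XX456", seat: "3C" }],
]);

class AuthorizationError extends Error {}

// Vulnerable shape: the resolver trusts the client-supplied id and never looks at
// who is asking, so an unauthenticated caller can read or modify any record.
const vulnerableResolvers = {
  Query: {
    booking: (_parent, { id }, _context) => bookings.get(Number(id)) ?? null,
  },
  Mutation: {
    updateSeat: (_parent, { id, seat }, _context) => {
      const b = bookings.get(Number(id));
      if (!b) return null;
      b.seat = seat;
      return b;
    },
  },
};

// Hardened shape: every object access goes through one ownership check that
// requires an authenticated principal and compares it with the record's owner.
// A uniform "not found" error also avoids confirming which ids exist.
function loadOwnedBooking(id, context) {
  if (!context || !context.userId) throw new AuthorizationError("authentication required");
  const b = bookings.get(Number(id));
  if (!b || b.ownerId !== context.userId) throw new AuthorizationError("not found");
  return b;
}

const hardenedResolvers = {
  Query: {
    booking: (_parent, { id }, context) => loadOwnedBooking(id, context),
  },
  Mutation: {
    updateSeat: (_parent, { id, seat }, context) => {
      const b = loadOwnedBooking(id, context);
      b.seat = seat;
      return b;
    },
  },
};

// Authorization regression check: request every id in a range under the given
// context and return the ids that came back. With no principal, a correct API
// returns none; the vulnerable one returns every record that exists.
function probeIdRange(resolvers, context, from, to) {
  const readable = [];
  for (let id = from; id <= to; id++) {
    try {
      const b = resolvers.Query.booking(null, { id }, context);
      if (b) readable.push(b.id);
    } catch (e) {
      if (!(e instanceof AuthorizationError)) throw e;
    }
  }
  return readable;
}

// Detection side: flag clients that fetch many distinct booking ids without any
// credential. The log format is a constructed assumption, not the airline's.
const LOG_RE = /client=(\S+) auth=(\S+) op=booking id=(\d+)/;
function flagIdWalking(logLines, threshold) {
  const perClient = new Map();
  for (const line of logLines) {
    const m = LOG_RE.exec(line);
    if (!m || m[2] !== "none") continue;
    if (!perClient.has(m[1])) perClient.set(m[1], new Set());
    perClient.get(m[1]).add(m[3]);
  }
  return [...perClient].filter(([, ids]) => ids.size >= threshold).map(([client]) => client);
}

// Constructed access-log sample: one client walking ids with no credential,
// one authenticated client reading a single booking.
const sampleLog = [
  "2026-07-05T10:00:01Z client=203.0.113.5 auth=none op=booking id=1000",
  "2026-07-05T10:00:01Z client=203.0.113.5 auth=none op=booking id=1001",
  "2026-07-05T10:00:02Z client=203.0.113.5 auth=none op=booking id=1002",
  "2026-07-05T10:00:02Z client=203.0.113.5 auth=none op=booking id=1003",
  "2026-07-05T10:00:05Z client=198.51.100.9 auth=bearer op=booking id=1001",
];

console.log("vulnerable, unauthenticated:", probeIdRange(vulnerableResolvers, null, 1000, 1005));
console.log("hardened, unauthenticated:", probeIdRange(hardenedResolvers, null, 1000, 1005));
console.log("hardened, as u-alice:", probeIdRange(hardenedResolvers, { userId: "u-alice" }, 1000, 1005));
console.log("flagged clients:", flagIdWalking(sampleLog, 3));
```

The fix is centralised in one loader rather than repeated per resolver, which is the point of the "resolver layer" observation in the summary: once object access is funnelled through a single ownership check, a new query or mutation cannot forget it. The probe is the regression test to keep in CI so the check cannot silently regress.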

AI-extracted · verify before operational use

Indicators of Compromise (1 extracted)

Type    Value
Domain  api.[redacted]