wiz · Crawled Jul 5, 2026
The Red Agent POV: Exploiting Broken Object-Level Authorization in an Airline GraphQL API
1 IoC
AI Summary
The Red Agent, an autonomous AI-powered security testing tool, discovered a critical Broken Object-Level Authorization (BOLA) vulnerability in an airline's public GraphQL booking API. By exploiting sequential integer identifiers without backend authorization checks, the agent gained unauthenticated access to sensitive passenger data, including personal information, contact details, billing addresses, and active flight itineraries. The vulnerability allowed full read and write capabilities, enabling data exfiltration and unauthorized modifications to bookings, demonstrating a systemic authorization flaw in the API's resolver layer.
AI-extracted · verify before operational use
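As an added example, not code from this page or from the article it summarizes, the resolver-layer flaw the summary describes: a GraphQL-style booking resolver that trusts the client-supplied sequential id (so any id resolves for any caller, read and write) beside a hardened version that authenticates the caller and checks object ownership before returning or modifying the record. The in-memory store, ids, user ids and resolver names are constructed for the illustration.

```javascript
// Constructed store keyed by sequential integer ids, as in the summarized API.
const bookings = new Map([
  [1001, { id: 1001, ownerId: "u-alice", passenger: "A. Example", itinerary: "AAA->BBB" }],
  [1002, { id: 1002, ownerId: "u-bob", passenger: "B. Example", itinerary: "CCC->DDD" }],
]);

// Vulnerable resolvers: the id from the query is used as-is and context.user is
// never consulted, so an unauthenticated caller can read or change any booking.
function bookingVulnerable(_parent, { id }, _context) {
  return bookings.get(Number(id)) ?? null;
}
function updateBookingVulnerable(_parent, { id, itinerary }, _context) {
  const b = bookings.get(Number(id));
  if (!b) return null;
  b.itinerary = itinerary;
  return b;
}

// Hardened resolvers: require an authenticated principal, then authorize the
// specific object against that principal before any read or write.
class AuthorizationError extends Error {}
function loadOwnedBooking(id, context) {
  if (!context || !context.user) throw new AuthorizationError("unauthenticated");
  const b = bookings.get(Number(id));
  // Same error for "missing" and "owned by someone else" so a caller cannot
  // distinguish valid ids from invalid ones by enumerating them.
  if (!b || b.ownerId !== context.user.id) throw new AuthorizationError("not found");
  return b;
}
function bookingSecure(_parent, { id }, context) {
  return loadOwnedBooking(id, context);
}
function updateBookingSecure(_parent, { id, itinerary }, context) {
  const b = loadOwnedBooking(id, context); // authorization happens before the write
  b.itinerary = itinerary;
  return b;
}
```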
Indicators of Compromise (1 extracted)
| Type | Value | Detail |
|---|---|---|
| Domain | api.[redacted] | redacted in source |