Broken Access Control (BAC) is always my favorite, and most of my bounties come from this vulnerability. It always fascinates me to bypass the intended flow and think creatively from a full 360° perspective.

I found a simple yet impactful BAC in a popular SaaS application.

After selecting the target, I enabled the Burp proxy and, rather than rushing to find bugs, manually walked through the site, noting the roles, restrictions, etc.

I always start by assigning the lowest role to a user, checking what restrictions apply to him and how I can bypass them (of course, impact matters).

Steps to Reproduce:

  1. From the owner account, create two projects, project1 and project2.
  2. Invite a user to project1.
  3. He does not have any access to project2 (as expected).
  4. But when I navigate to the "all projects" section, it has a search bar.
  5. I simply type "p" and the project2 name becomes visible as well.
  6. Checking the Burp response, it exposes other metadata and important information related to project2.

The search endpoint matches the query against every project instead of only the projects the requesting user is a member of, so a user invited to project1 can enumerate project2 by name and read its metadata and other sensitive fields straight from the response. That is exposure of project metadata and sensitive information, ultimately leading to unauthorized project access.
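To make the failing check concrete, here is an added example (not the vendor's code; project names, ids, user ids and the "plan" / "internal_note" fields are assumptions for illustration) of a project search handler in the shape the write-up describes, next to a hardened version and a small authorization check you can run against either. The vulnerable handler filters by name prefix over every project; the fixed one narrows the candidate set to the caller's memberships before matching, so a non-member cannot even learn that a name exists.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data mirroring the write-up: one owner (id 100) with two
# projects, and an invited user (id 200) who is a member of project1 only.
# All names, ids and metadata fields are assumptions for this example.

@dataclass(frozen=True)
class Project:
    id: int
    owner_id: int
    name: str
    plan: str           # stands in for the "other metadata" the response leaked
    internal_note: str  # stands in for the sensitive information


PROJECTS = [
    Project(1, 100, "project1", "team", "shared staging credentials in wiki"),
    Project(2, 100, "project2", "enterprise", "acquisition due-diligence data room"),
    Project(3, 100, "archive", "free", "nothing interesting"),
]

# project id -> ids of users allowed to see it (owner plus invitees)
MEMBERSHIPS = {1: {100, 200}, 2: {100}, 3: {100}}


def serialize(p: Project) -> dict:
    """What the search API puts in its JSON response for one project."""
    return {"id": p.id, "name": p.name, "plan": p.plan, "internal_note": p.internal_note}


def search_projects_vulnerable(user_id: int, query: str) -> list[dict]:
    """The behaviour observed in the write-up: the prefix match runs over
    every project and the caller's membership is never consulted."""
    q = query.lower()
    return [serialize(p) for p in PROJECTS if p.name.lower().startswith(q)]


def search_projects_fixed(user_id: int, query: str) -> list[dict]:
    """Hardened version: restrict the candidate set to the caller's projects
    *before* matching, so the response can only ever contain projects the
    user is a member of, whatever the query."""
    q = query.lower()
    visible = [p for p in PROJECTS if user_id in MEMBERSHIPS.get(p.id, set())]
    return [serialize(p) for p in visible if p.name.lower().startswith(q)]


def leaked_project_ids(user_id: int, query: str,
                       search: Callable[[int, str], list[dict]]) -> list[int]:
    """Authorization check for a search endpoint: every returned project the
    user is not a member of is a leak. An empty list means the endpoint passes."""
    return sorted(r["id"] for r in search(user_id, query)
                  if user_id not in MEMBERSHIPS.get(r["id"], set()))


if __name__ == "__main__":
    invited_user = 200  # member of project1 only
    for label, fn in (("vulnerable", search_projects_vulnerable),
                      ("fixed", search_projects_fixed)):
        names = [r["name"] for r in fn(invited_user, "p")]
        print(f"{label}: query 'p' -> {names}, "
              f"leaked ids: {leaked_project_ids(invited_user, 'p', fn)}")
```

The check in `leaked_project_ids` is the same thing the write-up did by hand in Burp: log in as the least-privileged user, send a broad query, and compare every id in the response against what that user is actually a member of. Doing the membership filter in the query (or the database `WHERE` clause) rather than trimming the result set afterwards also closes the enumeration side channel, since a non-member gets the same empty result for an existing name as for a nonexistent one.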

Timeline:

Reported: 14/02/2026 — Valentine's Day 😅

Triaged: 18/02/2026

Fixed & Retest: 24/02/2026

Rewarded: 01/04/2026