Summary

An Insecure Direct Object Reference (IDOR) vulnerability exists in the Purchase Order cancellation endpoint at service-goauth.mokapos.com. An authenticated user can cancel another user's Purchase Order by replacing the PO ID in the cancellation request.

The server does not verify ownership or authorization of the targeted PO resource.

Affected Endpoint

PUT /purchase-order/v1/ingredient-purchase-order/{PO_ID}/cancel

Users

  • User A — Victim
  • User B — Attacker

Steps to Reproduce

1. User A logs in to https://backoffice.mokapos.com
2. Navigate to INVENTORY → Purchase Order (PO)
3. Create a new Purchase Order and note the PO ID
4. User B logs in to https://backoffice.mokapos.com
5. Navigate to INVENTORY → Purchase Order (PO)
6. Create a PO
7. Open the PO detail page → Click More → Cancel PO while intercepting the request
8. The following request is captured:

PUT /purchase-order/v1/ingredient-purchase-order/USER_B_PO_ID/cancel HTTP/2
Host: service-goauth.mokapos.com
Authorization: ATTACKER_TOKEN
Outlet-Id: 1141719
Content-Length: 0

9. Replace USER_B_PO_ID with User A's PO ID
10. Send the modified request
11. Server responds with:

200 OK

12. When User A refreshes the page, the PO status changes from "Waiting for Fulfillment" → "Cancelled"
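The missing check, shown as an added illustration rather than Moka's own code: a cancel handler that looks the PO up by its ID alone (the behaviour the steps above demonstrate) beside one that scopes the lookup to the caller's tenant. The PO model, the outlet field, the in-memory store and the sample IDs are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed minimal PO model; field names are assumptions, not the vendor's schema.
type PurchaseOrder struct {
	ID, OutletID, Status string // OutletID is the tenant that created the PO
}

type Store map[string]*PurchaseOrder // in-memory stand-in for the PO table

var ErrNotFound = errors.New("purchase order not found")

// CancelVulnerable mirrors the report: lookup by ID alone, so any authenticated caller can cancel any PO.
func CancelVulnerable(s Store, poID string) error {
	po, ok := s[poID]
	if !ok {
		return ErrNotFound
	}
	po.Status = "Cancelled"
	return nil
}

// CancelHardened scopes the lookup to the caller's outlet (taken from the server-side
// session, not from a client-supplied header). One error covers both "missing" and
// "not yours", so the endpoint does not confirm that another tenant's PO ID exists.
func CancelHardened(s Store, callerOutletID, poID string) error {
	po, ok := s[poID]
	if !ok || po.OutletID != callerOutletID {
		return ErrNotFound
	}
	po.Status = "Cancelled"
	return nil
}

// NewSampleStore returns constructed sample data: one PO per outlet.
func NewSampleStore() Store {
	return Store{
		"PO-A": {ID: "PO-A", OutletID: "outlet-A", Status: "Waiting for Fulfillment"},
		"PO-B": {ID: "PO-B", OutletID: "outlet-B", Status: "Waiting for Fulfillment"},
	}
}

func main() {
	s := NewSampleStore()
	fmt.Println(CancelVulnerable(s, "PO-A"))           // <nil>: any caller can cancel PO-A
	fmt.Println(CancelHardened(s, "outlet-B", "PO-A")) // purchase order not found
}
```

The same tenant-scoped lookup belongs on every PO endpoint (read, update, receive), not only on cancel, since each is reachable by the same guessable ID.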

Impact

  • Unauthorized cancellation of other users' Purchase Orders
  • Business logic abuse and operational disruption
  • Potential financial loss due to cancelled procurement workflows

Timeline

February 5, 2026: Submit Report
February 5, 2026: Under Review
February 8, 2026: Out of Scope
