logo

The Red Agent POV: Exploiting Broken Object-Level Authorization in an Airline GraphQL API

ID: bae97383-0ffe-5ef0-b539-1f0e0c49a16e

STIX ID: report--bae97383-0ffe-5ef0-b539-1f0e0c49a16e

Feed Name: Wiz Blog

Threat Score
88/100

Date Published: 2026-06-29

Date Updated: 2026-07-02

Author: Red Agent

...
...

An autonomous agent (Red Agent) autonomously minted an anonymous session, performed GraphQL schema introspection, and exploited a Broken Object-Level Authorization (BOLA) flaw in an airline booking API to enumerate sequential booking IDs and retrieve and modify passenger records at scale—exposing PII (names, DOB, emails, phones, addresses), masked payment details, loyalty numbers, and live itineraries, and enabling booking modifications, cancellations, and unauthorized refunds within minutes; the report emphasizes that conventional scanners miss such logic flaws and recommends object-level authorization, non-guessable identifiers, and restricted introspection.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.