Missing Authorization
An endpoint enforces authentication but not authorisation — any logged-in user can access any other user's data.
GateTest coverage
Caught by: authFlaws
Example
    app.get('/api/users/:id/orders', authMiddleware, async (req, res) => {
      // authenticated, but req.params.id is never compared to req.user.id
      res.json(await db.query('SELECT * FROM orders WHERE user_id = $1', [req.params.id]));
    });

Any logged-in user can read any user's orders: authMiddleware establishes who the caller is, but nothing checks that the caller owns the :id in the path.

How to fix it
On every endpoint that returns user-owned data, compare req.user.id to the requested record's owner. Test with two real accounts.
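The vulnerable handler above beside two hardened forms, exercised with two accounts as the fix recommends; this is an added example, not GateTest's or the page's code, and the in-memory `db`, the `ordersByUser`/`orderById` helpers and the Express-like req/res stubs are constructed assumptions. It goes one step beyond the page's route by also covering the case where the owner must be read from the record rather than from the URL.

```javascript
// Added example (not GateTest's code). `db` and the req/res objects below are
// constructed stand-ins so the handlers run without a server or database.
const ordersTable = [ // constructed sample data: two accounts, one order each
  { id: 101, user_id: 'alice', total: 40 },
  { id: 102, user_id: 'bob', total: 99 },
];
const db = { // stand-in for the SQL client, synchronous so it runs without I/O
  ordersByUser: (userId) => ordersTable.filter((o) => o.user_id === userId),
  orderById: (id) => ordersTable.find((o) => o.id === id),
};

// Vulnerable, as on the page: authMiddleware has set req.user, but nothing
// compares it to the :id in the path, so any caller can name any user.
function listOrdersVulnerable(req, res) {
  res.json(db.ordersByUser(req.params.id));
}

// Fix 1, owner named in the path: the caller may only read their own orders.
function listOrdersFixed(req, res) {
  if (req.user.id !== req.params.id) {
    return res.status(403).json({ error: 'forbidden' });
  }
  res.json(db.ordersByUser(req.params.id));
}

// Fix 2, owner stored on the record: load it, then compare its user_id to the
// authenticated principal. One 404 for "missing" and "not yours" avoids
// confirming that another user's order id exists.
function getOrderFixed(req, res) {
  const order = db.orderById(Number(req.params.orderId));
  if (!order || order.user_id !== req.user.id) {
    return res.status(404).json({ error: 'not found' });
  }
  res.json(order);
}

// Minimal fake of Express's req/res so each handler can be exercised with a
// chosen authenticated user, as in the two-account test the fix recommends.
function call(handler, authUserId, params) {
  const req = { user: { id: authUserId }, params };
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  handler(req, res);
  return res;
}
```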
Scan your repo for CWE-862
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-862 (Missing Authorization)?
An endpoint enforces authentication but not authorisation — any logged-in user can access any other user's data.
How do I fix missing authorization?
On every endpoint that returns user-owned data, compare req.user.id to the requested record's owner. Test with two real accounts.
Does GateTest detect missing authorization?
Yes — GateTest's authFlaws module catches this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Missing Authorization in the CWE Top 25?
Missing Authorization is ranked #11 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).