A01:2025 — Broken Access Control

Q: What is Broken Access Control (OWASP A01:2025)?

Broken Access Control is the #1 OWASP 2025 risk. It occurs when users can act outside their intended permissions — accessing other users' data, escalating privileges, bypassing security checks, or exploiting SSRF to access internal resources.

Verified by Precogs Threat Research

OWASP Web 2025Rank #1

What is Broken Access Control (OWASP A01:2025)?

Failures in access control enforcement that let users act outside their intended permissions. This includes bypassing access checks by modifying URLs, APIs, or internal application state; viewing or editing another user's account; privilege escalation; CORS misconfiguration; and SSRF (now consolidated into A01 from the previous A10).

Impact

The #1 risk in OWASP 2025, maintaining its top position from 2021. 94% of tested applications had some form of broken access control. Now also encompasses SSRF risks. Leads to unauthorized data disclosure, modification, or destruction.

Related CWEs

CWE-200 — View in Precogs Hub
CWE-284 ↗
CWE-285 ↗
CWE-352 ↗
CWE-639 ↗
CWE-918 — View in Precogs Hub

How Precogs AI Addresses A01

Precogs AI detects broken access control patterns in both source code and compiled applications, identifying missing authorization checks, IDOR vulnerabilities, SSRF vectors, and privilege escalation paths.

Scan for A01 Risks Book a demo

A01:2025 — Broken Access Control

What is Broken Access Control (OWASP A01:2025)?

Impact

Related CWEs

Risk Overview

Quick Links

Protect Against A01

How Precogs AI Addresses A01

A01:2025 — Broken Access Control

What is Broken Access Control (OWASP A01:2025)?

Impact

Related CWEs

Related Resources

🔍 Related CWE Entries

🛡️ Notable Vulnerabilities

🔗 External References

Risk Overview

Quick Links

Protect Against A01

How Precogs AI Addresses A01