TL;DR

- AI editors generate routes that fetch resources by ID with no ownership check: classic IDOR (CWE-639, Authorization Bypass Through User-Controlled Key).
- The pattern is everywhere in vibe-coded apps: any authenticated user can read any other user's data.
- One extra condition in the DB query fixes it. The problem is that the AI doesn't add it unless you ask.

I reviewed a side project last month. Node/Express backend, Cursor-generated, clean structure, well-commented. The developer was proud of their auth setup: JWT tokens, bcrypt passwords, protected routes. Proper stuff.

Then I hit /api/orders/1. Logged in as user 847, I got back user 1's order. All of it: name, address, items, total. Switched to /api/orders/2. Same result.

The API was authenticated; you needed a valid JWT to reach it. But it didn't care whose JWT you had. The middleware answered "who is this?" and nothing answered "is this user allowed to see this order?".

This is IDOR: Insecure Direct Object Reference. The OWASP API Security Top 10 lists it at #1 as API1, Broken Object Level Authorization (BOLA), which is the API-world name for the same flaw. And AI editors reproduce it on every resource endpoint they generate.…