## TL;DR

- Cursor generates authenticated API routes with no ownership verification by default.
- This creates IDOR (CWE-639): any logged-in user can read or delete any other user's data.
- The fix is 3 lines: check `resource.userId === req.user.id` before returning anything.

I was reviewing a friend's side project last week. TypeScript, Prisma, built almost entirely in Cursor. Clean code, good structure, auth middleware on every route.

I asked him to pull up his `/api/documents/:id` endpoint. No ownership check. User 42 could request `/api/documents/1` and get user 1's private documents back with a 200. No error. No log. Just data.

He had no idea -- Cursor never flagged it.

## The Vulnerable Code Pattern (CWE-639)

Prompt Cursor with "create a GET endpoint to fetch a document by ID" and you'll get something like this:

```typescript
// ❌ CWE-639: No ownership verification
app.get('/api/documents/:id', authenticate, async (req, res) => {
  const doc = await prisma.document.findUnique({
    where: { id: req.params.…
```
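The scenario above, replayed end to end as an added example (this is not code from the post or from Cursor's output). Express and the Prisma client are replaced by small in-memory stand-ins so it runs offline; the documents, user ids and request shapes are constructed. It shows the vulnerable handler beside two fixes: the post's ownership check, and an alternative that scopes the Prisma query to the caller with `findFirst` so the condition lives in the query itself. Returning 404 for "not yours" as well as "missing" is a design choice made here, not something the post specifies.

```typescript
// Added example, not code from the original post. In-memory stand-ins for
// Prisma and Express replace the real libraries so this runs offline; the
// data, user ids and route shapes are constructed for the demonstration.

interface Doc {
  id: number;
  userId: number;
  title: string;
}

// Constructed sample data: document 1 belongs to user 1, document 2 to user 42.
const documents: Doc[] = [
  { id: 1, userId: 1, title: "user 1 private notes" },
  { id: 2, userId: 42, title: "user 42 todo list" },
];

// Stand-in for the Prisma client: mirrors the argument shape of
// prisma.document.findUnique / findFirst for the fields used here.
const prisma = {
  document: {
    findUnique: async (args: { where: { id: number } }): Promise<Doc | null> =>
      documents.find((d) => d.id === args.where.id) ?? null,
    findFirst: async (args: { where: { id: number; userId: number } }): Promise<Doc | null> =>
      documents.find((d) => d.id === args.where.id && d.userId === args.where.userId) ?? null,
  },
};

// Minimal request/response shapes; `user` is what the auth middleware attaches.
interface Req { params: { id: string }; user: { id: number } }
interface Res { status: number; body: unknown }

// The pattern from the post: authenticated, but no ownership check (CWE-639).
async function getDocumentVulnerable(req: Req): Promise<Res> {
  const doc = await prisma.document.findUnique({ where: { id: Number(req.params.id) } });
  if (!doc) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: doc }; // hands back any user's document
}

// Fix 1: the post's check before anything is returned. A missing document and
// someone else's document get the same 404, so the response does not reveal
// which ids exist (design choice here, not from the post).
async function getDocumentOwned(req: Req): Promise<Res> {
  const doc = await prisma.document.findUnique({ where: { id: Number(req.params.id) } });
  if (!doc || doc.userId !== req.user.id) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: doc };
}

// Fix 2: scope the query itself to the caller, so the ownership condition
// cannot be forgotten by a later code path that reuses the lookup.
async function getDocumentScoped(req: Req): Promise<Res> {
  const doc = await prisma.document.findFirst({
    where: { id: Number(req.params.id), userId: req.user.id },
  });
  if (!doc) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: doc };
}

// Replays the post's scenario: user 42 asks for document 1 (cross-user), then
// for document 2 (their own). Returns [crossUserStatus, ownStatus] per handler.
async function replay(): Promise<Record<string, [number, number]>> {
  const crossUser: Req = { params: { id: "1" }, user: { id: 42 } };
  const own: Req = { params: { id: "2" }, user: { id: 42 } };
  return {
    vulnerable: [(await getDocumentVulnerable(crossUser)).status, (await getDocumentVulnerable(own)).status],
    owned: [(await getDocumentOwned(crossUser)).status, (await getDocumentOwned(own)).status],
    scoped: [(await getDocumentScoped(crossUser)).status, (await getDocumentScoped(own)).status],
  };
}

replay().then((r) => console.log(r));
```

Running it prints `vulnerable: [200, 200]` against `owned: [404, 200]` and `scoped: [404, 200]`: the vulnerable handler serves user 1's document to user 42 with a 200, exactly the failure described above, while both fixes refuse it and still serve the caller's own document. The scoped variant is worth preferring in a code base where the same lookup is reused, because the `userId` condition travels with the query instead of depending on every caller remembering the `if`.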