TL;DR

- AI editors generate authenticated endpoints with no ownership verification
- Any valid JWT holder can read any other user's data by guessing an ID
- Fix: scope the query to the requesting user, or check ownership immediately after fetch

I've been reviewing side-project codebases for the past few weeks. The stack varies -- Express, FastAPI, Rails, doesn't matter. The bug is always the same.

Someone asked Cursor or Claude Code to add an API endpoint to fetch user data. The AI wrote working code. Correct query, correct response shape, even a 404 handler. What it skipped was the line that checks whether the person asking actually owns the record they're asking for.

This is IDOR -- Insecure Direct Object Reference. CWE-862. OWASP Top 10. The reason it keeps showing up in AI-generated code isn't random.

The Vulnerable Endpoint

Here's the pattern:

```javascript
// CWE-862 -- Missing Authorization
app.get('/api/documents/:id', authenticateToken, async (req, res) => {
  const doc = await Document.findById(req.…
```
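The two fixes from the TL;DR side by side with the vulnerable pattern, as an added example that is not the post's own code: plain handler functions stand in for the Express route so it runs without Express, `req.user` is assumed to be set by a JWT middleware like `authenticateToken`, and an in-memory store constructed inline replaces `Document`.

```javascript
// Constructed document store standing in for the `Document` model.
// Each record carries the id of the user who owns it.
const documents = new Map([
  ['doc-1', { id: 'doc-1', ownerId: 'alice', title: 'Alice private notes' }],
  ['doc-2', { id: 'doc-2', ownerId: 'bob', title: 'Bob draft' }],
]);

// Stand-in for `Document.findById(id)`: looks up by id only, no caller context.
function findById(id) {
  return documents.get(id) ?? null;
}

// Stand-in for a scoped query such as `Document.findOne({ _id: id, ownerId })`:
// a record that belongs to someone else is indistinguishable from a missing one.
function findByIdForOwner(id, ownerId) {
  const doc = documents.get(id);
  return doc && doc.ownerId === ownerId ? doc : null;
}

// Vulnerable handler (CWE-862): a valid token is enough to read any document.
// `req.user` is assumed to have been populated by the JWT middleware.
function getDocumentVulnerable(req) {
  const doc = findById(req.params.id);
  if (!doc) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: doc };
}

// Fix 1: scope the query to the requesting user. Answering 404 rather than 403
// also avoids confirming to the caller that a guessed id exists.
function getDocumentScoped(req) {
  const doc = findByIdForOwner(req.params.id, req.user.id);
  if (!doc) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: doc };
}

// Fix 2: fetch, then check ownership before the record is used for anything.
function getDocumentChecked(req) {
  const doc = findById(req.params.id);
  if (!doc) return { status: 404, body: { error: 'not found' } };
  if (doc.ownerId !== req.user.id) return { status: 403, body: { error: 'forbidden' } };
  return { status: 200, body: doc };
}

// Constructed request: Bob's valid token, asking for Alice's document by id.
const bobAsksForAlicesDoc = { user: { id: 'bob' }, params: { id: 'doc-1' } };
```

Only the vulnerable handler returns Alice's record for that request; the scoped version answers 404 and the post-fetch check answers 403.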