AI-Generated APIs Have an IDOR Problem: 3 Patterns Cursor Misses

DEV Community·Charles Kern·about 1 month ago

TL;DR

- AI editors add authentication middleware but skip per-resource ownership checks by default
- Any logged-in user can access another user's data by guessing or incrementing an ID
- Fix: scope ownership into the DB query -- one line before you ship, not after

I was reviewing a side project built almost entirely with Cursor. Clean code. Tests passing. Already deployed. Then I spotted this:

```javascript
app.get('/api/documents/:id', authenticateToken, async (req, res) => {
  const doc = await Document.findById(req.params.id);
  res.json(doc);
});
```

The `authenticateToken` middleware ran. So the route looked protected. But there was no check that `req.user.id === doc.userId`. Any authenticated user could read any document by guessing the ID.

That's IDOR. CWE-862. And it's in almost every AI-generated API I've reviewed.

Why AI editors get this wrong

AI tools are trained on tutorials and StackOverflow answers.…
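As an added example (not code from the original post), here is the route above beside the ownership-scoped version the TL;DR recommends. Express and Mongoose are replaced by a constructed in-memory stand-in so it runs offline; `DOCS`, the `Document` object, `makeRes` and `fetchAs` are assumptions made for this example, not the post's code.

```javascript
// Constructed sample data: two users, each owning one document.
const DOCS = [
  { _id: '1', userId: 'alice', title: "Alice's notes" },
  { _id: '2', userId: 'bob', title: "Bob's notes" },
];

// Stand-in for the two Mongoose model calls used here (assumed shapes, in-memory).
const Document = {
  findById: async (id) => DOCS.find((d) => d._id === id) ?? null,
  findOne: async (q) => DOCS.find((d) => d._id === q._id && d.userId === q.userId) ?? null,
};

// Stand-in for an Express response object: records status and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// BEFORE: the pattern from the post. authenticateToken already ran, but nothing
// ties the record to the caller, so any logged-in user can read any id (CWE-862).
async function getDocumentVulnerable(req, res) {
  const doc = await Document.findById(req.params.id);
  res.json(doc);
}

// AFTER: ownership is part of the query. A record owned by someone else is
// indistinguishable from a missing one, and the handler never holds it in memory.
async function getDocumentScoped(req, res) {
  const doc = await Document.findOne({ _id: req.params.id, userId: req.user.id });
  if (!doc) return res.status(404).json({ error: 'not found' });
  return res.json(doc);
}

// Runs a handler as a given (already authenticated) user against a document id.
async function fetchAs(handler, userId, docId) {
  const req = { user: { id: userId }, params: { id: docId } };
  const res = makeRes();
  await handler(req, res);
  return { status: res.statusCode, body: res.body };
}
```

Calling `fetchAs` as `bob` for document `1` returns Alice's record from the unscoped handler and a 404 from the scoped one, while Alice still reads her own document.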
