TL;DR

- AI-generated CRUD endpoints routinely skip ownership checks (CWE-639).
- Any authenticated user can read, modify, or delete another user's data.
- Fix: one ownership check before every data access, no exceptions.

I've been reviewing AI-assisted codebases for a while now, and one pattern keeps showing up more than any other. Not SQL injection, not hardcoded secrets -- those get caught. The one that slips through is IDOR: Insecure Direct Object Reference.

Here's what it looks like. You ask Cursor to build a task detail endpoint. It generates this:

```javascript
// CWE-639: No ownership check
app.get('/api/tasks/:id', authenticate, async (req, res) => {
  const task = await Task.findById(req.params.id);
  if (!task) return res.status(404).json({ error: 'Not found' });
  res.json(task);
});
```

The `authenticate` middleware runs. The JWT is validated. The user is "authenticated." But the handler fetches whatever ID was in the URL and returns it -- no check that `task.userId === req.user.id`.…
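To make the gap concrete, here is the same endpoint in its vulnerable form beside the fixed form, driven against an in-memory store so it runs offline. This is an added example, not code from the original post or from Cursor; `Task`, `makeRes`, `call`, and the two sample tasks are constructed stand-ins for the real model and Express objects, and the handler signature matches what Express would call.

```javascript
const tasks = [
  { id: '1', userId: 'alice', title: 'alice private task' }, // constructed sample data
  { id: '2', userId: 'bob', title: 'bob private task' },     // constructed sample data
];
const Task = {
  findById: async (id) => tasks.find((t) => t.id === id) || null,
  // Owner-scoped lookup: a foreign id is simply "not found" for this caller.
  findOne: async ({ _id, userId }) =>
    tasks.find((t) => t.id === _id && t.userId === userId) || null,
};

// Minimal stand-in for Express's res object: records status code and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// CWE-639: returns whatever task id is in the URL, regardless of who is asking.
async function getTaskVulnerable(req, res) {
  const task = await Task.findById(req.params.id);
  if (!task) return res.status(404).json({ error: 'Not found' });
  return res.json(task);
}

// Fixed: the authenticated user's id is part of the lookup itself. A non-owner gets
// the same 404 as a nonexistent id, so the response also does not confirm the id exists.
async function getTaskFixed(req, res) {
  const task = await Task.findOne({ _id: req.params.id, userId: req.user.id });
  if (!task) return res.status(404).json({ error: 'Not found' });
  return res.json(task);
}

// Invoke one handler as user `asUser` requesting task `taskId`; returns { status, body }.
async function call(handler, asUser, taskId) {
  const req = { params: { id: taskId }, user: { id: asUser } }; // what `authenticate` sets
  const res = makeRes();
  await handler(req, res);
  return { status: res.statusCode, body: res.body };
}
```

Running `call(getTaskVulnerable, 'bob', '1')` returns alice's task with a 200, while `call(getTaskFixed, 'bob', '1')` returns 404; the owner still gets a 200 from the fixed handler.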