Cyber Doc logo Cyber Doc
Cybersecurity Term

What is broken access control?

When users can access data or functions that should be restricted.

Web & Application Security Last reviewed: 2026-05-20

← Back to Learn Centre

What is broken access control?

Broken access control means an application allows users to view or change data or functions they should not have permission to access.

Simple example

A user changes an ID number in the URL and can view another customer’s record.

Why it matters

This can expose sensitive information and is one of the most common serious web application risks.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Check permissions on every sensitive request.
  • Do not rely only on hidden buttons or client-side checks.
  • Test different user roles thoroughly.
  • Use secure access-control patterns in the application.
  • Log and alert on unusual access attempts.

Reactive steps

  • Restrict access to the affected function if needed.
  • Review logs to identify exposed records or actions.
  • Fix the server-side permission checks.
  • Notify affected parties if required.
  • Retest the issue before restoring normal access.

Related terms

  • Authorisation
  • Insecure direct object reference
  • Penetration testing