The correct fix — server-side role verification on every endpoint:
Every API endpoint checks the authenticated session role before processing the request. Middleware approach: a single function wraps every protected route and returns 403 Forbidden if the role does not match.
Code example (Node.js middleware):
function requireRole(role) {
return (req, res, next) => {
if (req.session.role !== role) return res.status(403).json({error: 'Forbidden'});
next();
};
}
app.post('/api/admin/transfer', requireRole('admin'), handler);
Defence in depth:
Log all access denials — they indicate probing
Rate limit repeated 403 responses from the same IP
Use an allowlist approach: default deny, explicitly allow
Regular access control audits — check every endpoint
Notable CVEs:
CVE-2019-5736 — runc container escape, broken access to host
CVE-2021-41773 — Apache HTTP Server path traversal, CVSS 9.8
CVE-2022-0492 — Linux cgroups privilege escalation
2023 — MOVEit Transfer: A broken access control vulnerability allowed unauthenticated users to access the admin API. Over 2,000 organisations affected. 95 million individuals had data exposed. Total damages estimated at $10 billion. One missing role check on one API endpoint.