Broken Object Level Authorization
Broken Object Level Authorization is the API-focused version of IDOR: an API endpoint accepts an object identifier but never verifies the caller is allowed to access that object. Attackers enumerate identifiers to pull other users' records at scale. It sits at the top of the OWASP API Security Top 10 because modern apps expose so much data through APIs.