TL;DR: AI tools generate authenticated routes but routinely skip ownership validation -- any logged-in user can access any resource by ID. This is CWE-639 (IDOR / Broken Access Control) and it's the most common bug class I find in Cursor-generated APIs. One check after every findById call fixes the ...
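The pattern described above, shown as an added example that is not from the original post: an Express-style handler that authenticates but skips the ownership check, beside the same handler with the one check after `findById`. The in-memory `Invoice` model, the `ownerId` field and the sample data are constructed stand-ins for a Mongoose model so the code runs offline.

```javascript
// Constructed sample data: two users, each owning one invoice.
const invoices = [
  { _id: 'inv-1', ownerId: 'user-A', total: 120 },
  { _id: 'inv-2', ownerId: 'user-B', total: 999 },
];

// Constructed stand-in for a Mongoose model. A real findById is awaited;
// this one is synchronous so the example runs without a database.
const Invoice = {
  findById: (id) => invoices.find((inv) => inv._id === id) || null,
};

// Vulnerable handler (CWE-639): the auth middleware has set req.user, so the
// route is "authenticated", but nothing ties the record to the caller.
// Any logged-in user can read any invoice by supplying its ID.
function getInvoiceVulnerable(req) {
  const invoice = Invoice.findById(req.params.id);
  if (!invoice) return { status: 404, body: null };
  return { status: 200, body: invoice };
}

// The missing check: the loaded document must belong to the caller.
// Comparing as strings avoids ObjectId-vs-string mismatches in Mongoose.
function isOwner(doc, userId) {
  return doc !== null && String(doc.ownerId) === String(userId);
}

// Fixed handler: one ownership check directly after findById.
// A 404 (not 403) for someone else's record avoids confirming that the
// ID exists, which would otherwise help enumeration.
function getInvoiceFixed(req) {
  const invoice = Invoice.findById(req.params.id);
  if (!isOwner(invoice, req.user.id)) return { status: 404, body: null };
  return { status: 200, body: invoice };
}

// Constructed request: user-A asks for user-B's invoice.
const crossUserRequest = { user: { id: 'user-A' }, params: { id: 'inv-2' } };

console.log('vulnerable:', getInvoiceVulnerable(crossUserRequest).status); // 200
console.log('fixed:     ', getInvoiceFixed(crossUserRequest).status);      // 404
```

In a real Express app the same two lines go after every `findById` (or the query is scoped with `findOne({ _id, ownerId })`), which is exactly the step the generated code omits.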
Source: [Dev.to](https://dev.to/chandan_karn_fb750e731394/idor-in-ai-generated-apis-the-ownership-check-cursor-always-skips-42bm)