Cyber Resilience

A01:2025 Broken Access Control

OWASP Top 10:2025 · Back to the list

Authorization decisions fail or are bypassed, letting users do or see things they shouldn't. Includes path traversal, IDOR, missing function-level access checks, and CSRF.

Related on the LLM side: OWASP Top 10 for LLMs LLM02:2025.

Member CWEs (40)

Mapped NIST 800-53 r5 controls (3)

Our two-way, human-QA’d reading of how this category and each NIST 800-53 control relate. No external body publishes an OWASP→800-53 mapping, so these are our assessment.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Tagged CVEs (showing 50 most recent of 59,810)

Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1436).