Broken Object Level Authorization
GET /api/orders/{id} returns any user's order when the
object ID is changed. No ownership check on the resource.
$ curl -H "Authorization: Bearer $TOKEN" \
https://api.acme.io/orders/1042
→ 200 OK // order belongs to another tenant Scope the query to the authenticated principal — verify the order's owner before returning it.