THREATOPS
THREAT OPSThreat News › The Red Agent POV: Exploiting Broken Object-Level Authorization in an Airline GraphQL API

The Red Agent POV: Exploiting Broken Object-Level Authorization in an Airline GraphQL API

lowwiz_researchPublished 2026-06-29

Part 2: How the Red Agent bypassed backend resolvers to expose an entire airline booking database in fifteen minutes

Original source: https://www.wiz.io/blog/red-agent-pov-bola