A fully autonomous AI agent exposed the complete passenger database of a major airline’s booking system in 15 minutes by exploiting a Broken Object-Level Authorization (BOLA) flaw, cloud security firm Wiz reported.
According to Wiz, its “Red Agent” tool started with nothing but a root URL — no credentials, no API documentation — and reverse-engineered the airline’s authentication flow from client-side JavaScript.
It minted a valid anonymous session token, then ran a GraphQL introspection query that revealed 514 queries and 428 mutations exposed to that unauthenticated session. The agent flagged mutations accepting simple sequential integer IDs, tested 20 consecutive booking numbers, and pulled back a distinct, fully identifiable customer record — name, date of birth, billing address, masked card number and live itinerary — for every single request.
Beyond read access, the exposed mutations also permitted write actions: altering contact emails to hijack accounts, deleting flight segments, zeroing out fares through a price-override function, and issuing unauthorized refunds, per Wiz’s published mutation table.
BOLA has held the No. 1 spot on the OWASP API Security Top 10 since the list’s 2019 inception, according to OWASP’s published ranking. That means the underlying flaw class predates this incident by years even as autonomous exploitation speed is new.
Separately, IBM’s 2025 Cost of a Data Breach Report found that breaches involving compromised credentials and access-control gaps remain among the costliest categories industry-wide, with the global average breach now costing $4.44 million and U.S. breaches averaging $10.22 million — context for the stakes of the access-control failure Wiz describes, even though IBM’s report does not break out airline-specific figures.
Wiz’s account is notable less for the vulnerability class — a missing backend authorization check on predictable IDs is a known, common flaw — than for the absence of human steering.
The company says the agent independently formed and tested hypotheses across multiple phases: client-side reconnaissance, token-flow replay, schema introspection and exploit confirmation, without a human directing each step.
The disclosure is in line with agentic AI’s dual-use security implications, including Microsoft’s own production data on autonomous threat-hunting agents at and prior reporting on API and cloud exposure tied to Microsoft’s own advisories.
The common theme: automation is accelerating on offense and defense simultaneously, and basic object-level access controls remain the most common gap attackers — human or automated — continue to find.
Wiz’s full technical writeup includes curl-based reproduction steps and its mutation impact table.
Photo by Anete Lūsiņa on Unsplash