BugForge - Daily - Cafe Club (Repeat)

This is a repeat of the daily challenge from February 8th, 2026.
Vulnerability Overview

The Cafe Club application contains an Insecure Direct Object Reference (IDOR) vulnerability in the profile password update functionality. The password change request includes the user’s ID as a parameter in the payload, and the server uses this client-supplied ID to determine which account to update without verifying that the authenticated user is authorized to modify that account. By intercepting the request with Caido and changing the user ID parameter to 1 (the admin account), an attacker can overwrite the administrator’s password and gain full access, revealing the flag.

Key Issues:

  • The server accepts a user-supplied ID in the password change request instead of deriving it from the authenticated session
  • No object-level authorization check verifies ownership between the session identity and the target user ID
  • Any authenticated user can modify any other user’s password by simply changing the ID parameter
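The pattern above, written out as an added example (this is not the Cafe Club application's code, whose framework and schema are not shown). The vulnerable handler takes the target account from the request body, exactly the weakness described; the fixed handler derives the target from the authenticated session, ignores any body-supplied ID for authorization, and additionally requires the current password. A small detection helper flags requests whose body ID disagrees with the session identity, which is the tampering an IDOR probe produces. The user table, usernames and passwords are constructed for the example.

```python
"""Added example, not code from the BugForge Cafe Club challenge: a profile
password-update handler modelled two ways, the IDOR pattern and the fix."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # illustrative work factor; tune for the deployment


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_users() -> dict:
    """Constructed in-memory user table. Account 1 is the admin, as in the challenge."""
    users = {}
    for user_id, username, password in ((1, "admin", "admin-initial-pw"),
                                        (2, "alice", "alice-initial-pw")):
        salt = os.urandom(16)
        users[user_id] = {"username": username, "salt": salt,
                          "pw_hash": _hash_password(password, salt)}
    return users


def verify_password(users: dict, user_id: int, password: str) -> bool:
    rec = users[user_id]
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))


def _store_password(users: dict, user_id: int, new_password: str) -> None:
    salt = os.urandom(16)
    users[user_id]["salt"] = salt
    users[user_id]["pw_hash"] = _hash_password(new_password, salt)


def change_password_vulnerable(users: dict, session_user_id: int, payload: dict) -> int:
    """IDOR pattern: the session is only checked for being logged in, and the
    account that gets updated comes from the request body (CWE-639)."""
    if session_user_id not in users:
        raise PermissionError("not authenticated")
    target_id = int(payload["user_id"])  # client-controlled key, never checked against the session
    _store_password(users, target_id, payload["new_password"])
    return target_id


def change_password_fixed(users: dict, session_user_id: int, payload: dict) -> int:
    """Fixed handler: the target account is always the authenticated user, so a
    user_id in the body has no effect; the current password is also required."""
    if session_user_id not in users:
        raise PermissionError("not authenticated")
    if not verify_password(users, session_user_id, payload.get("current_password", "")):
        raise PermissionError("current password required to change password")
    _store_password(users, session_user_id, payload["new_password"])
    return session_user_id


def is_idor_probe(session_user_id: int, payload: dict) -> bool:
    """Detection signal for logging/alerting: a body-supplied user_id that
    differs from the session identity is the tampering the writeup describes."""
    return "user_id" in payload and str(payload["user_id"]) != str(session_user_id)


if __name__ == "__main__":
    # Session belongs to user 2, body names user 1: the vulnerable handler
    # updates the admin account, the fixed one updates only the caller.
    tampered = {"user_id": "1", "current_password": "alice-initial-pw",
                "new_password": "new-pw"}
    users = make_users()
    print("vulnerable updated:", change_password_vulnerable(users, 2, tampered))
    users = make_users()
    print("fixed updated:", change_password_fixed(users, 2, tampered))
    print("flagged as probe:", is_idor_probe(2, tampered))
```

The fix is the absence of a lookup: the handler never reads an account identifier from the client at all, so there is no ownership comparison to get wrong. Where an endpoint legitimately must accept a target ID (an admin resetting another user's password), the comparison against the session identity, or an explicit role check, has to happen before the write.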

Vulnerabilities Covered

  • Insecure Direct Object Reference (IDOR)
  • Broken Access Control

Classification

  • OWASP Top 10: A01:2021 - Broken Access Control
  • Vulnerability Type: Insecure Direct Object Reference (IDOR)
  • Attack Surface: Profile password update API endpoint
  • CWE: CWE-639 - Authorization Bypass Through User-Controlled Key

This post is licensed under CC BY 4.0 by the author.