Missing Authorization (CWE-862) - Security Vulnerability

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource. When authorization checks are completely missing, any authenticated user can access protected resources.

Prevalence

High

Frequently exploited

Impact

High

3 high-severity rules

Prevention

Documented

3 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Missing Authorization based on 3 Shoulder detection rules.

🐹 Go View all Go details →

LLM Excessive Agency HIGH

Require human approval for sensitive operations and limit agent loop iterations

+12 -1 go

- for _, toolCall := range resp.Choices[0].Message.ToolCalls {
+ var sensitiveOps = map[string]bool{
+     "deleteUser": true, "transferFunds": true, "sendEmail": true,
+ }
+ 
+ for i, toolCall := range resp.Choices[0].Message.ToolCalls {
+     if i >= maxIterations {
+         break
+     }
+     if sensitiveOps[toolCall.Function.Name] {
+         queueForApproval(toolCall)
+         continue
+     }
      result, _ := tools[toolCall.Function.Name](toolCall.Function.Arguments)
      results = append(results, result)
  }

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Missing Authorization patterns. 3 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=862

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

🐹 Go 1 rules

LLM Excessive Agency HIGH

Detects LLM implementations with excessive autonomy allowing destructive operations without human approval.

🟨 Javascript 1 rules

LLM Excessive Agency HIGH

Detects LLM implementations with excessive autonomy that can lead to unintended consequences. OWASP LLM08 - Excessive Agency. Excessive agency occurs when LLMs are granted: - Ability to perform destructive operations without confirmation - Auto-execution of LLM-generated code or commands - Direct database modifications without approval - Financial transactions without human oversight - Email/communication sending without review This rule detects: - Auto-execution of tool calls without human approval - Destructive operations (delete, update, send) without confirmation - Autonomous agent loops without termination controls - Missing human-in-the-loop for sensitive operations

🔷 Typescript 1 rules

LLM Excessive Agency HIGH

🐍 Python 1 rules

LLM Excessive Agency HIGH

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Missing Authorization vulnerabilities. Look for these during code reviews and security audits.

🟠

Excessive LLM agency detected: ... go-llm-excessive-agency

🟠

LLM implementations with excessive autonomy allowing destructive operations without human approval go-llm-excessive-agency

🔍

Scan your codebase for Missing Authorization

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules