# IDOR

Insecure Direct Object Reference — the authorization-boundary class the agent ultimately hunts. But it can't test object ownership until it first becomes a legitimate user.

## Mentioned in

- [[2026-06-06]]
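
## Example: ownership check

The IDOR note's two points in one runnable check, as an added example that is not part of the original note: an anonymous request gets the same 401 from a vulnerable and a hardened handler, so only an authenticated cross-user request exposes the missing ownership check. The invoice store, session tokens and handler names are constructed for illustration.

```python
"""Added example: IDOR ownership check on a constructed in-memory invoice store."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: str


# Constructed sample data: two users, one invoice each.
INVOICES = {1001: Invoice(1001, "alice", "42.00"), 1002: Invoice(1002, "bob", "17.50")}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed session tokens


def authenticate(token):
    """Return the user name bound to a session token, or None."""
    return SESSIONS.get(token)


def get_invoice_vulnerable(token, invoice_id):
    """Authenticated, but trusts the client-supplied id: the IDOR."""
    if authenticate(token) is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_hardened(token, invoice_id):
    """Same lookup, but the object must belong to the session user."""
    user = authenticate(token)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    # Same 404 for "missing" and "not yours", so ids cannot be enumerated.
    if inv is None or inv.owner != user:
        return 404, None
    return 200, inv


def ownership_regression(handler):
    """Status codes for anonymous, own-object and cross-user requests."""
    return {
        "anonymous": handler(None, 1002)[0],
        "own": handler("tok-bob", 1002)[0],
        "cross_user": handler("tok-alice", 1002)[0],
    }


if __name__ == "__main__":
    for h in (get_invoice_vulnerable, get_invoice_hardened):
        print(h.__name__, ownership_regression(h))
```

Run as a regression test against an application's own handlers, the `cross_user` case is the one that must return a denial; the `anonymous` case passes either way.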