The 5 Most Common API Vulnerabilities in 2026

APIs are the modern doorway for systems to share data, but this common pathway is often unlocked. As a result, over the past two years, we’ve witnessed a string of API security incidents, including headline-worthy API exploits at 23andMe, Avelo Airlines, Authy, Optus, Trello, Volkswagen, WhatsApp, and others.

42Crunch recently released its State of API Security 2026 report, which offers a data-driven analysis of these vulnerabilities and many others, totaling 200 real-world production vulnerabilities.

The data helps paint a picture of the root causes behind some of the biggest cybersecurity breaches in recent years. Below, we look at the most common risks across all reports and highlight the security recommendations for API developers going forward.

About the Report

The State of API Security 2026 report draws on API vulnerabilities reported from 2024–2025 in the APIsecurity.io newsletter, which routinely features the latest API breaches and exploits throughout the industry.

Interestingly, the kinds of vulnerabilities are largely consistent across sectors. Although API breaches are most common at cloud and developer platforms, making up about 20% of reports, this is closely followed by reports within other industries, too, like e-commerce, IoT, security and identity, and social apps.

By exploiting the common API access-related vulnerabilities described below, attackers have been able to expose sensitive data and credentials or enumerate user information, leading to the exposure of millions of customer records.

1. Broken Authentication

Broken authentication was the most common type of API vulnerability, found within 23.5% of all vulnerabilities reported by APISecurity.io. Broken authentication means that endpoints do not appropriately apply authentication, in the form of credentials, tokens, or keys, to protect access.

Of the API vulnerabilities related to authentication, over half the reports were due to missing authentication entirely, with the rest either having weak authentication or allowing some sort of authentication bypass.

The UK healthcare system and Intel have been subject to this flaw recently. Many of these reports arise simply from attackers enumerating different URL strings for commonly used API paths.

2. Broken Object-Level Authorization (BOLA)

Next up is broken object-level authorization (BOLA), which was found in 12.5% of API vulnerability reports. BOLA means that APIs do not verify whether a caller has the permissions to access a specific object.

Exploiting BOLA has recently become a very popular attack strategy because it is as easy as changing an identifier in an API request, such as a user ID or account number.

One example of a BOLA attack that APISecurity.io covered was a researcher reporting a BOLA vulnerability in an Indian Goods and Services Tax website to access private tax records.

3. Broken Object Property-Level Authorization (BOPLA)

Tied for second place is broken object property-level authorization (BOPLA), which was also found in 12.5% of cases. BOPLA is similar to BOLA and has to do with a lack of proper authorization at the property level.

This means that APIs expose specific object properties that callers can read or manipulate when they should not be able to. Such exposure can be leveraged to submit malicious payloads or to edit properties to the attacker's advantage. In its 2023 list, OWASP folded excessive data exposure and mass assignment into BOPLA.
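The two halves of BOPLA that OWASP folded together, mass assignment on write and excessive data exposure on read, both come down to the same fix: an explicit allow-list of properties per resource and per viewer. The following is an added example, not code from the article or the 42Crunch report; the `User` record, its field names and the allow-lists are constructed assumptions for illustration. It shows a mass-assignment-prone update beside a hardened one, and a response serializer that filters to the viewer's allow-list instead of returning the whole object.

```python
# Added example (not from the article or the 42Crunch report): property-level
# authorization for a hypothetical "user profile" API. Both halves of BOPLA are
# shown: mass assignment on write (client sets fields it must not control) and
# excessive data exposure on read (server returns fields the caller must not see).
from dataclasses import dataclass, asdict

# Constructed sample record; the field names are assumptions for illustration.
@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "member"          # privileged field: must never come from the client
    password_hash: str = "x"      # sensitive field: must never be returned
    balance_cents: int = 0        # server-owned field

# Property allow-lists, declared once per resource. Anything not listed is rejected
# on write and dropped on read, which is the least-privilege default.
WRITABLE_BY_OWNER = {"email", "display_name"}
READABLE_BY_OWNER = {"id", "email", "display_name", "role", "balance_cents"}
READABLE_BY_PUBLIC = {"id", "display_name"}

class ForbiddenProperty(Exception):
    pass

def update_profile_vulnerable(user: User, payload: dict) -> User:
    """Mass assignment: every key in the JSON body is copied onto the object,
    so a body like {"role": "admin"} escalates privilege."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user

def update_profile(user: User, payload: dict) -> User:
    """Hardened: unknown or non-writable properties are an error, not silently
    ignored, so a client probing for extra fields gets a clear 4xx and the
    record is left untouched."""
    disallowed = set(payload) - WRITABLE_BY_OWNER
    if disallowed:
        raise ForbiddenProperty(f"properties not writable: {sorted(disallowed)}")
    for key in WRITABLE_BY_OWNER & set(payload):
        setattr(user, key, payload[key])
    return user

def serialize_profile(user: User, viewer_is_owner: bool) -> dict:
    """Filter the response to the allow-list for this viewer instead of
    returning the whole object (the excessive-data-exposure half of BOPLA)."""
    allowed = READABLE_BY_OWNER if viewer_is_owner else READABLE_BY_PUBLIC
    return {k: v for k, v in asdict(user).items() if k in allowed}

if __name__ == "__main__":
    u = User(id=7, email="a@example.test", display_name="Ann")
    # Constructed hostile body: a legitimate field plus a privileged one.
    body = {"display_name": "Ann B.", "role": "admin"}
    print(update_profile_vulnerable(User(id=7, email="a@example.test", display_name="Ann"), body).role)
    try:
        update_profile(u, body)
    except ForbiddenProperty as e:
        print("rejected:", e)
    print(serialize_profile(u, viewer_is_owner=False))
```

Rejecting unknown properties rather than ignoring them is a deliberate choice: a silent drop hides the probe from both the client and the server's logs, whereas a 4xx on an unexpected field is also a useful detection signal.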

4. Broken Functional-Level Authorization (BFLA)

The fourth most common API vulnerability is broken functional-level authorization (BFLA), at 10.5%. BFLA occurs when operation-level functions are accessible by those who should not have that level of access. One example in practice was with Securden, in which users with less privilege could access a sensitive administrative function.
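BOLA (section 2) and BFLA (this section) are two different questions an endpoint has to answer: may this role call this operation at all, and may this caller touch this particular object? The following added example, which is not code from the article, the report, or any of the vendors named, puts both checks in one authorization gate so that neither can be forgotten on a given endpoint. The invoice store, the roles and the operation names are constructed assumptions for illustration.

```python
# Added example, not code from the article or 42Crunch: one authorization gate that
# makes the two checks the report distinguishes explicit. Function-level (BFLA): is
# the caller's role allowed to invoke this operation at all? Object-level (BOLA):
# does the caller own the specific record identified in the request?
# Store, roles and record shape are constructed assumptions for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str            # "member" or "admin"

@dataclass
class Invoice:
    id: int
    owner_id: int
    amount_cents: int

# Constructed sample data: two invoices belonging to two different users.
INVOICES = {
    101: Invoice(id=101, owner_id=1, amount_cents=1200),
    102: Invoice(id=102, owner_id=2, amount_cents=9900),
}

# Function-level policy: which roles may call which operation. Declaring it as
# data keeps the check per endpoint and reviewable.
ALLOWED_ROLES = {
    "invoice.read": {"member", "admin"},
    "invoice.refund": {"admin"},
}

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def authorize(principal: Principal, operation: str, invoice_id: int) -> Invoice:
    # BFLA check first: the role must be permitted to perform this operation.
    if principal.role not in ALLOWED_ROLES.get(operation, set()):
        raise Forbidden(f"role {principal.role!r} may not perform {operation}")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    # BOLA check: a member may only touch objects they own. Admins are scoped by
    # the role table above rather than by ownership.
    if principal.role != "admin" and invoice.owner_id != principal.user_id:
        # NotFound rather than Forbidden, so the response does not confirm that
        # a guessed identifier exists (limits enumeration of other users' objects).
        raise NotFound(invoice_id)
    return invoice

def get_invoice_vulnerable(invoice_id: int) -> Invoice:
    """Looks up by identifier only: any authenticated caller who changes the id
    in the request reads another user's invoice (BOLA)."""
    return INVOICES[invoice_id]

def get_invoice(principal: Principal, invoice_id: int) -> Invoice:
    return authorize(principal, "invoice.read", invoice_id)

def refund_invoice(principal: Principal, invoice_id: int) -> int:
    invoice = authorize(principal, "invoice.refund", invoice_id)
    invoice.amount_cents = 0
    return invoice.id

if __name__ == "__main__":
    member = Principal(user_id=1, role="member")
    print(get_invoice_vulnerable(102).amount_cents)   # leaks user 2's invoice
    print(get_invoice(member, 101).amount_cents)      # own invoice: allowed
    for call in (lambda: get_invoice(member, 102), lambda: refund_invoice(member, 101)):
        try:
            call()
        except (Forbidden, NotFound) as e:
            print(type(e).__name__, e)
```

The order matters: the role check runs before the object lookup so that a caller who is not entitled to the operation learns nothing about which identifiers exist, and the ownership check returns the same response as a missing record for the same reason.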

5. Security Misconfiguration

Another top API vulnerability was security misconfiguration, at 5% of reports. The report found that missing rate limits is a leading contributor to misconfigurations that directly weaken API security, followed by unenforced HTTPS and insecure frameworks or third-party libraries.
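Missing rate limits head the report's list of misconfigurations, and the fix is cheap: a per-client budget enforced before the handler runs. The following added example, not code from the article or the report, is a token-bucket limiter keyed by client identity, with the clock injected so the behaviour is deterministic; the capacity, refill rate and client ids are constructed assumptions.

```python
# Added example (not from the article or the report): a per-client token-bucket
# rate limiter of the kind the report says is most often missing. The clock is
# injected so the behaviour is deterministic; limits and client ids are assumptions.
from dataclasses import dataclass, field

@dataclass
class Bucket:
    tokens: float
    updated_at: float

@dataclass
class RateLimiter:
    capacity: int            # burst size
    refill_per_sec: float    # sustained rate
    buckets: dict = field(default_factory=dict)

    def check(self, client_id: str, now: float) -> tuple:
        """Return (allowed, retry_after_seconds). Keyed by client identity
        (API key or user id, falling back to source address) rather than
        globally, so one noisy client cannot exhaust everyone's budget."""
        b = self.buckets.get(client_id)
        if b is None:
            b = Bucket(tokens=float(self.capacity), updated_at=now)
            self.buckets[client_id] = b
        # Refill proportional to elapsed time, capped at the burst capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.updated_at) * self.refill_per_sec)
        b.updated_at = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True, 0.0
        # Not enough budget: tell the client how long until one token is back.
        retry_after = (1 - b.tokens) / self.refill_per_sec
        return False, retry_after

def simulate(limiter: RateLimiter, client_id: str, times: list) -> list:
    """Replay a constructed sequence of request timestamps and report which
    were admitted; the rejected ones would get HTTP 429 with a Retry-After."""
    return [limiter.check(client_id, t)[0] for t in times]

if __name__ == "__main__":
    lim = RateLimiter(capacity=5, refill_per_sec=1.0)
    # Constructed burst: 7 requests at t=0, then one at t=2 after some refill.
    print(simulate(lim, "key-A", [0.0] * 7 + [2.0]))
```

Keying on an authenticated identity rather than only on source address is what makes the limit meaningful against credential-stuffing and enumeration traffic that rotates addresses; the source address remains a reasonable fallback for unauthenticated routes such as login.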

Additional Vulnerabilities

Following these top five are broken access control, injection, and unrestricted resource consumption, with other vulnerability types making up a smaller share of the total.

Figure: APISecurity.io vulnerabilities from 2024–2025 and their corresponding OWASP categories.

The report also notes that a range of malicious inputs are commonly used, with path traversal, SQL injection, server-side request forgery (SSRF), and denial of service (DoS) being the malicious inputs seen most often in attacks.

API Security Recommendations

In order to respond to these risks, the report authors recommend a number of best practices. One is to enforce strong authentication using OAuth rather than weak authentication like Basic HTTP Auth or relying solely on API keys.

Another recommendation is to document all endpoints and regularly maintain an active API inventory with clearly marked security schemes, and an indication of which should be public or remain private.
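Over half of the authentication findings were endpoints with no authentication at all, and the inventory recommendation here is the structural answer to that: if every route must declare its security scheme when it is registered, an unauthenticated endpoint is an explicit decision rather than an omission. The following added example, not code from the article or the report, is a deny-by-default route registry that also serves as the inventory; the bearer-token store, routes and handlers are constructed assumptions (a real deployment would validate OAuth access tokens, as the report recommends).

```python
# Added example (not from the article or the report): a deny-by-default route
# registry. Every endpoint must declare its security scheme when registered,
# which doubles as the inventory the report recommends, and a route without a
# scheme is a startup error rather than a silently unauthenticated endpoint.
# Token store, routes and handlers are constructed assumptions for illustration.
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed bearer tokens; a real deployment would validate OAuth access tokens.
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

SCHEMES = {"public", "bearer"}

@dataclass(frozen=True)
class Route:
    method: str
    path: str
    scheme: str                              # "public" or "bearer"
    handler: Callable[[Optional[str]], dict]  # receives the authenticated subject

class Registry:
    def __init__(self):
        self.routes = {}

    def add(self, method: str, path: str, scheme: Optional[str], handler) -> None:
        # Fail closed at registration time: an undeclared scheme never ships.
        if scheme not in SCHEMES:
            raise ValueError(f"{method} {path}: security scheme must be declared")
        self.routes[(method, path)] = Route(method, path, scheme, handler)

    def inventory(self) -> list:
        """The documented endpoint list with its security scheme, as the
        report recommends keeping and marking public vs. private."""
        return [f"{r.method} {r.path} [{r.scheme}]" for r in self.routes.values()]

    def dispatch(self, method: str, path: str, headers: dict) -> tuple:
        route = self.routes.get((method, path))
        if route is None:
            # Unregistered paths do not exist: there is no undocumented route
            # for an attacker to find by enumerating common API paths.
            return 404, {}
        subject = None
        if route.scheme == "bearer":
            auth = headers.get("Authorization", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
            # Constant-time comparison so token checking does not leak by timing.
            subject = next((s for t, s in VALID_TOKENS.items()
                            if hmac.compare_digest(t, token)), None)
            if subject is None:
                return 401, {"error": "authentication required"}
        return 200, route.handler(subject)

if __name__ == "__main__":
    reg = Registry()
    reg.add("GET", "/health", "public", lambda s: {"ok": True})
    reg.add("GET", "/me", "bearer", lambda s: {"user": s})
    print(reg.inventory())
    print(reg.dispatch("GET", "/me", {}))
    print(reg.dispatch("GET", "/me", {"Authorization": "Bearer tok-alice"}))
    try:
        reg.add("GET", "/debug", None, lambda s: {})
    except ValueError as e:
        print("refused:", e)
```

The inventory output is the artifact to diff in review: a new `[public]` entry, or a route that disappears from the list, is exactly the change a security reviewer wants to see called out.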

To address authorization-related threats, they recommend that API developers implement proper checks on every endpoint to verify that the requester owns, or otherwise has permission to access, the object or resource being requested. A least-privilege approach will be key to avoiding data overexposure.

Greater use of approval-listing and input validation will also be necessary to make sure data and payloads conform to the specified constraints.
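Approval-listing (allow-listing) input means declaring what a request body may contain and rejecting everything else, rather than trying to recognise known-bad strings. The following added example, not code from the article or the report, is a small schema-driven validator: fields not in the schema are rejected (which also closes off mass assignment), and each declared field carries a type, bounds, an enumerated value set or a tight pattern. The schema, field names and constraints are constructed assumptions for illustration.

```python
# Added example, not code from the article or 42Crunch: schema-driven validation
# that allow-lists what a request body may contain rather than trying to block
# known-bad input. Field names and constraints are assumptions for illustration.
import re

# Declarative constraints per field: type, bounds, pattern or enumerated values.
# Anything absent from the schema is rejected, which also closes off mass assignment.
REPORT_SCHEMA = {
    "title":    {"type": str, "max_len": 80},
    "pages":    {"type": int, "min": 1, "max": 500},
    "format":   {"type": str, "enum": {"pdf", "csv"}},
    # Identifier-style fields get a tight pattern; a filename that has to stay
    # inside one directory cannot contain separators or "..", so the traversal
    # inputs the report lists never reach the filesystem layer.
    "filename": {"type": str, "pattern": re.compile(r"[A-Za-z0-9_-]{1,64}\.(pdf|csv)")},
}
REQUIRED = {"title", "format"}

def validate(payload: dict, schema: dict = REPORT_SCHEMA, required: set = REQUIRED) -> list:
    """Return a list of validation errors (empty means the payload is acceptable).
    Every violation is reported so the client sees one complete answer."""
    errors = []
    for key in sorted(set(payload) - set(schema)):
        errors.append(f"{key}: unknown field")
    for key in sorted(required - set(payload)):
        errors.append(f"{key}: required")
    for key, rule in schema.items():
        if key not in payload:
            continue
        value = payload[key]
        # bool is a subclass of int in Python; reject it explicitly for int fields.
        if not isinstance(value, rule["type"]) or (rule["type"] is int and isinstance(value, bool)):
            errors.append(f"{key}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{key}: longer than {rule['max_len']}")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{key}: below {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{key}: above {rule['max']}")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{key}: not one of {sorted(rule['enum'])}")
        # fullmatch anchors both ends, so a valid suffix after a bad prefix fails.
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{key}: does not match required pattern")
    return errors

if __name__ == "__main__":
    # Constructed requests: one clean, one carrying a traversal attempt and extras.
    print(validate({"title": "Q3", "format": "pdf", "pages": 12, "filename": "q3.pdf"}))
    print(validate({"title": "Q3", "format": "xml", "filename": "../../etc/passwd", "role": "admin"}))
```

Validation of this kind runs before authorization and business logic, on the decoded body, and the same schema can be published in the API's OpenAPI document so that the inventory, the contract and the runtime check stay in step.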

Agentic AI Set to Evolve the API Industry

The top threats found in the report closely align with the top risks on OWASP's most recent list of API security threats, and nearly all of them involve some form of broken access control, with broken authorization being a pervasive issue.

It should be noted that while this research shows the prevalence of common vulnerability types, it does not show their severity. Vulnerability types with a lower count may appear less significant because they are harder for attackers to exploit; however, they may carry a higher degree of risk of business logic abuse, account takeover, or remote code execution.

Looking to the future, AI agents are set to keep altering the overall API security dynamic, introducing another threat vector, since their automated actions can exploit the above vulnerabilities in a highly automated and autonomous way.

AI Summary

This article analyzes the most common API vulnerabilities identified in the 2026 State of API Security report by 42Crunch, which reviewed 200 real-world API breach reports from 2024–2025.

  • Broken authentication is the most prevalent API vulnerability, responsible for 23.5% of reported cases, often caused by missing authentication, weak credential protection, or authentication bypass.
  • Authorization flaws are a major contributor to breaches, including broken object-level authorization (BOLA), broken object property-level authorization (BOPLA), and broken functional-level authorization (BFLA), which allow attackers to access or manipulate resources they should not control.
  • Security misconfiguration also plays a significant role in API exploits, with common issues including missing rate limits, insecure frameworks, and unenforced HTTPS connections.
  • Attack techniques frequently involve manipulating identifiers in API requests, enumerating endpoints, or injecting malicious inputs such as SQL injection, path traversal, and server-side request forgery.
  • Recommended defenses include stronger authentication mechanisms such as OAuth, maintaining accurate API inventories, implementing least-privilege authorization checks, and enforcing strict input validation and approval-listing.

The article is intended for API developers, security engineers, and platform teams responsible for designing and securing modern API-driven systems.