APIs are the backbone of modern software, and therefore a central attack target. Three findings from current primary sources sum up the problem: incidents are widespread, attackers deliberately follow the known API vulnerabilities, and a data breach remains expensive.

99%
of organizations had API security problems in the last year
Salt Security, 2025
32%
experienced a concrete API security incident
Salt Security, 2026
78%
of attack attempts use OWASP API Top 10 methods
Salt Security, 2026
$4.4M
is the global average cost of a data breach
IBM, 2025

Why a Valid Login Isn't Enough

The most common API risk is Broken Object Level Authorization (BOLA): the API doesn't check whether a logged-in user is allowed to access precisely this object. It takes no exploit, just an incremented ID. That fits the finding that, according to Salt Labs, nearly all analyzed attack attempts originate from authenticated sources, meaning the attacker is logged in.

Login as User Avalid loginallowed
GET /invoices/1001own invoice200 OK
GET /invoices/1002someone else's invoice200 OK · BOLA

Broken Object Level Authorization: the same valid login, an incremented ID, someone else's data. Classic login and perimeter controls don't catch this.

The Attack Surface Grows Along With It

The more business logic runs over APIs, the more the attack activity shifts there too. As far back as late 2021, API calls made up 54% of Cloudflare's entire request volume and grew roughly twice as fast as classic web traffic. 66% of organizations report that their number of APIs grew by more than 50% in the last year.

And the trend is accelerating through AI-assisted development: tools like Copilot or Cursor, and increasingly autonomous AI agents, generate code, and with it endpoints, faster than reviews and governance can keep up. That produces more and more undocumented or never-reviewed routes (phantom and shadow APIs), and AI agents together with their tool interfaces form an entirely new API attack surface. How to stay on top of it anyway is covered under Implementing API Security.

Authorization Errors Dominate

Three of the five highest OWASP API risks are pure authorization flaws: API1 (BOLA), API3 (BOPLA), and API5 (BFLA). They can't be detected by a signature, only by actually walking through the logic. That's exactly what makes them so dangerous, and at the same time so hard for classic scanners.

Key Takeaway

API attacks mostly run through valid logins and missing authorization checks, not through classic exploits. Anyone who wants to secure APIs has to test the logic, not just scan for patterns.

Why These Gaps Are So Dangerous

What is actually alarming is not the sheer number of API gaps, but how trivial they are to exploit, often without specialized knowledge and without a valid account.

97%
of API vulnerabilities are exploitable with a single request
Wallarm, 2026
59%
don't even require authentication to do so
Wallarm, 2026
17%
of all reported vulnerabilities now fall on APIs
Wallarm, 2026
+44%
more exploitation of publicly reachable applications year over year
IBM X-Force, 2026

What that means in practice: it takes no sophisticated exploit. A single, completely normal-looking request with an incremented ID, in other words a BOLA gap like GET /orders/124 instead of your own 123, is enough to grab someone else's records. No malicious code, often no login, and to a pattern-based protection system the request looks entirely legitimate.

Defense is lagging behind: while APIs are becoming the dominant attack surface, according to Salt only 18% of organizations trust themselves to even detect AI-assisted attacks (H1 2026). Anyone who doesn't continuously check their own API inventory and authorization logic often only notices an incident once it's in the news.

Frequently Asked Questions

Why doesn't a classic scanner detect BOLA?

Because a BOLA request is technically completely legitimate, and only the manipulated object ID reveals the abuse. A signature- or pattern-based scanner sees no suspicious pattern. Only the application logic, in the context of the user, knows whether the access is allowed.

Is an annual pentest or a WAF enough?

No. APIs change with every deploy, and a finding from twelve months ago says nothing about the current state. A WAF filters patterns, not logic flaws. What works is continuous, logic-based testing.

Does AI increase the attack surface?

Yes. AI code generators produce more endpoints faster than governance can track, including phantom routes that were never planned. That increases the number of untested interfaces.

Sources

Keep reading