A security bug where your app checks that a user is logged in but never checks whether the data they're asking for actually belongs to them. That gap lets any logged-in user read or edit someone else's records by guessing an ID.
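
The gap and its fix side by side, as an added example that is not from the original page. The handler names, the in-memory INVOICES store and the HttpError type are hypothetical, and the records are constructed sample data.

```python
# Constructed sample data: invoice ID -> record with its owner (hypothetical store).
INVOICES = {
    101: {"owner": "alice", "total": 120},
    102: {"owner": "bob", "total": 75},
}

class HttpError(Exception):
    """Hypothetical error type carrying the HTTP status a handler would return."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status

def require_login(user):
    # Authentication only: establishes who is asking, not what they may touch.
    if user is None:
        raise HttpError(401)

def get_invoice_unchecked(user, invoice_id):
    """The gap: a logged-in check, then a lookup by the caller-supplied ID."""
    require_login(user)
    record = INVOICES.get(invoice_id)
    if record is None:
        raise HttpError(404)
    return record  # never compared against `user`

def get_invoice_checked(user, invoice_id):
    """Same lookup, plus an ownership check on the record itself."""
    require_login(user)
    record = INVOICES.get(invoice_id)
    # One 404 for both "missing" and "not yours", so responses do not reveal valid IDs.
    if record is None or record["owner"] != user:
        raise HttpError(404)
    return record

def update_total_checked(user, invoice_id, total):
    """Edits go through the same ownership check as reads."""
    record = get_invoice_checked(user, invoice_id)
    record["total"] = total
    return record

def status_of(handler, *args):
    """Run a handler and report the status code it would produce."""
    try:
        handler(*args)
        return 200
    except HttpError as err:
        return err.status
```

The ownership comparison uses the identity from the session, never an owner or user ID supplied in the request.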