1. Critical Authorization Bypass: DELETE /stream/schedules/:id Allows Any Authenticated User to Cancel Other Users' Recurring Donations
A critical broken object-level authorization (BOLA/IDOR) vulnerability has been identified in the `DELETE /stream/schedules/:id` endpoint, allowing any authenticated user with the `stream:delete` permission to cancel recurring donation schedules belonging to other users. The endpoint fails to verify that the requesting...
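The shape of the flaw and of its fix, as an added example that is not the report's or the project's own code: a minimal model of the `DELETE /stream/schedules/:id` handler in which the vulnerable version checks only the coarse `stream:delete` permission, while the fixed version also requires that the schedule's owner be the requesting user. The `Schedule`/`User` types, the in-memory store and the sample users are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

@dataclass
class Schedule:
    id: int
    owner_id: int          # user who created the recurring donation
    cancelled: bool = False

@dataclass
class User:
    id: int
    permissions: FrozenSet[str]

def make_store() -> Dict[int, Schedule]:
    """Constructed sample data: two users, each owning one schedule."""
    return {101: Schedule(id=101, owner_id=1), 202: Schedule(id=202, owner_id=2)}

def delete_schedule_vulnerable(store: Dict[int, Schedule], user: User, schedule_id: int) -> int:
    """Permission check only; never verifies who owns the object (BOLA/IDOR).
    Returns an HTTP-style status code."""
    if "stream:delete" not in user.permissions:
        return 403
    schedule = store.get(schedule_id)
    if schedule is None:
        return 404
    schedule.cancelled = True      # any authenticated user reaches this line
    return 204

def delete_schedule_fixed(store: Dict[int, Schedule], user: User, schedule_id: int) -> int:
    """Same handler with an object-level check: the schedule must belong to
    the requester. 'Missing' and 'not yours' both answer 404 so the endpoint
    does not confirm to other users which schedule ids exist."""
    if "stream:delete" not in user.permissions:
        return 403
    schedule = store.get(schedule_id)
    if schedule is None or schedule.owner_id != user.id:
        return 404
    schedule.cancelled = True
    return 204

if __name__ == "__main__":
    alice = User(id=1, permissions=frozenset({"stream:delete"}))
    bob = User(id=2, permissions=frozenset({"stream:delete"}))
    s = make_store()
    print("vulnerable, bob deletes alice's 101:", delete_schedule_vulnerable(s, bob, 101))
    s = make_store()
    print("fixed, bob deletes alice's 101:", delete_schedule_fixed(s, bob, 101))
    print("fixed, alice deletes her own 101:", delete_schedule_fixed(s, alice, 101))
```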