Also requires that you build specific kind of logic in your access control. So it really depends on implementation. Some codebases are vulnerable where as others are not.