The correct answer is 'Broken Access Control', which is a category in the OWASP Top 10 that includes failures in restrictions on what authenticated users are allowed to do. Attackers can exploit these flaws to access unauthorized functionality or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc. 'A04:2021-Insecure Direct Object References' refers to a subcategory that was a part of earlier editions of the OWASP Top 10, which has been merged under 'Broken Access Control' in recent versions. 'Sensitive Data Exposure' deals with the actual exposure of sensitive data due to inadequate protection, which does not directly relate to the described scenario. 'Insufficient Logging & Monitoring' is about the lack of sufficient tracking and auditing, which may allow breaches to go unnoticed, but is not directly relevant to the issue of failing to restrict URL access.