Empty Filter Is Wildcard

An API treats an empty filter argument as 'no filter applied' and returns the full set rather than the empty set or an error. A consumer that funnels attacker-controlled input into the filter without rejecting empty values converts an exact-match query into a wildcard scan.