CWE-285
Improper Authorization
Description
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87
CVEs mapped to this weakness (812)
page 29 of 41

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-32532 | — | — | 0.07 | — | 0.25 | — | Jun 28, 2022 | Apache Shiro before 1.9.1: a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. |
| CVE-2022-22978 | — | — | 0.07 | — | 0.10 | — | May 19, 2022 | In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly… |
| CVE-2026-47713 | — | Low | 0.06 | 2.0 | 0.00 | — | May 28, 2026 | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record… |
| CVE-2024-8181 | — | — | 0.05 | — | 0.46 | — | Aug 27, 2024 | An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality. |
| CVE-2025-29927 | — | — | 0.04 | — | 1.00 | — | Mar 21, 2025 | Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in… |
| CVE-2026-24421 | — | — | 0.03 | — | 0.02 | — | Jan 24, 2026 | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the… |
| CVE-2014-9357 | — | — | 0.01 | — | 0.06 | — | Dec 16, 2014 | Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction. |
| CVE-2014-0107 | — | — | 0.01 | — | 0.14 | — | Apr 15, 2014 | The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a… |
| CVE-2026-55519 | — | Low | 0.00 | — | — | — | Jun 23, 2026 | Impact: A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an… |
| CVE-2026-55775 | — | Low | 0.00 | — | — | — | Jun 19, 2026 | Summary: A user that is granted namespace management (`/sys/namespaces`) capabilities within a non-root namespace ("the victim namespace") can abuse special handling of the literal path `"root"` in namespace path canonicalization to manage the victim namespace itself. … |
| CVE-2026-54683 | — | — | 0.00 | — | — | — | Jun 18, 2026 | Summary: A previous advisory (CVE-2026-49463 / GHSA-qpm9-h556-mwxm) reported that any logged-in user could download any document by its identifier, and stated this was fixed in 3.0.1. For the document-content part that fix was **incomplete**: documents remained downloadable… |
| CVE-2026-46552 | — | — | 0.00 | — | 0.00 | — | May 21, 2026 | Summary: Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (`xc-shared-base-id`), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited… |
| CVE-2026-33222 | — | — | 0.00 | — | 0.00 | — | Mar 25, 2026 | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected… |
| CVE-2026-33162 | — | — | 0.00 | — | 0.00 | — | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid}… |
| CVE-2026-33680 | — | — | 0.00 | — | 0.00 | — | Mar 24, 2026 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks… |
| CVE-2026-33668 | — | — | 0.00 | — | 0.00 | — | Mar 24, 2026 | Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths… |
| CVE-2026-32300 | — | — | 0.00 | — | 0.00 | — | Mar 23, 2026 | Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user… |
| CVE-2026-33125 | — | — | 0.00 | — | 0.00 | — | Mar 20, 2026 | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been… |
| CVE-2026-32034 | — | — | 0.00 | — | 0.00 | — | Mar 19, 2026 | OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker… |
| CVE-2026-32027 | — | — | 0.00 | — | 0.00 | — | Mar 19, 2026 | OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM… |
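The two RegexRequestMatcher rows above (CVE-2022-32532, CVE-2022-22978) share one mechanism: `.` in a regular expression does not match a line terminator unless the pattern is compiled in DOTALL mode, so an encoded newline in the request path defeats a rule such as `^/admin/.*$` while the affected container still dispatches the request to the protected resource. The following is an added example, not code from Apache Shiro, Spring Security or any project on this page; the `route()` dispatcher is a hypothetical stand-in for a container that routes such a path by prefix, and the rule, paths and role names are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Added example, not code from Apache Shiro or Spring Security: models the
# RegexRequestMatcher-style rule behind CVE-2022-32532 / CVE-2022-22978.
# "^/admin/.*$" is meant to cover every path under /admin/, but '.' does
# not match a newline unless the pattern is compiled in DOTALL mode, so a
# decoded %0a in the path makes the rule fail to match.

ADMIN_RULE_VULNERABLE = re.compile(r"^/admin/.*$")           # '.' stops at '\n'
ADMIN_RULE_HARDENED = re.compile(r"^/admin/.*$", re.DOTALL)  # '.' matches '\n' too


def requires_admin(decoded_path: str, rule: re.Pattern) -> bool:
    """True if the rule classifies this path as admin-only. The matcher
    sees the decoded path, so %0a has already become a real newline."""
    return rule.fullmatch(decoded_path) is not None


def route(decoded_path: str) -> str:
    """Hypothetical prefix dispatcher standing in for a servlet container
    whose /admin/* mapping still routes a path containing a control
    character to the admin servlet."""
    return "admin-handler" if decoded_path.startswith("/admin/") else "public-handler"


def handle(raw_uri: str, rule: re.Pattern, roles: set) -> str:
    """Authorization filter followed by dispatch, as a security filter
    chain would do it: decide on the decoded path, then route it."""
    path = unquote(raw_uri)
    if requires_admin(path, rule) and "admin" not in roles:
        return "403 Forbidden"
    return f"200 OK via {route(path)}"


if __name__ == "__main__":
    anonymous: set = set()
    for uri in ("/admin/users", "/admin/%0ausers"):
        print(f"{uri:18} unfixed: {handle(uri, ADMIN_RULE_VULNERABLE, anonymous):26} "
              f"DOTALL: {handle(uri, ADMIN_RULE_HARDENED, anonymous)}")
```

Python's `.` excludes only `\n`; Java's excludes `\r` and the other Unicode line terminators as well, so on the JVM the `%0d` variant also slips past the unfixed matcher. The durable fix is not to special-case newlines but to make the rule tolerant of them (DOTALL, or per-segment classes such as `[^/]*`) and, better still, to perform the authorization decision in the same layer and on the same normalised path that routing uses.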
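Most of the remaining rows are not pattern-matching slips but missing or incomplete decisions: phpMyFAQ's SetupController checks only that the caller is authenticated, Snipe-IT checks a generic asset edit permission but not which company the asset belongs to, and Frigate lets the viewer role delete user accounts. The check below is an added example of the deny-by-default shape that closes all three at once; it is hypothetical code, not any listed project's, and its roles, actions, principals and assets are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a deny-by-default authorization check with role and
# tenant (company) scoping. Roles, actions and data are constructed for
# the demonstration and belong to no project listed on this page.


@dataclass(frozen=True)
class Principal:
    user_id: str
    company_id: str
    roles: frozenset


@dataclass(frozen=True)
class Asset:
    asset_id: str
    company_id: str


class Forbidden(PermissionError):
    """Raised when an action is not permitted; callers map it to HTTP 403."""


# Role -> actions that role may perform. Anything absent is denied, so a
# new action stays closed until someone deliberately grants it.
ROLE_PERMISSIONS = {
    "admin": frozenset({"asset:edit", "asset:delete-file", "user:delete", "setup:backup"}),
    "editor": frozenset({"asset:edit", "asset:delete-file"}),
    "viewer": frozenset(),
}

# Actions whose target must belong to the caller's company. A permission
# says "may do X"; this says "only on objects in your own tenant".
TENANT_SCOPED = frozenset({"asset:edit", "asset:delete-file"})


def authorize_authenticated_only(principal: Optional[Principal], action: str,
                                 resource: Optional[Asset] = None) -> None:
    """The weak check: 'logged in' is treated as 'allowed'. Every
    authenticated user passes, whatever the action or target."""
    if principal is None:
        raise Forbidden("authentication required")


def authorize(principal: Optional[Principal], action: str,
              resource: Optional[Asset] = None) -> None:
    """Deny by default: the caller must hold a role that grants the action,
    and tenant-scoped actions must target an object in the caller's own
    company. Raises Forbidden otherwise."""
    if principal is None:
        raise Forbidden("authentication required")
    granted = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    if action not in granted:
        raise Forbidden(f"{principal.user_id} lacks {action}")
    if action in TENANT_SCOPED:
        if resource is None:
            raise Forbidden(f"{action} needs a target object")
        if resource.company_id != principal.company_id:
            # Object-level check: the same 'asset:*' permission must not
            # reach across tenants.
            raise Forbidden(f"{resource.asset_id} belongs to another company")


def can(principal, action, resource=None, check=authorize) -> bool:
    """Boolean wrapper around a check function, for the demonstration."""
    try:
        check(principal, action, resource)
        return True
    except Forbidden:
        return False


# Constructed sample data.
EDITOR_ACME = Principal("erin", "acme", frozenset({"editor"}))
VIEWER_ACME = Principal("vic", "acme", frozenset({"viewer"}))
ADMIN_ACME = Principal("ada", "acme", frozenset({"admin"}))
ACME_LAPTOP = Asset("a-1", "acme")
GLOBEX_LAPTOP = Asset("g-7", "globex")

if __name__ == "__main__":
    cases = [
        ("viewer runs setup backup", VIEWER_ACME, "setup:backup", None),
        ("viewer deletes a user", VIEWER_ACME, "user:delete", None),
        ("editor deletes file on own-company asset", EDITOR_ACME, "asset:delete-file", ACME_LAPTOP),
        ("editor deletes file on other-company asset", EDITOR_ACME, "asset:delete-file", GLOBEX_LAPTOP),
        ("admin deletes a user", ADMIN_ACME, "user:delete", None),
    ]
    for label, who, action, target in cases:
        weak = can(who, action, target, authorize_authenticated_only)
        strict = can(who, action, target)
        print(f"{label:44} auth-only={weak!s:5} deny-by-default={strict}")
```

The two properties worth keeping when adapting this: the permission table is the only place that grants anything, so an action nobody listed is denied rather than silently allowed, and every tenant-scoped action requires a resolved target object, which forces the handler to load the record before acting on it instead of trusting an identifier from the request.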