VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete · Likelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 13 of 54
  • CVE-2026-44570 · High · May 15, 2026
    risk 0.47 · cvss 8.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of…

  • CVE-2026-29002 · High · Apr 10, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request…

  • CVE-2026-5842 · High · Apr 9, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out…

  • CVE-2026-35478 · High · Apr 8, 2026
    risk 0.47 · cvss 8.3 · epss 0.00

    InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the…

  • CVE-2025-9062 · High · Feb 19, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection. This issue affects Envanty: before 1.0.6.   NOTE: The vendor was contacted early about this disclosure but did not respond…

  • CVE-2026-39518 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.

  • CVE-2026-53673 · High · Jun 10, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to…

  • CVE-2026-42863 · High · Jun 8, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as…

  • CVE-2026-11369 · High · Jun 5, 2026
    risk 0.46 · cvss · epss 0.00

    The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability…

  • CVE-2026-45281 · High · Jun 1, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar.…

  • CVE-2026-8890 · High · May 26, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an…

  • CVE-2026-45760 · High · May 21, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their…

  • CVE-2026-45402 · High · May 15, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents)…

  • CVE-2026-46407 · High · May 15, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's…

  • CVE-2026-44678 · High · May 14, 2026
    risk 0.46 · cvss · epss 0.00

    Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL…

  • CVE-2026-8629 · High · May 14, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on…

  • CVE-2026-5798 · High · May 14, 2026
    risk 0.46 · cvss · epss 0.00

    Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any…

  • CVE-2026-5395 · High · May 14, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user…

  • CVE-2026-42609 · High · May 11, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a…

  • CVE-2026-2554 · High · May 2, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on…