VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Base · Incomplete · Likelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
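A minimal illustration of the definition above, as an added example that is not code from this page or from any project listed on it. It models a record API in Python with a constructed in-memory store, two constructed users (alice is user 1, bob is user 2) and assumed function names: the vulnerable read returns whatever record the supplied key names, the hardened read scopes the lookup to the caller, the delete path repeats the check rather than inheriting it from the read path, and a small probe shows what an authenticated attacker learns by walking candidate keys against each version.

```python
# Added example, not code from the VYPR page or any project it lists: a toy
# record API that shows CWE-639 and one way to close it. Users, records and
# function names are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed sample store: alice is user 1, bob is user 2.
RECORDS: Dict[int, Record] = {
    101: Record(101, owner_id=1, body="alice's invoice"),
    102: Record(102, owner_id=2, body="bob's invoice"),
}


class NotFound(Exception):
    """Raised for keys the caller may not see; existence is not disclosed."""


def get_record_vulnerable(store: Dict[int, Record], user_id: int, record_id: int) -> Record:
    """CWE-639: the caller is authenticated, but the key they supply is never
    related to them, so changing record_id in the request reads any record."""
    if record_id not in store:
        raise NotFound(record_id)
    return store[record_id]


def get_record_hardened(store: Dict[int, Record], user_id: int, record_id: int) -> Record:
    """Scope the lookup to the caller: only an (owner, key) match is returned.
    A non-owned key gets the same NotFound as a missing one, so the endpoint
    cannot be used to confirm which keys exist."""
    record = store.get(record_id)
    if record is None or record.owner_id != user_id:
        raise NotFound(record_id)
    return record


def delete_record_hardened(store: Dict[int, Record], user_id: int, record_id: int) -> Record:
    """Every mutation path needs its own ownership check; a check made for the
    read path does not protect delete (several entries in the list below are
    exactly a delete or token-overwrite path that accepted a weaker,
    read-level check)."""
    record = get_record_hardened(store, user_id, record_id)
    del store[record_id]
    return record


Fetch = Callable[[Dict[int, Record], int, int], Record]


def can_read(fetch: Fetch, store: Dict[int, Record], user_id: int, record_id: int) -> bool:
    """True if fetch() returns a record for this caller and key."""
    try:
        fetch(store, user_id, record_id)
    except NotFound:
        return False
    return True


def readable_records(fetch: Fetch, store: Dict[int, Record], user_id: int,
                     candidates: Iterable[int]) -> Set[int]:
    """What an attacker learns by walking candidate keys; with a sequential
    integer key the whole keyspace is a for-loop away."""
    return {rid for rid in candidates if can_read(fetch, store, user_id, rid)}


if __name__ == "__main__":
    probe = range(100, 110)
    print("bob via vulnerable endpoint:",
          sorted(readable_records(get_record_vulnerable, RECORDS, 2, probe)))
    print("bob via hardened endpoint:  ",
          sorted(readable_records(get_record_hardened, RECORDS, 2, probe)))
```

The fix is the scoping of the query, not input validation: the key stays user-controlled, but it is only honoured when it resolves to an object the caller owns, and the same rule is applied on every verb that touches the object.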

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 15 of 54
  • CVE-2026-45671 · High · May 15, 2026
    risk 0.45 · cvss 8.0 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The…

  • CVE-2026-45732 · High · May 14, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Impact: The OAuth1 and OAuth2 credential reconnect endpoints authorized access using `credential:read` rather than `credential:update`. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token…

  • CVE-2026-1664 · Medium · Feb 3, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Summary: An Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without…

  • CVE-2024-22439 · Medium · Apr 15, 2024
    risk 0.45 · cvss 6.9 · epss 0.00

    A potential security vulnerability has been identified in HPE FlexFabric and FlexNetwork series products. This vulnerability could be exploited to gain privileged access to switches resulting in information disclosure.

  • CVE-2026-8679 · High · May 22, 2026
    risk 0.44 · cvss 7.5 · epss 0.02

    The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the…

  • CVE-2026-4630 · Medium · May 19, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server…

  • CVE-2026-6008 · Medium · May 14, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse. This issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.

  • CVE-2026-42291 · Medium · May 8, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes is not properly authorized. This allows authenticated attackers who obtain the note ID of victim…

  • CVE-2026-1753 · Medium · Mar 11, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    The Gutena Forms WordPress plugin before 1.6.1 does not validate the option to be updated, which could allow contributors and above role to update arbitrary boolean and array options (such as users_can_register).

  • CVE-2025-12351 · Medium · Oct 27, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    Honeywell S35 Series Cameras contain an Authorization Bypass Through User-Controlled Key vulnerability. An attacker could potentially exploit this vulnerability, leading to Privilege Escalation to admin privileged functionalities. Honeywell also recommends updating to the most…

  • CVE-2024-13063 · Medium · Sep 3, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft MyRezzta allows Forceful Browsing. This issue affects MyRezzta: from s2.02.02 before v2.05.01.

  • CVE-2021-37577 · Medium · Oct 1, 2024
    risk 0.44 · cvss 6.8 · epss 0.00

    Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol in Bluetooth Core Specifications 2.1 through 5.3 may permit an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflection of a…

  • CVE-2026-44692 · High · Jun 10, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters.…

  • CVE-2026-43890 · High · May 11, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the…

  • CVE-2026-41649 · High · Apr 28, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both `collectionId` and `documentId` are provided in the request, the…

  • CVE-2024-9617 · Medium · Mar 20, 2025
    risk 0.43 · cvss 6.5 · epss 0.02

    An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.

  • CVE-2023-2548 · Medium · May 16, 2023
    risk 0.43 · cvss 6.6 · epss 0.01

    The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This…

  • CVE-2026-48599 · High · Jun 15, 2026
    risk 0.42 · cvss n/a · epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In…

  • CVE-2026-47238 · Medium · Jun 11, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched…

  • CVE-2026-7787 · High · Jun 11, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references.
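Two of the patterns in the list above are not the plain "swap the id" case and are worth seeing side by side. The Outline `shares.create` and `subscriptions.create` entries describe a handler that authorizes one identifier (a collection) and then acts on another (a document) when both are supplied; the elixir-grpc entry describes a path-bound field being overridden by a conflicting copy smuggled in the query string or request body. The code below is an added example in Python, not code from this page or from Outline, elixir-grpc or any other project listed; the users, collections, documents, handler shapes and parameter-binding functions are constructed to show each variant next to a hardened form.

```python
# Added example, not code from the VYPR page or from Outline, elixir-grpc or
# any other project listed above: two CWE-639 variants from this page, in
# constructed form. (a) A handler authorizes one identifier but acts on
# another. (b) A path-bound key is overridden by a conflicting copy in the
# query string or body. Names, data and handler shapes are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class AuthzError(Exception):
    pass


class BadRequest(Exception):
    pass


@dataclass(frozen=True)
class Document:
    document_id: str
    collection_id: str
    owner_id: int


# Constructed data: alice (1) owns collection c-a / document d-a,
# bob (2) owns c-b / d-b.
COLLECTION_OWNER: Dict[str, int] = {"c-a": 1, "c-b": 2}
DOCUMENTS: Dict[str, Document] = {
    "d-a": Document("d-a", "c-a", 1),
    "d-b": Document("d-b", "c-b", 2),
}


def share_create_vulnerable(user_id: int, collection_id: Optional[str],
                            document_id: Optional[str]) -> str:
    """When both ids arrive, the collection is authorized but the document is
    what gets shared. Nothing ties the two together, so alice can pass her
    own collection id alongside bob's document id."""
    if collection_id is not None:
        if COLLECTION_OWNER.get(collection_id) != user_id:
            raise AuthzError("collection")
        return f"share:{document_id or collection_id}"
    doc = DOCUMENTS.get(document_id or "")
    if doc is None or doc.owner_id != user_id:
        raise AuthzError("document")
    return f"share:{document_id}"


def share_create_hardened(user_id: int, collection_id: Optional[str],
                          document_id: Optional[str]) -> str:
    """Authorize the exact object the share will point at; if a container id
    is also supplied, require the object to actually live inside it."""
    if document_id is not None:
        doc = DOCUMENTS.get(document_id)
        if doc is None or doc.owner_id != user_id:
            raise AuthzError("document")
        if collection_id is not None and doc.collection_id != collection_id:
            raise BadRequest("document is not in the named collection")
        return f"share:{document_id}"
    if collection_id is None or COLLECTION_OWNER.get(collection_id) != user_id:
        raise AuthzError("collection")
    return f"share:{collection_id}"


Params = Dict[str, str]


def bind_params_vulnerable(path: Params, query: Params, body: Params) -> Params:
    """Later sources win: the router bound user_id from the path and the
    middleware authorized that value, but a copy in the body replaces it."""
    merged: Params = {}
    for source in (path, query, body):
        merged.update(source)
    return merged


def bind_params_hardened(path: Params, query: Params, body: Params) -> Params:
    """Path-bound fields are authoritative; a conflicting duplicate anywhere
    else in the request is rejected rather than merged."""
    merged = dict(path)
    for source in (query, body):
        for key, value in source.items():
            if key in path:
                if value != path[key]:
                    raise BadRequest(f"conflicting value for path-bound field {key!r}")
                continue
            merged.setdefault(key, value)
    return merged


def update_profile(user_id: int, path: Params, query: Params, body: Params,
                   bind: Callable[[Params, Params, Params], Params]) -> str:
    """Returns the id of the profile that would be written. The authz check
    runs on the path segment, as a router middleware would; which record is
    actually written depends on how the parameters were bound."""
    if path.get("user_id") != str(user_id):
        raise AuthzError("path user_id")
    params = bind(path, query, body)
    return params["user_id"]
```

In both variants the fix is the same discipline: decide which single identifier names the object being acted on, authorize that one, and treat any second copy or second identifier as either a consistency check to enforce or a malformed request to reject, never as an alternative source of the key.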