CWE-639
Authorization Bypass Through User-Controlled Key
BaseIncompleteLikelihood: High
Description
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Hierarchy (View 1000)
CVEs mapped to this weakness (680)
page 2 of 34| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-13615 | Cri | 0.64 | 9.8 | 0.00 | Nov 30, 2025 | The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options. | |
| CVE-2025-58627 | Cri | 0.64 | 9.8 | 0.00 | Nov 6, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous Core Plugin: from n/a through < 2.0.9. | |
| CVE-2025-0987 | Cri | 0.64 | 9.9 | 0.00 | Nov 3, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection.This issue affects CVLand: from 2.1.0 through 20251103. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-10742 | Cri | 0.64 | 9.8 | 0.00 | Oct 16, 2025 | The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode. | |
| CVE-2025-5948 | Cri | 0.64 | 9.8 | 0.00 | Sep 19, 2025 | The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to claiming a business when using the claim_business AJAX action. This makes it possible for unauthenticated attackers to login as any user including admins. Please note that subscriber privileges or brute-forcing are needed when completing the business takeover. The claim_id is needed to takeover the admin account, but brute-forcing is a practical approach to obtaining valid IDs. | |
| CVE-2025-9114 | Cri | 0.64 | 9.8 | 0.00 | Sep 8, 2025 | The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.5.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. | |
| CVE-2024-9263 | Cri | 0.64 | 9.8 | 0.02 | Oct 17, 2024 | The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible. | |
| CVE-2024-8485 | Cri | 0.64 | 9.8 | 0.00 | Sep 25, 2024 | The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators. | |
| CVE-2024-39223 | Cri | 0.64 | 9.8 | 0.00 | Jul 3, 2024 | An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey | |
| CVE-2023-2276 | Cri | 0.64 | 9.8 | 0.00 | May 20, 2023 | The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. | |
| CVE-2026-5845 | Cri | 0.62 | 9.6 | 0.00 | Apr 21, 2026 | An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program. | |
| CVE-2026-30884 | Cri | 0.62 | 9.6 | 0.00 | Mar 18, 2026 | mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue. | |
| CVE-2024-5619 | Cri | 0.62 | 9.6 | 0.00 | Jul 18, 2024 | Authorization Bypass Through User-Controlled Key vulnerability in PruvaSoft Informatics Apinizer Management Console allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Apinizer Management Console: before 2024.05.1. | |
| CVE-2026-1201 | Cri | 0.61 | — | 0.00 | Jan 22, 2026 | An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation. | |
| CVE-2025-42605 | Cri | 0.61 | — | 0.01 | Apr 23, 2025 | This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating parameter in the API request body to gain unauthorized access to other user accounts. Successful exploitation of this vulnerability could allow remote attacker to perform authorized manipulation of data associated with other user accounts. | |
| CVE-2025-10910 | Cri | 0.60 | — | 0.00 | Dec 18, 2025 | A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account. The server‑side API allows device association using a set of identifiers: "device", "sku", "type", and a client‑computed "value", that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified for the Govee H6056 - lamp device in firmware version 1.08.13, but may affect also other Govee cloud‑connected devices. The vendor is investigating other potentially affected models. The vendor has deployed server-side security enhancements and automatic firmware updates for model H6056. Most of H6056 devices have been successfully patched through automatic updates. Remaining H6056 users with upgradeable hardware versions must manually update firmware through the Govee Home app while keeping their device WiFi-connected. Users should open the Govee Home app, tap their H6056 device card to enter the device details page, tap the settings icon in the upper right corner, navigate to Device Information section (Firmware Version), and tap the Update button to install the security patch immediately. Govee H6056 devices with hardware versions 1.00.10 or 1.00.11 cannot receive firmware update due to hardware limitations. | |
| CVE-2026-42889 | Cri | 0.59 | 9.1 | 0.00 | May 12, 2026 | Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full server permissions. An unauthenticated network attacker who knows or guesses a document ID could connect to the document sync WebSocket and read or modify document contents without a valid document token. This vulnerability is fixed in 0.9.7. | |
| CVE-2026-29204 | Cri | 0.59 | 9.1 | 0.00 | May 12, 2026 | Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account. | |
| CVE-2026-5652 | Cri | 0.59 | 9.0 | 0.00 | Apr 21, 2026 | An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation. | |
| CVE-2026-25197 | Cri | 0.59 | 9.1 | 0.00 | Apr 3, 2026 | A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call. |