VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

BaseIncompleteLikelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 20 of 54
  • CVE-2025-15106MedDec 27, 2025
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed…

  • CVE-2025-0642MedOct 2, 2025
    risk 0.41cvss 6.3epss 0.00

    Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass. This issue affects Assist: through 10.02.2025.

  • CVE-2025-6765MedJun 27, 2025
    risk 0.41cvss 6.3epss 0.00

    A vulnerability, which was classified as critical, has been found in Intelbras InControl 2.21.60.9. This issue affects some unknown processing of the file /v1/operador/ of the component HTTP PUT Request Handler. The manipulation leads to permission issues. The attack may be…

  • CVE-2025-4210HigMay 2, 2025
    risk 0.41cvss 7.3epss 0.02

    A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated…

  • CVE-2017-0882MedMar 28, 2017
    risk 0.41cvss 6.3epss 0.01

    Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.

  • CVE-2026-35489HigApr 7, 2026
    risk 0.40cvss 7.3epss 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to…

  • CVE-2025-8887MedOct 10, 2025
    risk 0.40cvss 6.1epss 0.00

    Authorization Bypass Through User-Controlled Key, Missing Authorization, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Forceful Browsing, Parameter Injection, Input Data Manipulation. This issue…

  • CVE-2026-53863HigJun 16, 2026
    risk 0.39cvss 7.1epss 0.00

    OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially…

  • CVE-2026-54097higJun 12, 2026
    risk 0.39cvss epss 0.00

    ### Summary A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file…

  • CVE-2026-8406HigJun 11, 2026
    risk 0.39cvss epss 0.00

    openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.

  • CVE-2026-49141HigJun 8, 2026
    risk 0.39cvss 7.1epss 0.00

    WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body…

  • CVE-2026-45342HigMay 28, 2026
    risk 0.39cvss epss 0.00

    LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource…

  • CVE-2026-39968HigMay 22, 2026
    risk 0.39cvss 7.1epss 0.00

    TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace…

  • CVE-2026-45349HigMay 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key (generated in OWUI) and the Chat ID of another user to continue the…

  • CVE-2026-41906HigMay 7, 2026
    risk 0.39cvss 7.1epss 0.00

    FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts…

  • CVE-2026-40591HigApr 21, 2026
    risk 0.39cvss 7.1epss 0.00

    FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing…

  • CVE-2026-40480HigApr 18, 2026
    risk 0.39cvss epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson()…

  • CVE-2026-34602HigApr 14, 2026
    risk 0.39cvss 7.1epss 0.00

    Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll…

  • CVE-2026-33702HigApr 10, 2026
    risk 0.39cvss 7.1epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly…

  • CVE-2026-32930HigApr 10, 2026
    risk 0.39cvss 7.1epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations…