VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Abstraction: Base | Status: Incomplete | Likelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
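The description above is abstract, so here is an added example (it is not code from the CWE entry or from any project listed on this page) of the weakness in the two shapes it most often takes, each beside its fix, over an in-memory SQLite store. The tables, columns, function names and sample rows are all constructed for this illustration.

```python
"""Added example, not code from the CWE entry or from any listed project:
CWE-639 in its two common shapes, each beside its fix, over an in-memory
SQLite store. Tables, columns and the sample rows are constructed here."""
import sqlite3


class Forbidden(Exception):
    """Raised when the caller may not see the requested row (or it does not exist)."""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes   (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
        CREATE TABLE bots    (id INTEGER PRIMARY KEY, owner_id INTEGER);
        CREATE TABLE results (id INTEGER PRIMARY KEY, bot_id INTEGER, logs TEXT);
    """)
    # Constructed data: user 1 owns note 10 and bot 100 (result 1000);
    # user 2 owns note 20 and bot 200 (result 2000).
    db.executemany("INSERT INTO notes VALUES (?, ?, ?)",
                   [(10, 1, "alice's note"), (20, 2, "bob's note")])
    db.executemany("INSERT INTO bots VALUES (?, ?)", [(100, 1), (200, 2)])
    db.executemany("INSERT INTO results VALUES (?, ?, ?)",
                   [(1000, 100, "alice logs"), (2000, 200, "bob logs")])
    return db


# Shape 1, vulnerable: the caller is authenticated, but the row is fetched by
# the caller-supplied key alone. caller_id is never consulted.
def get_note_vulnerable(db, caller_id, note_id):
    row = db.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    if row is None:
        raise Forbidden("not found")
    return row[0]


# Shape 1, fixed: ownership is part of the query, so a foreign key value can
# never select a row. "Missing" and "not yours" get the same answer, which
# also denies the attacker an enumeration oracle.
def get_note(db, caller_id, note_id):
    row = db.execute("SELECT body FROM notes WHERE id = ? AND owner_id = ?",
                     (note_id, caller_id)).fetchone()
    if row is None:
        raise Forbidden("not found")
    return row[0]


# Shape 2, vulnerable: the parent object (bot) is authorized correctly, but the
# child (result) is then fetched by its own id with no check that it belongs
# to that parent. Any result id on the server is readable.
def get_result_logs_vulnerable(db, caller_id, bot_id, result_id):
    bot = db.execute("SELECT owner_id FROM bots WHERE id = ?", (bot_id,)).fetchone()
    if bot is None or bot[0] != caller_id:
        raise Forbidden("not found")
    row = db.execute("SELECT logs FROM results WHERE id = ?", (result_id,)).fetchone()
    if row is None:
        raise Forbidden("not found")
    return row[0]


# Shape 2, fixed: bind child to parent and parent to caller in one query.
def get_result_logs(db, caller_id, bot_id, result_id):
    row = db.execute(
        "SELECT r.logs FROM results r JOIN bots b ON b.id = r.bot_id "
        "WHERE r.id = ? AND b.id = ? AND b.owner_id = ?",
        (result_id, bot_id, caller_id)).fetchone()
    if row is None:
        raise Forbidden("not found")
    return row[0]


def denied(fn, *args):
    """True if fn(*args) is refused."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def demo():
    """User 2 tries to read user 1's data through each endpoint."""
    db = make_db()
    return {
        "note_vuln": get_note_vulnerable(db, 2, 10),              # leaks "alice's note"
        "note_fixed_denied": denied(get_note, db, 2, 10),         # True
        "note_owner_ok": get_note(db, 1, 10),
        "logs_vuln": get_result_logs_vulnerable(db, 2, 200, 1000),  # leaks "alice logs"
        "logs_fixed_denied": denied(get_result_logs, db, 2, 200, 1000),
        "logs_owner_ok": get_result_logs(db, 1, 100, 1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the fixed versions is that the authenticated principal (or tenant) is part of the lookup itself rather than a separate check bolted on before it; a separate check on the parent, as in shape 2, is exactly the pattern that leaves the child key unbound. Returning one indistinguishable refusal for "does not exist" and "not yours" also stops a caller from using the endpoint to enumerate which keys are live.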

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 23 of 54
  • CVE-2026-28444 | Med | May 22, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An…

  • CVE-2026-9136 | Med | May 20, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an…

  • CVE-2026-9087 | Med | May 20, 2026
    risk 0.35 | cvss 6.4 | epss 0.00

    A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local…

  • CVE-2026-45666 | Med | May 15, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or…

  • CVE-2026-44426 | Med | May 13, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless…

  • CVE-2026-44424 | Med | May 13, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or…

  • CVE-2026-44423 | Med | May 13, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal…

  • CVE-2023-30059 | Med | May 12, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request.

  • CVE-2026-42277 | Med | May 8, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never…

  • CVE-2026-20219 | Med | May 6, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This…

  • CVE-2026-41950 | Med | May 5, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request.…

  • CVE-2026-6542 | Med | Apr 30, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.

  • CVE-2026-7145 | Med | Apr 27, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization…

  • CVE-2026-41127 | Med | Apr 22, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization check that allows viewers to inject or overwrite captions. Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available.

  • CVE-2026-40907 | Med | Apr 21, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other…

  • CVE-2026-40896 | Med | Apr 20, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No…

  • CVE-2026-6585 | Med | Apr 20, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organisation Update Endpoint. This manipulation of the argument organisation_id…

  • CVE-2026-6584 | Med | Apr 20, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument user_id results in authorization bypass.…

  • CVE-2026-6583 | Med | Apr 19, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability has been found in TransformerOptimus SuperAGI up to 0.0.14. This affects the function delete_api_key/edit_api_key of the file superagi/controllers/api_key.py of the component API Key Management Endpoint. The manipulation leads to authorization bypass. The attack…

  • CVE-2026-34370 | Med | Apr 14, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the…
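Not every entry above is a read. CVE-2026-9136 describes the write-side form of the same weakness: a create request is saved with a client-supplied `id` field still in it, and the framework treats a supplied primary key as an update of the existing row, so the "new" record overwrites someone else's. The SuperAGI entries describe the related case of an update endpoint keyed by a caller-chosen `user_id` or `organisation_id`. The following is an added example of both, beside the hardened forms; it is not code from any project in this list, and the table, field names, sample rows and function names are constructed for the illustration.

```python
"""Added example, not code from any project listed on this page: the
write-side form of CWE-639. A create endpoint binds the whole request body
into the row, so a caller-supplied primary key turns the insert into an
overwrite of another user's record. Shown beside the hardened create and an
ownership-scoped update. SQLite in memory; table, fields and rows are
constructed for this example."""
import sqlite3


class Forbidden(Exception):
    pass


# The only field a client may set. The key and the owner are never client data.
ALLOWED_FIELDS = {"text"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE proposals (id INTEGER PRIMARY KEY AUTOINCREMENT, "
               "owner_id INTEGER, text TEXT)")
    # Constructed: user 1 already owns proposal 10.
    db.execute("INSERT INTO proposals (id, owner_id, text) VALUES (10, 1, 'original')")
    db.commit()
    return db


def create_proposal_vulnerable(db, caller_id, payload):
    # Mass assignment: every key in the body becomes a column, 'id' included
    # (and even owner_id can be overridden). INSERT OR REPLACE stands in for an
    # ORM "save" that treats a row carrying a primary key as an update.
    row = {"owner_id": caller_id, **payload}
    cur = db.execute("INSERT OR REPLACE INTO proposals (id, owner_id, text) VALUES (?, ?, ?)",
                     (row.get("id"), row["owner_id"], row.get("text")))
    db.commit()
    return cur.lastrowid


def create_proposal(db, caller_id, payload):
    # Allow-list the writable fields; the key is assigned by the store and the
    # owner comes from the authenticated session, never from the body.
    fields = {k: v for k, v in payload.items() if k in ALLOWED_FIELDS}
    cur = db.execute("INSERT INTO proposals (owner_id, text) VALUES (?, ?)",
                     (caller_id, fields.get("text")))
    db.commit()
    return cur.lastrowid


def update_proposal(db, caller_id, proposal_id, payload):
    # The owner is part of the WHERE clause. A zero rowcount means the row is
    # missing or belongs to someone else; both get the same refusal.
    fields = {k: v for k, v in payload.items() if k in ALLOWED_FIELDS}
    cur = db.execute("UPDATE proposals SET text = ? WHERE id = ? AND owner_id = ?",
                     (fields.get("text"), proposal_id, caller_id))
    db.commit()
    if cur.rowcount != 1:
        raise Forbidden("not found")
    return proposal_id


def inspect_row(db, proposal_id):
    """Inspection helper for the demo, not an endpoint (deliberately unscoped)."""
    return db.execute("SELECT owner_id, text FROM proposals WHERE id = ?",
                      (proposal_id,)).fetchone()


def denied(fn, *args):
    """True if fn(*args) is refused."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def demo():
    """User 2 submits a create request that names user 1's proposal id."""
    hostile = {"id": 10, "text": "hijacked"}
    db = make_db()
    create_proposal_vulnerable(db, 2, hostile)
    after_vuln = inspect_row(db, 10)          # (2, 'hijacked'): user 1's row is gone
    db = make_db()
    new_id = create_proposal(db, 2, hostile)
    after_fixed = inspect_row(db, 10)         # (1, 'original'): untouched
    return {
        "after_vuln": after_vuln,
        "new_id": new_id,                     # a fresh id, not 10
        "after_fixed": after_fixed,
        "update_denied": denied(update_proposal, db, 2, 10, {"text": "x"}),
        "update_by_owner": update_proposal(db, 1, 10, {"text": "edited"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The hardened create never looks at the body for the key or the owner at all; an allow-list of writable fields is cheaper and safer than trying to strip `id` and every other column an ORM might bind. For updates, putting the owner in the WHERE clause and checking the affected-row count is the same discipline as scoping a read, and it refuses a foreign key without first revealing whether that key exists.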