CWE-639
Authorization Bypass Through User-Controlled Key
Description
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,068)
page 32 of 54

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49812 | | Med | 0.34 | 5.3 | 0.01 | | Dec 19, 2023 | Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus. This issue affects WP Photo Album Plus: from n/a through 8.5.02.005. |
| CVE-2023-3998 | | Med | 0.34 | 5.3 | 0.00 | | Oct 20, 2023 | The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of… |
| CVE-2023-3869 | | Med | 0.34 | 5.3 | 0.00 | | Oct 20, 2023 | The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the… |
| CVE-2023-3700 | — | Med | 0.34 | 6.3 | 0.00 | | Jul 17, 2023 | Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2021-36400 | | Med | 0.34 | 5.3 | 0.01 | | Mar 6, 2023 | In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. |
| CVE-2026-7573 | | Med | 0.33 | 5.0 | 0.00 | | May 6, 2026 | An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying… |
| CVE-2025-61876 | — | Med | 0.33 | 5.0 | 0.00 | | Oct 29, 2025 | Insecure Direct Object Reference (IDOR) in /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL. |
| CVE-2025-7899 | | Med | 0.32 | — | 0.00 | | Jul 22, 2025 | The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0 |
| CVE-2025-31833 | | Med | 0.32 | 4.9 | 0.00 | | Apr 1, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing job-board-light allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoard Job listing: from n/a through <= 1.2.8. |
| CVE-2026-3473 | | Med | 0.31 | 5.9 | 0.00 | | May 22, 2026 | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests… |
| CVE-2026-41949 | | Med | 0.31 | 5.9 | 0.00 | | May 18, 2026 | Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access… |
| CVE-2026-42279 | | Med | 0.31 | 5.8 | 0.00 | | May 8, 2026 | solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a… |
| CVE-2026-41372 | | Med | 0.31 | 5.8 | 0.00 | | Apr 28, 2026 | OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost… |
| CVE-2025-66286 | | Med | 0.31 | 4.7 | 0.00 | | Apr 23, 2026 | An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain… |
| CVE-2026-35670 | | Med | 0.31 | 5.9 | 0.00 | | Apr 10, 2026 | OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect… |
| CVE-2026-33946 | | Med | 0.31 | 5.9 | 0.00 | | Mar 27, 2026 | MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack… |
| CVE-2025-10493 | | Med | 0.31 | 5.3 | 0.01 | | Sep 18, 2025 | The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack… |
| CVE-2025-0670 | | Med | 0.31 | 4.7 | 0.00 | | Sep 2, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft ProKuafor allows Resource Leak Exposure. This issue affects ProKuafor: from s1.02.07 before v1.02.08. |
| CVE-2025-0640 | | Med | 0.31 | 4.7 | 0.00 | | Sep 2, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft OctoCloud allows Resource Leak Exposure. This issue affects OctoCloud: from s1.09.02 before v1.11.01. |
| CVE-2021-3964 | | Med | 0.31 | 5.9 | 0.01 | | Dec 1, 2021 | elgg is vulnerable to Authorization Bypass Through User-Controlled Key. |