VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

BaseIncompleteLikelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 41 of 54
  • CVE-2026-1291MedJun 13, 2026
    risk 0.21cvss 4.3epss 0.00

    The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated…

  • CVE-2026-53675MedJun 10, 2026
    risk 0.21cvss 4.3epss 0.00

    BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the…

  • CVE-2026-10038MedJun 6, 2026
    risk 0.21cvss 4.3epss 0.00

    The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via…

  • CVE-2026-46764MedJun 1, 2026
    risk 0.21cvss 4.3epss 0.00

    The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated…

  • CVE-2026-10154MedMay 31, 2026
    risk 0.21cvss 4.3epss 0.00

    A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to…

  • CVE-2026-41160MedMay 28, 2026
    risk 0.21cvss 4.3epss 0.00

    EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a…

  • CVE-2026-8347MedMay 22, 2026
    risk 0.21cvss 4.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog.  This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on…

  • CVE-2026-7886MedMay 21, 2026
    risk 0.21cvss 4.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly…

  • CVE-2026-7881MedMay 21, 2026
    risk 0.21cvss 4.3epss 0.00

    Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a…

  • CVE-2026-6566MedMay 20, 2026
    risk 0.21cvss 4.3epss 0.00

    The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the…

  • CVE-2026-45386MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing…

  • CVE-2026-45385MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators)…

  • CVE-2026-42456MedMay 8, 2026
    risk 0.21cvss 4.3epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the…

  • CVE-2026-42276MedMay 8, 2026
    risk 0.21cvss 4.3epss 0.00

    Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session…

  • CVE-2026-31956MedApr 24, 2026
    risk 0.21cvss 4.3epss 0.00

    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users.…

  • CVE-2026-40590MedApr 21, 2026
    risk 0.21cvss 4.3epss 0.00

    FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the…

  • CVE-2026-4330MedApr 8, 2026
    risk 0.21cvss 4.3epss 0.01

    The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id'…

  • CVE-2026-3139MedMar 31, 2026
    risk 0.21cvss 4.3epss 0.00

    The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on…

  • CVE-2026-33764MedMar 27, 2026
    risk 0.21cvss 4.3epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video.…

  • CVE-2026-1206MedMar 26, 2026
    risk 0.21cvss 4.3epss 0.00

    The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats…