VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete · Likelihood of exploit: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 45 of 54
  • CVE-2026-47716 · Low · May 26, 2026
    risk 0.13 | cvss 3.1 | epss 0.00

    Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, in affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that…

  • CVE-2026-47715 · Low · May 26, 2026
    risk 0.13 | cvss 3.1 | epss 0.00

    Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary…

  • CVE-2026-39967 · Low · May 22, 2026
    risk 0.13 | cvss 3.1 | epss 0.00

    TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign…

  • CVE-2026-29071 · Low · Mar 27, 2026
    risk 0.13 | cvss 3.1 | epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.

  • CVE-2026-45155 · Low · Jun 1, 2026
    risk 0.10 | cvss 2.6 | epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check at the API level allowed adding unknown circles by their ID directly to other circles. Since circle IDs have…

  • CVE-2026-47068 · Low · May 20, 2026
    risk 0.08 | cvss - | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/compon…

  • CVE-2026-5199 · Low · Apr 1, 2026
    risk 0.08 | cvss - | epss 0.00

    A writer role user in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster. Exploitation requires the attacker to know or guess specific victim workflow ID(s) and, for signal operations, signal names.…

  • CVE-2026-47388 · Low · Jun 5, 2026
    risk 0.07 | cvss - | epss 0.00

    Summary: A low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP `readAttachment` tool did not verify the file's ownership. Details: The MCP…

  • CVE-2020-13700 · Jun 24, 2020
    risk 0.07 | cvss - | epss 0.13

    An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as…

  • CVE-2026-47713 · Low · May 28, 2026
    risk 0.06 | cvss 2.0 | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record…

  • CVE-2024-50633 · Jan 16, 2025
    risk 0.01 | cvss - | epss 0.01

    A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users…

  • CVE-2026-54683 · Jun 18, 2026
    risk 0.00 | cvss - | epss -

    Summary: A previous advisory (CVE-2026-49463 / GHSA-qpm9-h556-mwxm) reported that any logged-in user could download any document by its identifier, and stated this was fixed in 3.0.1. For the document-content part that fix was incomplete: documents remained downloadable…

  • CVE-2026-55670 · Low · Jun 18, 2026
    risk 0.00 | cvss - | epss -

    Summary: A flaw in the user lifecycle enforcement allowed deleted users to retain their original organization/tenant association. Recreating a deleted user under a distinct organization can cause the new user instance to be incorrectly provisioned within the original…

  • CVE-2026-54324 · Jun 17, 2026
    risk 0.00 | cvss - | epss 0.00

    Summary: A cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. Impact: The notification gateway's…

  • CVE-2026-54015 · Jun 17, 2026
    risk 0.00 | cvss - | epss 0.00

    Summary: Open WebUI's prompt version-history endpoints authorize the `prompt_id` in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (`history_entry.prompt_id == prompt.id`). Three operations are affected: -…

  • CVE-2026-54009 · Jun 17, 2026
    risk 0.00 | cvss - | epss 0.00

    Summary: `POST /api/chat/completions` accepts an `image_url.url` value that, when it does NOT start with `http://`, `https://`, or `data:image/`, is interpreted as a file id and resolved against the global file table with no ownership check. An authenticated user can…

  • CVE-2026-54006 · Jun 17, 2026
    risk 0.00 | cvss - | epss 0.00

    Summary: `POST /api/v1/calendars/events/{event_id}/update` validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination `calendar_id` supplied in the request body. The model layer then persists the…

  • CVE-2026-48067 · Jun 11, 2026
    risk 0.00 | cvss - | epss 0.00

    The `recordSelectOptionsQuery()` method may be used to scope the options available in the `Select` field for `AttachAction` and `AssociateAction`. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these…

  • CVE-2026-47378 · Jun 5, 2026
    risk 0.00 | cvss - | epss 0.00

    Summary: Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction,…

  • CVE-2026-47408 · May 29, 2026
    risk 0.00 | cvss - | epss 0.00

    Summary: Type: Insecure Direct Object Reference. The `GET /workspaces/{workspace_id}/issues/{issue_id}/activity` endpoint is gated by `require_workspace_member(workspace_id)` and dispatches to `ActivityService.list_for_issue(issue_id)`, which executes `SELECT * FROM…