CWE-639
Authorization Bypass Through User-Controlled Key
Description
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,068)
page 47 of 54| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-27591 | 0.00 | — | 0.00 | Mar 11, 2026 | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions… | |||
| CVE-2026-32104 | 0.00 | — | 0.00 | Mar 11, 2026 | StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged… | |||
| CVE-2026-32103 | 0.00 | — | 0.00 | Mar 11, 2026 | StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user,… | |||
| CVE-2026-31867 | 0.00 | — | 0.00 | Mar 11, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character… | |||
| CVE-2026-31832 | 0.00 | — | 0.00 | Mar 10, 2026 | Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue… | |||
| CVE-2026-31820 | 0.00 | — | 0.00 | Mar 10, 2026 | Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by… | |||
| CVE-2026-30959 | — | 0.00 | — | 0.00 | Mar 10, 2026 | OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects… | ||
| CVE-2026-30945 | 0.00 | — | 0.00 | Mar 10, 2026 | StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user,… | |||
| CVE-2026-30944 | 0.00 | — | 0.01 | Mar 10, 2026 | StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts.… | |||
| CVE-2026-30927 | 0.00 | — | 0.00 | Mar 9, 2026 | Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses ||… | |||
| CVE-2026-30920 | — | 0.00 | — | 0.00 | Mar 9, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is… | ||
| CVE-2026-30857 | 0.00 | — | 0.00 | Mar 7, 2026 | WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge… | |||
| CVE-2026-30823 | 0.00 | — | 0.00 | Mar 7, 2026 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13. | |||
| CVE-2026-28469 | 0.00 | — | 0.00 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification… | |||
| CVE-2026-2836 | — | 0.00 | — | 0.00 | Mar 4, 2026 | A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host… | ||
| CVE-2026-27898 | 0.00 | — | 0.00 | Mar 4, 2026 | Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API… | |||
| CVE-2026-29069 | 0.00 | — | 0.00 | Mar 4, 2026 | Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation… | |||
| CVE-2026-28782 | 0.00 | — | 0.00 | Mar 4, 2026 | Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the… | |||
| CVE-2026-28781 | 0.00 | — | 0.00 | Mar 4, 2026 | Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request,… | |||
| CVE-2026-28696 | 0.00 | — | 0.00 | Mar 4, 2026 | Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is… |
- CVE-2026-27591Mar 11, 2026risk 0.00cvss —epss 0.00
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions…
- CVE-2026-32104Mar 11, 2026risk 0.00cvss —epss 0.00
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged…
- CVE-2026-32103Mar 11, 2026risk 0.00cvss —epss 0.00
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user,…
- CVE-2026-31867Mar 11, 2026risk 0.00cvss —epss 0.00
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character…
- CVE-2026-31832Mar 10, 2026risk 0.00cvss —epss 0.00
Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue…
- CVE-2026-31820Mar 10, 2026risk 0.00cvss —epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by…
- CVE-2026-30959Mar 10, 2026risk 0.00cvss —epss 0.00
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects…
- CVE-2026-30945Mar 10, 2026risk 0.00cvss —epss 0.00
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user,…
- CVE-2026-30944Mar 10, 2026risk 0.00cvss —epss 0.01
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts.…
- CVE-2026-30927Mar 9, 2026risk 0.00cvss —epss 0.00
Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses ||…
- CVE-2026-30920Mar 9, 2026risk 0.00cvss —epss 0.00
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is…
- CVE-2026-30857Mar 7, 2026risk 0.00cvss —epss 0.00
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge…
- CVE-2026-30823Mar 7, 2026risk 0.00cvss —epss 0.00
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13.
- CVE-2026-28469Mar 5, 2026risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification…
- CVE-2026-2836Mar 4, 2026risk 0.00cvss —epss 0.00
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host…
- CVE-2026-27898Mar 4, 2026risk 0.00cvss —epss 0.00
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API…
- CVE-2026-29069Mar 4, 2026risk 0.00cvss —epss 0.00
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation…
- CVE-2026-28782Mar 4, 2026risk 0.00cvss —epss 0.00
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the…
- CVE-2026-28781Mar 4, 2026risk 0.00cvss —epss 0.00
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request,…
- CVE-2026-28696Mar 4, 2026risk 0.00cvss —epss 0.00
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is…