CWE-639
Authorization Bypass Through User-Controlled Key
Description
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,068)
page 48 of 54| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-28361 | 0.00 | — | 0.00 | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has… | |||
| CVE-2026-27839 | 0.00 | — | 0.00 | Feb 26, 2026 | wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read… | |||
| CVE-2026-27838 | 0.00 | — | 0.00 | Feb 26, 2026 | wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` — no user ID is included. When a victim has previously… | |||
| CVE-2026-27835 | 0.00 | — | 0.00 | Feb 26, 2026 | wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the… | |||
| CVE-2026-26016 | 0.00 | — | 0.00 | Feb 19, 2026 | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a… | |||
| CVE-2026-25120 | 0.00 | — | 0.00 | Feb 19, 2026 | Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying… | |||
| CVE-2026-25497 | 0.00 | — | 0.00 | Feb 9, 2026 | Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to… | |||
| CVE-2026-25757 | 0.00 | — | 0.00 | Feb 6, 2026 | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and… | |||
| CVE-2026-25758 | 0.00 | — | 0.01 | Feb 6, 2026 | Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables… | |||
| CVE-2026-25574 | 0.00 | — | 0.00 | Feb 6, 2026 | Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite… | |||
| CVE-2026-1707 | 0.00 | — | 0.00 | Feb 5, 2026 | pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore… | |||
| CVE-2025-69207 | 0.00 | — | 0.00 | Feb 2, 2026 | Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the… | |||
| CVE-2026-24134 | 0.00 | — | 0.00 | Jan 27, 2026 | StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content… | |||
| CVE-2026-24740 | 0.00 | — | 0.00 | Jan 27, 2026 | Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out‑of‑scope containers (for… | |||
| CVE-2026-22589 | 0.00 | — | 0.00 | Jan 10, 2026 | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address… | |||
| CVE-2026-22588 | 0.00 | — | 0.00 | Jan 8, 2026 | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address… | |||
| CVE-2026-21447 | 0.00 | — | 0.00 | Jan 2, 2026 | Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by… | |||
| CVE-2025-69202 | 0.00 | — | 0.00 | Dec 29, 2025 | Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only… | |||
| CVE-2025-67165 | 0.00 | — | 0.00 | Dec 17, 2025 | An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges. | |||
| CVE-2025-66306 | 0.00 | — | 0.00 | Dec 1, 2025 | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not… |
- CVE-2026-28361Mar 2, 2026risk 0.00cvss —epss 0.00
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has…
- CVE-2026-27839Feb 26, 2026risk 0.00cvss —epss 0.00
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read…
- CVE-2026-27838Feb 26, 2026risk 0.00cvss —epss 0.00
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` — no user ID is included. When a victim has previously…
- CVE-2026-27835Feb 26, 2026risk 0.00cvss —epss 0.00
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the…
- CVE-2026-26016Feb 19, 2026risk 0.00cvss —epss 0.00
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a…
- CVE-2026-25120Feb 19, 2026risk 0.00cvss —epss 0.00
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying…
- CVE-2026-25497Feb 9, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to…
- CVE-2026-25757Feb 6, 2026risk 0.00cvss —epss 0.00
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and…
- CVE-2026-25758Feb 6, 2026risk 0.00cvss —epss 0.01
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables…
- CVE-2026-25574Feb 6, 2026risk 0.00cvss —epss 0.00
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite…
- CVE-2026-1707Feb 5, 2026risk 0.00cvss —epss 0.00
pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore…
- CVE-2025-69207Feb 2, 2026risk 0.00cvss —epss 0.00
Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the…
- CVE-2026-24134Jan 27, 2026risk 0.00cvss —epss 0.00
StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content…
- CVE-2026-24740Jan 27, 2026risk 0.00cvss —epss 0.00
Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out‑of‑scope containers (for…
- CVE-2026-22589Jan 10, 2026risk 0.00cvss —epss 0.00
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address…
- CVE-2026-22588Jan 8, 2026risk 0.00cvss —epss 0.00
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address…
- CVE-2026-21447Jan 2, 2026risk 0.00cvss —epss 0.00
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by…
- CVE-2025-69202Dec 29, 2025risk 0.00cvss —epss 0.00
Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only…
- CVE-2025-67165Dec 17, 2025risk 0.00cvss —epss 0.00
An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.
- CVE-2025-66306Dec 1, 2025risk 0.00cvss —epss 0.00
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not…