VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete · Likelihood of Exploit: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 9 of 54
  • CVE-2026-47266 · High · May 29, 2026
    risk 0.50 · cvss n/a · epss 0.00

    Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.

  • CVE-2026-35671 · High · May 28, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials…

  • CVE-2026-33356 · High · May 11, 2026
    risk 0.50 · cvss 7.7 · epss 0.00

    In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent…

  • CVE-2026-42205 · High · May 8, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class…

  • CVE-2026-42278 · High · May 8, 2026
    risk 0.50 · cvss n/a · epss 0.00

    UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address…

  • CVE-2026-39386 · High · Apr 21, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings,…

  • CVE-2026-5465 · High · Apr 7, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field…

  • CVE-2026-33030 · High · Mar 30, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The…

  • CVE-2026-34046 · High · Mar 27, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was…

  • CVE-2026-33735 · High · Mar 27, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database…

  • CVE-2026-4208 · High · Mar 17, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as the MFA code to the extension's MFA provider.

  • CVE-2026-1992 · High · Mar 11, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by`…

  • CVE-2025-64431 · High · Nov 7, 2025
    risk 0.50 · cvss n/a · epss 0.00

    Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to Insecure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and…

  • CVE-2025-2271 · High · Mar 13, 2025
    risk 0.50 · cvss 7.7 · epss 0.00

    A vulnerability exists in Issuetrak v17.2.2 and prior that allows a low-privileged user to access audit results of other users by exploiting an Insecure Direct Object Reference (IDOR) vulnerability in the Issuetrak audit component. The vulnerability enables unauthorized access…

  • CVE-2024-9637 · High · Oct 26, 2024
    risk 0.50 · cvss 8.8 · epss 0.00

    The School Management System – WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This is due to the plugin not properly validating a user's identity prior to updating their details like…

  • CVE-2024-8040 · High · Oct 16, 2024
    risk 0.50 · cvss 7.7 · epss 0.00

    An authorization bypass through user-controlled key vulnerability affecting 3DSwym in 3DSwymer on Release 3DEXPERIENCE R2024x allows an authenticated attacker to access some unauthorized data.

  • CVE-2024-8428 · High · Sep 6, 2024
    risk 0.50 · cvss 8.8 · epss 0.00

    The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the 'user_id' user controlled key.…

  • CVE-2023-3285 · High · Jul 9, 2024
    risk 0.50 · cvss 7.7 · epss 0.00

    A BOLA vulnerability in POST /appointments allows a low privileged user to create an appointment for any user in the system (including admin). This results in unauthorized data manipulation.

  • CVE-2026-52699 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.

  • CVE-2026-48872 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.