CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,549)
page 17 of 278| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-14272 | Hig | 0.54 | — | 0.00 | Jun 16, 2026 | A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions. | ||
| CVE-2026-44326 | Cri | 0.54 | 9.4 | 0.00 | May 27, 2026 | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete… | ||
| CVE-2026-44315 | Cri | 0.54 | 9.4 | 0.00 | May 27, 2026 | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management… | ||
| CVE-2026-35438 | Hig | 0.54 | 8.3 | 0.01 | May 12, 2026 | Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network. | ||
| CVE-2026-42613 | Cri | 0.54 | 9.4 | 0.01 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are… | ||
| CVE-2026-42569 | Cri | 0.54 | 9.4 | 0.01 | May 9, 2026 | phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6. | ||
| CVE-2026-40937 | Hig | 0.54 | 8.3 | 0.00 | Apr 22, 2026 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token),… | ||
| CVE-2026-39397 | Cri | 0.54 | 9.4 | 0.00 | Apr 7, 2026 | @delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level… | ||
| CVE-2026-33950 | Cri | 0.54 | 9.4 | 0.00 | Apr 2, 2026 | Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK… | ||
| CVE-2025-29756 | Hig | 0.54 | — | 0.00 | Jun 11, 2025 | SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user… | ||
| CVE-2025-20164 | Hig | 0.54 | 8.3 | 0.00 | May 7, 2025 | A vulnerability in the Cisco Industrial Ethernet Switch Device Manager (DM) of Cisco IOS Software could allow an authenticated, remote attacker to elevate privileges. This vulnerability is due to insufficient validation of authorizations for authenticated users. An attacker… | ||
| CVE-2025-30960 | Hig | 0.54 | 8.3 | 0.00 | Apr 16, 2025 | Missing Authorization vulnerability in fs-code FS Poster fs-poster.This issue affects FS Poster: from n/a through <= 6.5.8. | ||
| CVE-2025-26969 | Hig | 0.54 | 8.3 | 0.00 | Mar 15, 2025 | Missing Authorization vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5. | ||
| CVE-2024-56067 | Hig | 0.54 | 7.5 | 0.10 | Dec 31, 2024 | Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through <= 2.3.3. | ||
| CVE-2023-38385 | Hig | 0.54 | 8.3 | 0.00 | Dec 13, 2024 | Missing Authorization vulnerability in Artbees JupiterX Core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JupiterX Core: from 3.0.0 through 3.3.0. | ||
| CVE-2024-38744 | Hig | 0.54 | 8.3 | 0.00 | Nov 1, 2024 | Missing Authorization vulnerability in Upqode Plum: Spin Wheel & Email Pop-up allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS.This issue affects Plum: Spin Wheel & Email Pop-up: from n/a through 2.0. | ||
| CVE-2023-47783 | Hig | 0.54 | 8.3 | 0.00 | Jun 19, 2024 | Missing Authorization vulnerability in Thrive Themes Thrive Theme Builder.This issue affects Thrive Theme Builder: from n/a before 3.24.0. | ||
| CVE-2023-47771 | Hig | 0.54 | 8.3 | 0.00 | Jun 19, 2024 | Missing Authorization vulnerability in ThemePunch OHG Essential Grid.This issue affects Essential Grid: from n/a through 3.0.18. | ||
| CVE-2024-5324 | Hig | 0.54 | 8.8 | 0.02 | Jun 6, 2024 | Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level… | ||
| CVE-2024-5326 | Hig | 0.54 | 8.8 | 0.01 | May 30, 2024 | The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it… |
- risk 0.54cvss —epss 0.00
A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.
- risk 0.54cvss 9.4epss 0.00
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete…
- risk 0.54cvss 9.4epss 0.00
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management…
- risk 0.54cvss 8.3epss 0.01
Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
- risk 0.54cvss 9.4epss 0.01
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are…
- risk 0.54cvss 9.4epss 0.01
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
- risk 0.54cvss 8.3epss 0.00
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token),…
- risk 0.54cvss 9.4epss 0.00
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level…
- risk 0.54cvss 9.4epss 0.00
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK…
- risk 0.54cvss —epss 0.00
SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user…
- risk 0.54cvss 8.3epss 0.00
A vulnerability in the Cisco Industrial Ethernet Switch Device Manager (DM) of Cisco IOS Software could allow an authenticated, remote attacker to elevate privileges. This vulnerability is due to insufficient validation of authorizations for authenticated users. An attacker…
- risk 0.54cvss 8.3epss 0.00
Missing Authorization vulnerability in fs-code FS Poster fs-poster.This issue affects FS Poster: from n/a through <= 6.5.8.
- risk 0.54cvss 8.3epss 0.00
Missing Authorization vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.
- risk 0.54cvss 7.5epss 0.10
Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
- risk 0.54cvss 8.3epss 0.00
Missing Authorization vulnerability in Artbees JupiterX Core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JupiterX Core: from 3.0.0 through 3.3.0.
- risk 0.54cvss 8.3epss 0.00
Missing Authorization vulnerability in Upqode Plum: Spin Wheel & Email Pop-up allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS.This issue affects Plum: Spin Wheel & Email Pop-up: from n/a through 2.0.
- risk 0.54cvss 8.3epss 0.00
Missing Authorization vulnerability in Thrive Themes Thrive Theme Builder.This issue affects Thrive Theme Builder: from n/a before 3.24.0.
- risk 0.54cvss 8.3epss 0.00
Missing Authorization vulnerability in ThemePunch OHG Essential Grid.This issue affects Essential Grid: from n/a through 3.0.18.
- risk 0.54cvss 8.8epss 0.02
Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level…
- risk 0.54cvss 8.8epss 0.01
The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it…