CWE-862
Missing Authorization
ClassIncompleteLikelihood: High
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (4,561)
page 227 of 229| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-17807 | Low | 0.21 | 3.3 | 0.00 | Dec 20, 2017 | The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's "default request-key keyring" via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c. | |
| CVE-2017-5985 | Low | 0.21 | 3.3 | 0.00 | Mar 14, 2017 | lxc-user-nic in Linux Containers (LXC) allows local users with a lxc-usernet allocation to create network interfaces on the host and choose the name of those interfaces by leveraging lack of netns ownership check. | |
| CVE-2026-3155 | Low | 0.20 | 3.1 | 0.00 | Apr 16, 2026 | The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts. | |
| CVE-2026-4590 | Low | 0.20 | 3.1 | 0.00 | Mar 23, 2026 | A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the component loginSubmit API. Performing a manipulation of the argument third results in cross-site request forgery. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2026-3193 | Low | 0.20 | 3.1 | 0.00 | Feb 25, 2026 | A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security". | |
| CVE-2025-12817 | Low | 0.20 | 3.1 | 0.00 | Nov 13, 2025 | Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. | |
| CVE-2025-42914 | Low | 0.20 | 3.1 | 0.00 | Sep 9, 2025 | Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted. | |
| CVE-2025-42913 | Low | 0.20 | 3.1 | 0.00 | Sep 9, 2025 | Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted. | |
| CVE-2025-26655 | Low | 0.20 | 3.1 | 0.00 | Mar 11, 2025 | SAP Just In Time(JIT) does not perform necessary authorization checks for an authenticated user, allowing attacker to escalate privileges that would otherwise be restricted, potentially causing a low impact on the integrity of the application.Confidentiality and Availability are not impacted. | |
| CVE-2024-10527 | Low | 0.20 | 3.1 | 0.00 | Jan 7, 2025 | The Spacer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the motech_spacer_callback() function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view limited setting information. | |
| CVE-2023-23825 | Low | 0.20 | 3.1 | 0.00 | Dec 9, 2024 | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0. | |
| CVE-2024-3932 | Low | 0.20 | 3.1 | 0.00 | Apr 18, 2024 | A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrade the affected component. | |
| CVE-2023-22676 | Low | 0.20 | 3.1 | 0.00 | Dec 29, 2023 | Missing Authorization vulnerability in Anders Thorborg.This issue affects Anders Thorborg: from n/a through 1.4.12. | |
| CVE-2026-2900 | Low | 0.18 | 2.7 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks. | |
| CVE-2026-27769 | Low | 0.18 | 2.7 | 0.00 | Apr 15, 2026 | Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. Mattermost Advisory ID: MMSA-2026-00603 | |
| CVE-2026-4916 | Low | 0.18 | 2.7 | 0.00 | Apr 8, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization checks on member management operations. | |
| CVE-2026-4292 | Low | 0.18 | 2.7 | 0.00 | Apr 7, 2026 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue. | |
| CVE-2026-32445 | Low | 0.18 | 2.7 | 0.00 | Mar 13, 2026 | Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.35.5. | |
| CVE-2025-14270 | Low | 0.18 | 2.7 | 0.00 | Feb 19, 2026 | The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers. | |
| CVE-2026-1831 | Low | 0.18 | 2.7 | 0.00 | Feb 18, 2026 | The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin. |