VYPR

CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 49 of 278
  • CVE-2022-31167 | High | Sep 7, 2022
    risk 0.46 | cvss 7.1 | epss 0.01

    XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in…

  • CVE-2020-2091 | High | Jan 15, 2020
    risk 0.46 | cvss 8.1 | epss 0.01

    A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

  • CVE-2018-0092 | High | Jan 18, 2018
    risk 0.46 | cvss 7.1 | epss 0.00

    A vulnerability in the network-operator user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The network-operator role should not be able to delete other configured users on the device.…

  • CVE-2026-50137 | High | Jun 22, 2026
    risk 0.45 | cvss n/a | epss 0.00

    Summary: The Budibase server route `POST /api/attachments/:datasourceId/url` ([`packages/server/src/api/routes/static.ts`](https://github.com/Budibase/budibase/blob/56d2a984/packages/server/src/api/routes/static.ts)) is registered with **only** the `recaptcha` middleware.…

  • CVE-2026-54012 | High | Jun 17, 2026
    risk 0.45 | cvss n/a | epss 0.00

    Summary: Open WebUI lets a user who can create, update, or import workspace models store arbitrary `meta.knowledge` entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats `meta.knowledge` entries of type `file` as an…

  • CVE-2026-10831 | Medium | Jun 16, 2026
    risk 0.45 | cvss n/a | epss 0.00

    A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote…

  • CVE-2026-40314 | Medium | Jun 2, 2026
    risk 0.45 | cvss n/a | epss 0.00

    NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. `modules/Core/queries/reactions.php` allows unauthenticated…

  • CVE-2026-35630 | High | May 29, 2026
    risk 0.45 | cvss 8.0 | epss 0.00

    OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper…

  • CVE-2026-43639 | High | May 11, 2026
    risk 0.45 | cvss 8.0 | epss 0.01

    Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization;…

  • CVE-2025-41017 | Medium | Nov 24, 2025
    risk 0.45 | cvss n/a | epss 0.00

    Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”.

  • CVE-2025-46823 | High | May 29, 2025
    risk 0.45 | cvss n/a | epss 0.00

    openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit…

  • CVE-2025-31338 | Medium | Apr 17, 2025
    risk 0.45 | cvss n/a | epss 0.00

    A missing authorization vulnerability in the retrieve teacher Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to obtain partial user data by accessing the API functionality.

  • CVE-2024-47308 | Medium | Nov 1, 2024
    risk 0.45 | cvss 6.5 | epss 0.02

    Missing Authorization vulnerability in WPDeveloper Templately templately. This issue affects Templately: from n/a through <= 3.1.2.

  • CVE-2018-10092 | High | May 22, 2018
    risk 0.45 | cvss 8.0 | epss 0.02

    The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.

  • CVE-2026-42851 | High | Jun 12, 2026
    risk 0.44 | cvss 7.8 | epss 0.00

    Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty…

  • CVE-2026-41477 | High | Apr 24, 2026
    risk 0.44 | cvss 7.8 | epss 0.00

    Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user…

  • CVE-2026-4818 | Medium | Mar 31, 2026
    risk 0.44 | cvss 6.8 | epss 0.00

    In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which allows users without the necessary privileges to execute some management operations against data streams.

  • CVE-2026-33632 | High | Mar 26, 2026
    risk 0.44 | cvss 7.8 | epss 0.00

    ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types — ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE — were not intercepted by ClearanceKit's opfilter system…

  • CVE-2025-8886 | Medium | Oct 10, 2025
    risk 0.44 | cvss 6.7 | epss 0.00

    Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass. This…

  • CVE-2025-55038 | Medium | Sep 23, 2025
    risk 0.44 | cvss 6.8 | epss 0.00

    An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can exploit this vulnerability to read and…