CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,549)
page 6 of 278| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44592 | Cri | 0.61 | 9.4 | 0.00 | May 14, 2026 | Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The… | ||
| CVE-2025-68018 | Cri | 0.61 | 9.4 | 0.00 | Jan 22, 2026 | Missing Authorization vulnerability in StackWC Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1. | ||
| CVE-2024-54369 | Cri | 0.61 | 9.1 | 0.02 | Dec 16, 2024 | Missing Authorization vulnerability in ThemeHunk Zita Site Builder ai-site-builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Zita Site Builder: from n/a through <= 1.0.2. | ||
| CVE-2024-10673 | Hig | 0.61 | 8.8 | 0.01 | Nov 9, 2024 | The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated… | ||
| CVE-2022-0492 | Hig | 0.61 | 7.8 | 0.06 | KEV | Mar 3, 2022 | A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation… | |
| CVE-2026-44125 | Cri | 0.60 | — | 0.00 | May 8, 2026 | SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session. | ||
| CVE-2026-5387 | — | Cri | 0.60 | — | 0.00 | Apr 15, 2026 | The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters,… | |
| CVE-2025-2407 | Cri | 0.60 | — | 0.00 | May 27, 2025 | Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries to unrestricted access via the network. The vulnerability is fixed in Version 1.5. | ||
| CVE-2024-8074 | Cri | 0.60 | — | 0.00 | Nov 12, 2024 | Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. This issue affects Nomysem: before 13.10.2024. | ||
| CVE-2024-10674 | Hig | 0.60 | 8.8 | 0.02 | Nov 9, 2024 | The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated… | ||
| CVE-2024-2882 | Cri | 0.60 | — | 0.01 | Jun 27, 2024 | SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system. | ||
| CVE-2024-4351 | Hig | 0.60 | 8.8 | 0.01 | May 16, 2024 | The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated… | ||
| CVE-2017-5180 | Hig | 0.60 | 8.8 | 0.01 | Feb 9, 2017 | Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the… | ||
| CVE-2026-48881 | Cri | 0.59 | 9.1 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions. | ||
| CVE-2026-45550 | Cri | 0.59 | 9.1 | 0.00 | Jun 10, 2026 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group,… | ||
| CVE-2026-42682 | Cri | 0.59 | 9.1 | 0.00 | Jun 1, 2026 | Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6. | ||
| CVE-2026-47429 | cri | 0.59 | — | 0.00 | Jun 1, 2026 | ### Summary Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network. ### Impact Only users that match either of the following conditions are affected: - explicitly exposes the Vitest UI server to the network (using… | ||
| CVE-2026-4290 | Cri | 0.59 | 9.1 | 0.00 | May 29, 2026 | The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and… | ||
| CVE-2026-6512 | Cri | 0.59 | 9.1 | 0.00 | May 14, 2026 | The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to… | ||
| CVE-2026-31242 | — | Cri | 0.59 | 9.1 | 0.00 | May 12, 2026 | The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE… |
- risk 0.61cvss 9.4epss 0.00
Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The…
- risk 0.61cvss 9.4epss 0.00
Missing Authorization vulnerability in StackWC Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1.
- risk 0.61cvss 9.1epss 0.02
Missing Authorization vulnerability in ThemeHunk Zita Site Builder ai-site-builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Zita Site Builder: from n/a through <= 1.0.2.
- risk 0.61cvss 8.8epss 0.01
The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated…
- risk 0.61cvss 7.8epss 0.06
A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation…
- risk 0.60cvss —epss 0.00
SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session.
- risk 0.60cvss —epss 0.00
The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters,…
- risk 0.60cvss —epss 0.00
Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries to unrestricted access via the network. The vulnerability is fixed in Version 1.5.
- risk 0.60cvss —epss 0.00
Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. This issue affects Nomysem: before 13.10.2024.
- risk 0.60cvss 8.8epss 0.02
The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated…
- risk 0.60cvss —epss 0.01
SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.
- risk 0.60cvss 8.8epss 0.01
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated…
- risk 0.60cvss 8.8epss 0.01
Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the…
- risk 0.59cvss 9.1epss 0.00
Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.
- risk 0.59cvss 9.1epss 0.00
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group,…
- risk 0.59cvss 9.1epss 0.00
Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6.
- risk 0.59cvss —epss 0.00
### Summary Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network. ### Impact Only users that match either of the following conditions are affected: - explicitly exposes the Vitest UI server to the network (using…
- risk 0.59cvss 9.1epss 0.00
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and…
- risk 0.59cvss 9.1epss 0.00
The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to…
- risk 0.59cvss 9.1epss 0.00
The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE…