VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 87 of 278
  • CVE-2020-36715HigJun 7, 2023
    risk 0.41cvss 7.4epss 0.01

    The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin…

  • CVE-2020-36670MedMar 7, 2023
    risk 0.41cvss 6.3epss 0.01

    The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level…

  • CVE-2023-22478HigJan 14, 2023
    risk 0.41cvss 7.3epss 0.04

    KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.

  • CVE-2022-2696MedNov 3, 2022
    risk 0.41cvss 6.3epss 0.01

    The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to authorization bypass via several AJAX actions in versions up to, and including 2.3.0 due to missing capability checks and missing nonce validation. This makes it possible for…

  • CVE-2020-7692HigJul 9, 2020
    risk 0.41cvss 7.4epss 0.02

    PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that…

  • CVE-2026-53816HigJun 11, 2026
    risk 0.40cvss 7.2epss 0.00

    OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to…

  • CVE-2026-47343HigJun 9, 2026
    risk 0.40cvss epss 0.00

    Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0…

  • CVE-2026-42071HigMay 28, 2026
    risk 0.40cvss epss 0.00

    Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via…

  • CVE-2026-44320HigMay 27, 2026
    risk 0.40cvss 7.3epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to…

  • CVE-2026-31266HigMay 27, 2026
    risk 0.40cvss 7.3epss 0.00

    Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate).

  • CVE-2026-44567HigMay 15, 2026
    risk 0.40cvss 7.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the…

  • CVE-2026-45395HigMay 15, 2026
    risk 0.40cvss 7.2epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This…

  • CVE-2026-41342HigApr 23, 2026
    risk 0.40cvss 7.3epss 0.00

    OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious…

  • CVE-2026-40117MedApr 9, 2026
    risk 0.40cvss 6.2epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement,…

  • CVE-2026-0845HigFeb 10, 2026
    risk 0.40cvss 7.2epss 0.00

    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the…

  • CVE-2025-14657HigJan 9, 2026
    risk 0.40cvss 7.2epss 0.00

    The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it…

  • CVE-2025-15066MedDec 29, 2025
    risk 0.40cvss 6.2epss 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Missing Authorization vulnerability in Innorix WP allows Path Traversal.This issue affects Innorix WP from All versions If the "exam" directory exists under the directory where the product is…

  • CVE-2025-8887MedOct 10, 2025
    risk 0.40cvss 6.1epss 0.00

    Authorization Bypass Through User-Controlled Key, Missing Authorization, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Forceful Browsing, Parameter Injection, Input Data Manipulation. This issue…

  • CVE-2025-59416HigSep 17, 2025
    risk 0.40cvss epss 0.00

    The Scratch Channel is a news website. If the user makes a fork, they can change the admins and make an article. Since the API uses a POST request, it will make an article. This issue is fixed in v1.2.

  • CVE-2025-57817HigSep 8, 2025
    risk 0.40cvss 7.2epss 0.00

    Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update`…