VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 90 of 278
  • CVE-2019-0201MedMay 23, 2019
    risk 0.39cvss 5.9epss 0.10

    An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string.…

  • CVE-2017-7677MedJun 14, 2017
    risk 0.39cvss 5.9epss 0.03

    In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table.

  • CVE-2026-52812higJun 23, 2026
    risk 0.38cvss epss 0.00

    Summary Git LFS storage is content-addressed by OID alone (`/<oid[0]>/<oid[1]>/`) but per-repo authorization lives in the `lfs_object` table keyed `(repo_id, oid)`. `serveUpload` skips re-uploading when the OID file already exists on disk and inserts a new…

  • CVE-2026-52799higJun 22, 2026
    risk 0.38cvss epss 0.00

    ## Summary In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed…

  • CVE-2026-54695higJun 18, 2026
    risk 0.38cvss epss

    ## Development Runner Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID ### Summary The pipecat development runner registers a `/ws` WebSocket endpoint for telephony testing that accepts connections without any authentication. An…

  • CVE-2026-54005higJun 18, 2026
    risk 0.38cvss epss

    ### TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of…

  • CVE-2026-54010higJun 17, 2026
    risk 0.38cvss epss 0.00

    ## Summary Open WebUI `v0.9.5` lets an authenticated user attach arbitrary `file_id` values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, `has_access_to_file()`…

  • CVE-2026-54322higJun 16, 2026
    risk 0.38cvss epss 0.00

    ### Summary Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An…

  • CVE-2026-52714MedJun 16, 2026
    risk 0.38cvss 5.9epss 0.00

    Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions.

  • CVE-2026-50026MedJun 12, 2026
    risk 0.38cvss epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

  • CVE-2026-47412higJun 1, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Authorization bypass enabling destructive action. The `DELETE /workspaces/{workspace_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`). Any member of the workspace can issue a single DELETE to wipe the…

  • CVE-2026-47409higMay 29, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Authorization bypass enabling owner lockout. The `DELETE /workspaces/{workspace_id}/members/{user_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`). Any member can remove any other member, including the…

  • CVE-2026-47405higMay 29, 2026
    risk 0.38cvss epss 0.00

    ### Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to `owner`. The issue is caused by privileged workspace-management routes using the shared dependency…

  • CVE-2026-48169higMay 29, 2026
    risk 0.38cvss epss 0.00

    ### Summary The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and…

  • CVE-2026-47394higMay 29, 2026
    risk 0.38cvss epss 0.00

    ## Summary The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in `mcp_server/adapters/cli_tools.py`: > "registers four file-handling tools by default, `praisonai.rules.create`,…

  • CVE-2026-0246MedMay 13, 2026
    risk 0.38cvss epss 0.00

    A vulnerability with a privilege management mechanism in the Palo Alto Networks Prisma Access Agent® enables a locally authenticated non-administrative user to escalate their privileges to root on macOS and Linux or NT AUTHORITY\SYSTEM on Windows. This allows the user to…

  • CVE-2026-27344MedMar 5, 2026
    risk 0.38cvss 5.9epss 0.00

    Missing Authorization vulnerability in inseriswiss inseri core inseri-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects inseri core: from n/a through <= 1.0.5.

  • CVE-2025-67970MedFeb 20, 2026
    risk 0.38cvss 5.9epss 0.00

    Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through <= 1.0.

  • CVE-2026-0829MedFeb 17, 2026
    risk 0.38cvss 5.8epss 0.01

    The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess…

  • CVE-2025-13391MedFeb 11, 2026
    risk 0.38cvss 5.8epss 0.00

    The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This…