VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 93 of 278
  • CVE-2026-40782MedJun 15, 2026
    risk 0.35cvss 6.5epss 0.00

    Unauthenticated Broken Access Control in WPAdverts <= 2.3.0 versions.

  • CVE-2026-53815MedJun 11, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature,…

  • CVE-2023-25969MedJun 11, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through 1.8.4.

  • CVE-2022-45813MedJun 11, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in BeRocket Advanced AJAX Product Filters allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced AJAX Product Filters: from n/a through 1.6.3.3.

  • CVE-2022-42479MedJun 11, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in TemplateHouse Soledad allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Soledad: from n/a through 8.2.5.

  • CVE-2026-49956MedJun 9, 2026
    risk 0.35cvss 6.5epss 0.00

    Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions…

  • CVE-2026-27351MedJun 2, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crew HRM: from n/a through 1.2.2.

  • CVE-2026-45285MedJun 1, 2026
    risk 0.35cvss 6.4epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a…

  • CVE-2026-45267MedJun 1, 2026
    risk 0.35cvss 6.5epss 0.00

    Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6.

  • CVE-2026-42671MedJun 1, 2026
    risk 0.35cvss 6.5epss 0.00

    Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GeoDirectory: from n/a through 2.8.157.

  • CVE-2026-47745MedMay 29, 2026
    risk 0.35cvss 6.5epss 0.00

    Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the…

  • CVE-2026-47742MedMay 29, 2026
    risk 0.35cvss 6.5epss 0.00

    Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any…

  • CVE-2026-44884MedMay 28, 2026
    risk 0.35cvss 6.5epss 0.00

    Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template…

  • CVE-2026-32389MedMay 25, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NanoCare: from n/a before 1.2.2.

  • CVE-2026-24586MedMay 25, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in Themeansar Newses allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newses: from n/a through 2.0.0.77.

  • CVE-2026-9251MedMay 22, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects…

  • CVE-2026-8381MedMay 22, 2026
    risk 0.35cvss 5.4epss 0.00

    A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources…

  • CVE-2026-8096MedMay 19, 2026
    risk 0.35cvss 6.5epss 0.00

    The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes…

  • CVE-2026-5163MedMay 18, 2026
    risk 0.35cvss 6.5epss 0.00

    Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to…

  • CVE-2026-1631MedMay 18, 2026
    risk 0.35cvss 5.4epss 0.00

    The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing…