CWE-863
Incorrect Authorization
ClassIncompleteLikelihood: High
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (586)
page 1 of 30| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-6782 | Cri | 0.67 | 9.8 | 0.94 | Aug 6, 2024 | Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution. | |
| CVE-2026-42160 | Cri | 0.65 | — | 0.00 | May 8, 2026 | Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2. | |
| CVE-2026-33105 | Cri | 0.65 | 10.0 | 0.00 | Apr 3, 2026 | Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-32213 | Cri | 0.65 | 10.0 | 0.00 | Apr 3, 2026 | Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2025-49825 | Cri | 0.65 | 9.8 | 0.18 | Jun 17, 2025 | Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch. | |
| CVE-2023-4617 | Cri | 0.65 | 10.0 | 0.01 | Dec 19, 2024 | Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9. | |
| CVE-2026-43999 | Cri | 0.64 | 9.9 | 0.00 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0. | |
| CVE-2026-41050 | Cri | 0.64 | 9.9 | 0.00 | May 13, 2026 | Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`. | |
| CVE-2026-43948 | Cri | 0.64 | 9.9 | 0.00 | May 12, 2026 | wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None). A user with gym.manage_gym permission and gym=None can reset the password of any other gym=None user; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently. This vulnerability is fixed in 2.6. | |
| CVE-2026-25660 | Cri | 0.64 | 9.8 | 0.00 | Apr 24, 2026 | CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3. | |
| CVE-2026-32924 | Cri | 0.64 | 9.8 | 0.00 | Mar 29, 2026 | OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group chat reaction-derived events. | |
| CVE-2020-36948 | Cri | 0.64 | 9.8 | 0.00 | Jan 27, 2026 | VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions. | |
| CVE-2019-25237 | Cri | 0.64 | 9.8 | 0.00 | Dec 24, 2025 | V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod' set to integer value '1' to elevate their privileges. | |
| CVE-2025-24233 | Cri | 0.64 | 9.8 | 0.00 | Mar 31, 2025 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A malicious app may be able to read or write to protected files. | |
| CVE-2024-31695 | Cri | 0.64 | 9.8 | 0.00 | Nov 14, 2024 | A misconfiguration in the fingerprint authentication mechanism of Binance: BTC, Crypto and NFTS v2.85.4, allows attackers to bypass authentication when adding a new fingerprint. | |
| CVE-2024-48784 | Cri | 0.64 | 9.8 | 0.01 | Oct 11, 2024 | An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process. | |
| CVE-2024-4447 | Cri | 0.64 | 9.9 | 0.00 | Jul 26, 2024 | In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS This was the original found by researcher Zakaria Agharghar. 2. Later, on October 20, 2025, another researcher (Chris O’Neill) found additional affected DWR Endpoints that are vulnerable to Information Disclosure, namely and in addition to the original found of "UserSessionAjax.getSessionList.dwr - Session ID exposure": * UserAjax.getUsersList.dwr - Enumerate all users with IDs, names, emails * RoleAjax.getUserRole.dwr - Get user role information * RoleAjax.getRole.dwr - Get role details * RoleAjax.getRolePermissions.dwr - View role permissions * RoleAjax.isPermissionableInheriting.dwr - Check permission inheritance * RoleAjax.getCurrentCascadePermissionsJobs.dwr - View permission cascade jobs * ThreadMonitorTool.getThreads.dwr - Monitor system threads; and, * CRITICAL - Privilege Escalation: RoleAjax.saveRolePermission.dwr - Modify role permissions Overall CVSS for the above findings: * CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L * Score: 9.1 (Critical) | |
| CVE-2024-31682 | Cri | 0.64 | 9.8 | 0.00 | Jun 3, 2024 | Incorrect access control in the fingerprint authentication mechanism of Phone Cleaner: Boost & Clean v2.2.0 allows attackers to bypass fingerprint authentication due to the use of a deprecated API. | |
| CVE-2024-28394 | Cri | 0.64 | 9.8 | 0.02 | Mar 19, 2024 | An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module. | |
| CVE-2017-17067 | Cri | 0.64 | 9.8 | 0.03 | Nov 30, 2017 | Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and 6.3.x before 6.3.12, when the SAML authType is enabled, mishandles SAML, which allows remote attackers to bypass intended access restrictions or conduct impersonation attacks. |