VYPR

CWE-863

Incorrect Authorization

Abstraction: Class
Status: Incomplete
Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 12 of 77
  • CVE-2026-42889 (Critical, May 12, 2026)
    risk 0.52, cvss 9.1, epss 0.00

    Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated…

  • CVE-2026-42571 (Critical, May 9, 2026)
    risk 0.52, cvss not listed, epss 0.00

    Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack…

  • CVE-2026-43566 (Critical, May 5, 2026)
    risk 0.52, cvss 9.1, epss 0.00

    OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like…

  • CVE-2026-5712 (High, Apr 29, 2026)
    risk 0.52, cvss 8.0, epss 0.00

    This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.

  • CVE-2026-6290 (High, Apr 15, 2026)
    risk 0.52, cvss 8.0, epss 0.00

    Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries…

  • CVE-2026-35029 (High, Apr 6, 2026)
    risk 0.52, cvss 8.8, epss 0.26

    LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy…

  • CVE-2026-34953 (Critical, Apr 3, 2026)
    risk 0.52, cvss 9.1, epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated,…

  • CVE-2026-34532 (Critical, Mar 31, 2026)
    risk 0.52, cvss 9.1, epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the…

  • CVE-2025-55205 (Critical, Aug 18, 2025)
    risk 0.52, cvss 9.0, epss 0.00

    Capsule is a multi-tenancy and policy-based framework for Kubernetes. A namespace label injection vulnerability in Capsule v0.10.3 and earlier allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing…

  • CVE-2024-45160 (Critical, Oct 9, 2024)
    risk 0.52, cvss 9.1, epss 0.01

    Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).

  • CVE-2024-44667 (High, Sep 10, 2024)
    risk 0.52, cvss 8.0, epss 0.01

    Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to Incorrect Access Control. Unauthenticated factory mode reset and command injection leads to information exposure and root shell access.

  • CVE-2024-35187 (Critical, May 16, 2024)
    risk 0.52, cvss 9.1, epss 0.01

    Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, attackers who achieved Arbitrary Code Execution as the stalwart-mail user (including web interface admins) can gain complete root access to the system. Usually, system services are run as a separate user…

  • CVE-2024-2378 (High, Apr 30, 2024)
    risk 0.52, cvss 8.0, epss 0.00

    A vulnerability exists in the web-authentication component of the SDM600. If exploited, an attacker could escalate privileges on affected installations.

  • CVE-2023-46244 (Critical, Nov 7, 2023)
    risk 0.52, cvss 9.1, epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to write a script in which any velocity content is executed with the right of any other document content author. Since this API…

  • CVE-2023-23947 (Critical, Feb 16, 2023)
    risk 0.52, cvss 9.1, epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one…

  • CVE-2022-47408 (Critical, Dec 14, 2022)
    risk 0.52, cvss 9.1, epss 0.01

    An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. There is a CAPTCHA bypass that can lead to subscribing many people.

  • CVE-2022-39322 (Critical, Oct 25, 2022)
    risk 0.52, cvss 9.1, epss 0.01

    @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their…

  • CVE-2022-35924 (Critical, Aug 2, 2022)
    risk 0.52, cvss 9.1, epss 0.01

    NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of…

  • CVE-2022-0860 (Critical, Mar 11, 2022)
    risk 0.52, cvss 9.1, epss 0.02

    Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.

  • CVE-2021-38598 (Critical, Aug 23, 2021)
    risk 0.52, cvss 9.1, epss 0.01

    OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to…