VYPR

CWE-863

Incorrect Authorization

Abstraction: Class  Status: Incomplete  Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
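The most common shape of this weakness in the entries below is a check that inspects the caller's role but not the relationship between the caller and the specific record (an "edit own" permission treated as a global one, or a record id taken from the request without confirming ownership). The following Python sketch is an added illustration, not code from CWE or from any product listed on this page; the user, contact and permission names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class User:
    user_id: int
    perms: FrozenSet[str]  # e.g. {"contact:editown"} or {"contact:edit"} (hypothetical names)


@dataclass(frozen=True)
class Contact:
    contact_id: int
    owner_id: int


# Constructed sample data: three users and two records, not taken from any listed product.
ALICE = User(1, frozenset({"contact:editown"}))
BOB = User(2, frozenset({"contact:editown"}))
ADMIN = User(3, frozenset({"contact:edit"}))
CONTACTS: Dict[int, Contact] = {
    10: Contact(10, owner_id=ALICE.user_id),
    11: Contact(11, owner_id=BOB.user_id),
}


def can_edit_vulnerable(user: User, contact: Contact) -> bool:
    """A check is performed, but only on the role. The "own" scope is never
    compared against the record, so editown behaves exactly like a global edit."""
    return "contact:edit" in user.perms or "contact:editown" in user.perms


def can_edit_fixed(user: User, contact: Contact) -> bool:
    """Global permission grants everything; the owner-scoped permission is
    honoured only when the loaded record actually belongs to the caller."""
    if "contact:edit" in user.perms:
        return True
    if "contact:editown" in user.perms:
        return contact.owner_id == user.user_id
    return False


Check = Callable[[User, Contact], bool]


def edit_contact(user: User, contact_id: int, check: Check) -> str:
    """Request handler. The contact id is a user-controlled key, so the decision
    is made on the record loaded from storage, never on anything the client
    claims about it."""
    contact = CONTACTS.get(contact_id)
    if contact is None:
        raise LookupError(f"contact {contact_id} not found")
    if not check(user, contact):
        raise PermissionError(f"user {user.user_id} may not edit contact {contact_id}")
    return f"contact {contact_id} edited by user {user.user_id}"


def exercise() -> Dict[Tuple[str, int, int], bool]:
    """Run both checks over the same requests; True means the edit went through."""
    results: Dict[Tuple[str, int, int], bool] = {}
    for name, check in (("vulnerable", can_edit_vulnerable), ("fixed", can_edit_fixed)):
        for user, cid in ((ALICE, 10), (BOB, 10), (ADMIN, 11)):
            try:
                edit_contact(user, cid, check)
                results[(name, user.user_id, cid)] = True
            except PermissionError:
                results[(name, user.user_id, cid)] = False
    return results


if __name__ == "__main__":
    for key, allowed in exercise().items():
        print(key, "allowed" if allowed else "denied")
```

The point of the `exercise` table is the `("vulnerable", 2, 10)` row: Bob holds only an owner-scoped permission yet edits Alice's record, which is exactly the gap the fixed check closes by comparing `owner_id` on the loaded object.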

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 20 of 77
  • CVE-2025-48881  High  May 30, 2025
    risk 0.47  cvss 8.3  epss 0.00

    Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by…

  • CVE-2023-50732  High  Dec 21, 2023
    risk 0.47  cvss 8.3  epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.

  • CVE-2022-4811  High  Dec 28, 2022
    risk 0.47  cvss 8.3  epss 0.01

    Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos. This issue affects usememos/memos before 0.9.1.

  • CVE-2021-33335  High  Aug 3, 2021
    risk 0.47  cvss 7.2  epss 0.01

    Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the…

  • CVE-2026-53855  High  Jun 16, 2026
    risk 0.46  cvss 8.1  epss 0.00

    OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell…

  • CVE-2026-34023  High  Jun 15, 2026
    risk 0.46  cvss (not listed)  epss 0.00

    The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can…

  • CVE-2026-53721  High  Jun 12, 2026
    risk 0.46  cvss 8.2  epss 0.00

    Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in…

  • CVE-2026-47195  High  Jun 12, 2026
    risk 0.46  cvss (not listed)  epss 0.00

    Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level…

  • CVE-2026-44654  High  Jun 2, 2026
    risk 0.46  cvss 8.1  epss 0.00

    LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally…

  • CVE-2026-9808  High  May 29, 2026
    risk 0.46  cvss 7.1  epss 0.00

    An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated…

  • CVE-2026-44882  High  May 28, 2026
    risk 0.46  cvss 8.1  epss 0.00

    Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware…

  • CVE-2026-45042  High  May 28, 2026
    risk 0.46  cvss (not listed)  epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation…

  • CVE-2026-48064  High  May 27, 2026
    risk 0.46  cvss 8.1  epss 0.00

    pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with deny_remote=false in pam_usb (commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local…

  • CVE-2026-48152  High  May 27, 2026
    risk 0.46  cvss 8.1  epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE…

  • CVE-2026-44838  High  May 27, 2026
    risk 0.46  cvss 8.1  epss 0.00

    RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client_id}-sensors$ to restrict user access to…

  • CVE-2026-42280  High  May 27, 2026
    risk 0.46  cvss 7.1  epss 0.00

    Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is…

  • CVE-2026-32991  High  May 13, 2026
    risk 0.46  cvss 7.1  epss 0.00

    Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

  • CVE-2026-43913  High  May 11, 2026
    risk 0.46  cvss 8.1  epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from…

  • CVE-2026-42296  High  May 9, 2026
    risk 0.46  cvss 8.1  epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts,…

  • CVE-2026-39852  High  May 5, 2026
    risk 0.46  cvss 8.2  epss 0.00

    Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged…
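Two of the entries above (the Nuxt case-sensitivity mismatch between vue-router and the routeRules matcher, and the Quarkus path normalization inconsistency between the security layer and the routing layer) share one shape: the authorization rule is evaluated against one representation of the request path while the router dispatches on another, and every transformation the router applies that the rule does not becomes a bypass. The Python sketch below is an added example that is not code from Nuxt, Quarkus or any other listed project; the route table, the rule table and the set of path normalizations are hypothetical, and the probe paths are constructed.

```python
import posixpath
import re
from typing import Callable, Dict, Set
from urllib.parse import unquote

# Constructed route table and access rule (hypothetical, not any listed project's).
ROUTES = {"/admin": "admin_dashboard", "/profile": "profile"}
RULES = {"/admin": "admin"}  # path prefix -> role required to reach it


def route_key(path: str) -> str:
    """The form the (hypothetical) router matches on: percent-decoded, slash
    runs collapsed, dot-segments resolved, case-folded."""
    p = unquote(path)                   # '/%61dmin' -> '/admin'
    p = re.sub(r"/+", "/", p)           # '//admin'  -> '/admin' (normpath alone keeps '//')
    p = posixpath.normpath(p)           # '/x/../admin', '/./admin' -> '/admin'
    if not p.startswith("/"):
        p = "/" + p
    return p.lower()                    # '/Admin' -> '/admin'


def dispatch(key: str) -> str:
    """Routing layer: exact segment match on the canonical key."""
    for prefix, handler in ROUTES.items():
        if key == prefix or key.startswith(prefix + "/"):
            return handler
    return "not_found"


def authorize_raw(raw_path: str, roles: Set[str]) -> bool:
    """Security layer evaluated on the raw request path. It sees a different
    string than the router, so it and the router disagree on what '/admin' is."""
    for prefix, role in RULES.items():
        if raw_path == prefix or raw_path.startswith(prefix + "/"):
            return role in roles
    return True  # no rule matched: unrestricted


def authorize_canonical(raw_path: str, roles: Set[str]) -> bool:
    """Same rule, but evaluated on the exact key the router will dispatch on."""
    key = route_key(raw_path)
    for prefix, role in RULES.items():
        if key == prefix or key.startswith(prefix + "/"):
            return role in roles
    return True


Authorizer = Callable[[str, Set[str]], bool]


def handle(raw_path: str, roles: Set[str], authorize: Authorizer) -> str:
    """Pipeline: security layer first, then routing on the canonical key."""
    if not authorize(raw_path, roles):
        return "403"
    return dispatch(route_key(raw_path))


# Constructed probes an unprivileged caller might send; only the first is the literal path.
PROBES = ["/admin", "/Admin", "//admin", "/%61dmin", "/x/../admin", "/./admin", "/adminx"]


def run(authorize: Authorizer) -> Dict[str, str]:
    """Send every probe as a caller holding only the 'user' role."""
    return {p: handle(p, {"user"}, authorize) for p in PROBES}


if __name__ == "__main__":
    for name, auth in (("raw", authorize_raw), ("canonical", authorize_canonical)):
        for probe, outcome in run(auth).items():
            print(f"{name:9} {probe:12} -> {outcome}")
```

With `authorize_raw`, only the literal `/admin` is refused; every other probe reaches `admin_dashboard` because the rule never saw the path the router actually used. `authorize_canonical` fixes this by normalizing once and feeding the same key to both layers, which is the general remedy: derive the decision from the value the dispatcher consumes, not from the bytes on the wire.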