VYPR

CWE-863

Incorrect Authorization

ClassIncompleteLikelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 23 of 77
  • CVE-2026-35604HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully…

  • CVE-2026-35442HigApr 6, 2026
    risk 0.46cvss 8.1epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy,…

  • CVE-2026-32726HigMar 31, 2026
    risk 0.46cvss 8.1epss 0.00

    SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested…

  • CVE-2026-33577HigMar 31, 2026
    risk 0.46cvss 8.1epss 0.00

    OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend…

  • CVE-2026-25741HigFeb 26, 2026
    risk 0.46cvss 7.1epss 0.00

    Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe…

  • CVE-2025-68476HigDec 22, 2025
    risk 0.46cvss epss 0.00

    KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault…

  • CVE-2025-58052HigDec 19, 2025
    risk 0.46cvss 8.1epss 0.00

    Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since…

  • CVE-2025-61830HigNov 11, 2025
    risk 0.46cvss 7.1epss 0.00

    Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a…

  • CVE-2025-62506HigOct 16, 2025
    risk 0.46cvss 8.1epss 0.01

    MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy…

  • CVE-2025-52890HigJun 25, 2025
    risk 0.46cvss 8.1epss 0.00

    Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and…

  • CVE-2025-1416HigMay 21, 2025
    risk 0.46cvss epss 0.00

    In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which might be obtained by…

  • CVE-2024-45106HigDec 3, 2024
    risk 0.46cvss 8.1epss 0.01

    Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: * ozone.s3g.secret.http.enabled is set to true. The default value of…

  • CVE-2024-47183HigOct 4, 2024
    risk 0.46cvss 8.1epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the…

  • CVE-2024-41964HigAug 29, 2024
    risk 0.46cvss 8.1epss 0.00

    Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not…

  • CVE-2024-37300HigJun 12, 2024
    risk 0.46cvss 8.1epss 0.00

    OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub…

  • CVE-2024-31452HigApr 16, 2024
    risk 0.46cvss 8.1epss 0.01

    OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`)…

  • CVE-2024-27933HigMar 21, 2024
    risk 0.46cvss 8.2epss 0.02

    Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission…

  • CVE-2023-22480HigJan 14, 2023
    risk 0.46cvss 7.3epss 0.67

    KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This…

  • CVE-2022-23451HigSep 6, 2022
    risk 0.46cvss 8.1epss 0.01

    An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete…

  • CVE-2022-31107HigJul 15, 2022
    risk 0.46cvss 7.1epss 0.02

    Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take…