VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
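The one-line description covers a broad family of bugs, so here is a concrete shape of it in code. This is an added example, not code from any project on this page; it models the allowlist-drift pattern in the pyLoad entries further down the list, where an authorization check exists but is keyed on option names that no longer match the real configuration schema. Every name in it (Role, CONFIG_SCHEMA, ADMIN_ONLY_OPTIONS, set_config_value_*) is hypothetical, and the configuration values are constructed.

```python
from enum import Enum


class Role(Enum):
    USER = "user"
    ADMIN = "admin"


class Forbidden(Exception):
    """Raised when the caller's role does not permit the operation."""


# Constructed configuration schema: the option names the server actually reads.
CONFIG_SCHEMA = {
    "download_dir": "/srv/downloads",
    "max_speed": 0,
    "ssl_certfile": "/etc/app/cert.pem",
    "ssl_keyfile": "/etc/app/key.pem",
}

# Vulnerable allowlist: hand-maintained and never reconciled with the schema.
# "ssl_cert"/"ssl_key" are not real option names, so the gate below protects
# nothing that exists while the real TLS options stay writable by any user.
ADMIN_ONLY_OPTIONS_STALE = {"ssl_cert", "ssl_key"}


def set_config_value_vulnerable(role, option, value, config):
    """The authorization check runs, but is keyed on the wrong names (CWE-863)."""
    if option in ADMIN_ONLY_OPTIONS_STALE and role is not Role.ADMIN:
        raise Forbidden(option)
    config[option] = value
    return config


# Hardened allowlist, using the schema's real names.
ADMIN_ONLY_OPTIONS = {"ssl_certfile", "ssl_keyfile"}


def allowlist_drift(admin_only, schema):
    """Return gated names that do not exist in the schema (empty set == consistent)."""
    return set(admin_only) - set(schema)


def validate_allowlist(admin_only, schema):
    """Fail at startup if the allowlist references options the schema lacks."""
    unknown = allowlist_drift(admin_only, schema)
    if unknown:
        raise ValueError(f"admin-only allowlist names unknown options: {sorted(unknown)}")
    return True


# Run the consistency check at import time so drift breaks the build, not the gate.
validate_allowlist(ADMIN_ONLY_OPTIONS, CONFIG_SCHEMA)


def set_config_value_fixed(role, option, value, config):
    """Deny unknown options outright; gate sensitive ones on the caller's role."""
    if option not in CONFIG_SCHEMA:
        raise Forbidden(f"unknown option {option!r}")
    if option in ADMIN_ONLY_OPTIONS and role is not Role.ADMIN:
        raise Forbidden(option)
    config[option] = value
    return config


def _denied(fn, *args):
    """True if fn(*args) raised Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def demo():
    """Exercise both gates as a non-admin user trying to repoint the TLS key."""
    attack = (Role.USER, "ssl_keyfile", "/tmp/attacker.pem")
    return {
        # The stale gate never fires for the real option name ...
        "vulnerable_denied_real_option": _denied(set_config_value_vulnerable, *attack, dict(CONFIG_SCHEMA)),
        # ... but does fire for a name that does not exist at all.
        "vulnerable_denied_phantom_option": _denied(set_config_value_vulnerable, Role.USER, "ssl_cert", "x", dict(CONFIG_SCHEMA)),
        "fixed_denied_real_option": _denied(set_config_value_fixed, *attack, dict(CONFIG_SCHEMA)),
        "fixed_allows_admin": not _denied(set_config_value_fixed, Role.ADMIN, "ssl_keyfile", "/etc/app/new.pem", dict(CONFIG_SCHEMA)),
        "fixed_allows_user_benign": not _denied(set_config_value_fixed, Role.USER, "max_speed", 100, dict(CONFIG_SCHEMA)),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the vulnerable path is that a test suite which only checks "non-admin cannot set ssl_cert" would pass: the check is present and fires, just on a name nobody uses. The hardened version makes two changes: it derives denials from the real schema (unknown options are refused rather than written), and it asserts at import time that every gated name exists, so a rename turns into a startup failure instead of a silent authorization hole.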

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 24 of 77
  • CVE-2022-24721 | High | Mar 15, 2022
    risk 0.46 | cvss 8.1 | epss 0.01

    CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a…

  • CVE-2019-11247 | High | Aug 29, 2019
    risk 0.46 | cvss 8.1 | epss 0.02

    The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning…

  • CVE-2017-15091 | High | Jan 23, 2018
    risk 0.46 | cvss 7.1 | epss 0.01

    An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only…

  • CVE-2015-0266 | High | Apr 11, 2016
    risk 0.46 | cvss 7.1 | epss 0.02

    The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs.

  • CVE-2026-42604 | Medium | Jun 12, 2026
    risk 0.45 | cvss n/a | epss 0.00

    Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint…

  • CVE-2026-4263 | Medium | Mar 26, 2026
    risk 0.45 | cvss n/a | epss 0.00

    Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.

  • CVE-2026-4262 | Medium | Mar 26, 2026
    risk 0.45 | cvss n/a | epss 0.00

    Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download//'.

  • CVE-2025-41031 | Medium | Sep 2, 2025
    risk 0.45 | cvss n/a | epss 0.00

    Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to change other users' profile pictures via a POST request using the parameters 'IdPersona' and 'Foto' in '/ajax/TInnova_c/FotoUsuario/llamadaAjax/uploadImage'.

  • CVE-2025-41030 | Medium | Sep 2, 2025
    risk 0.45 | cvss n/a | epss 0.00

    Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to obtain information from other users via GET '/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona' using the 'dni' parameter.

  • CVE-2025-8533 | Medium | Aug 7, 2025
    risk 0.45 | cvss n/a | epss 0.00

    A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local,…

  • CVE-2025-2202 | Medium | Mar 17, 2025
    risk 0.45 | cvss n/a | epss 0.00

    Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email.

  • CVE-2025-2201 | Medium | Mar 17, 2025
    risk 0.45 | cvss n/a | epss 0.00

    Broken access control vulnerability in the IcProgress Innovación y Cualificación plugin. This vulnerability allows an attacker to obtain sensitive information about other users such as public IP addresses, messages with other users and more.

  • CVE-2021-34429 | Medium | Jul 15, 2021
    risk 0.45 | cvss 5.3 | epss 0.99

    For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in…

  • CVE-2026-42312 | Medium | May 11, 2026
    risk 0.44 | cvss 6.8 | epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist…

  • CVE-2026-6863 | Medium | May 6, 2026
    risk 0.44 | cvss 6.8 | epss 0.00

    Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET…

  • CVE-2026-43001 | High | May 1, 2026
    risk 0.44 | cvss 7.9 | epss 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted…

  • CVE-2026-42432 | High | Apr 28, 2026
    risk 0.44 | cvss 7.8 | epss 0.00

    OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the…

  • CVE-2026-40191 | Medium | Apr 10, 2026
    risk 0.44 | cvss n/a | epss 0.00

    ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA)…

  • CVE-2026-35586 | Medium | Apr 7, 2026
    risk 0.44 | cvss 6.8 | epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and…

  • CVE-2025-8886 | Medium | Oct 10, 2025
    risk 0.44 | cvss 6.7 | epss 0.00

    Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass. This…
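Several entries above share a second shape of CWE-863 that differs from a stale allowlist: the check runs, but against a scope the caller chose rather than the scope the resource actually belongs to (the namespace in the request path in the kube-apiserver entry, the caller-supplied project_id in the Keystone entry). The following is an added example illustrating that pattern; it is not code from Kubernetes, Keystone or any other project on this page, and every name in it (RESOURCE_SCOPE, ROLE_BINDINGS, authorize_*) and every binding is hypothetical and constructed.

```python
# Constructed registry: which resource kinds live in a namespace and which are
# cluster-wide. Authorization decisions must use this, not the request path.
RESOURCE_SCOPE = {
    "pods": "namespaced",
    "widgets": "cluster",   # a cluster-scoped custom resource
}

# Constructed role bindings: (subject, scope) -> set of (verb, kind) allowed.
# scope is a namespace name, or the sentinel "cluster" for cluster-wide bindings.
# alice's namespaced binding mentions "widgets", which is harmless as long as
# the authorizer never evaluates cluster-scoped objects against it.
ROLE_BINDINGS = {
    ("alice", "team-a"): {("get", "pods"), ("get", "widgets"), ("delete", "widgets")},
    ("admin", "cluster"): {("get", "widgets"), ("delete", "widgets")},
}


def _allowed(subject, scope, verb, kind):
    """Look up a single binding; absent bindings deny."""
    return (verb, kind) in ROLE_BINDINGS.get((subject, scope), set())


def authorize_vulnerable(subject, verb, kind, request_namespace):
    """Trusts whatever namespace the caller put in the path (CWE-863).

    A request shaped like /namespaces/team-a/widgets/x is evaluated against
    team-a's bindings even though widgets are cluster-scoped, so alice can
    delete a cluster-wide object with a namespace-local role.
    """
    scope = request_namespace if request_namespace else "cluster"
    return _allowed(subject, scope, verb, kind)


def authorize_fixed(subject, verb, kind, request_namespace):
    """Derives the scope from the resource kind, and rejects mismatched requests."""
    kind_scope = RESOURCE_SCOPE.get(kind)
    if kind_scope is None:
        return False                  # unknown kind: deny by default
    if kind_scope == "cluster":
        if request_namespace:
            return False              # namespaced path to a cluster resource is malformed
        return _allowed(subject, "cluster", verb, kind)
    if not request_namespace:
        return False                  # namespaced kinds require a namespace
    return _allowed(subject, request_namespace, verb, kind)


if __name__ == "__main__":
    # alice, with only a team-a role, tries to delete a cluster-scoped widget
    # by phrasing the request as if the widget lived in team-a.
    print("vulnerable:", authorize_vulnerable("alice", "delete", "widgets", "team-a"))
    print("fixed:     ", authorize_fixed("alice", "delete", "widgets", "team-a"))
```

The fix is not an extra role check but a change in which scope the check is bound to: the authorizer consults the resource registry first and ignores, or outright rejects, a request-supplied scope that contradicts it. The same discipline applies to body parameters such as a project_id: derive it from the authenticated principal or validate it against the principal's scope before using it to pick the policy that is evaluated.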