VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

CVEs mapped to this weakness (1,530)

page 35 of 77
  • CVE-2012-1342 | Med | Aug 6, 2012
    risk 0.38 | cvss 5.8 | epss 0.01

    Cisco Carrier Routing System (CRS) 3.9, 4.0, and 4.1 allows remote attackers to bypass ACL entries via fragmented packets, aka Bug ID CSCtj10975.

  • CVE-2026-6739 | Med | Jun 12, 2026
    risk 0.37 | cvss 6.7 | epss 0.00

    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate…

  • CVE-2026-33570 | Med | May 12, 2026
    risk 0.37 | cvss 5.7 | epss 0.00

    PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.

  • CVE-2026-43535 | Med | May 5, 2026
    risk 0.37 | cvss 6.8 | epss 0.00

    OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain…

  • CVE-2026-40574 | Med | Apr 21, 2026
    risk 0.37 | cvss 6.8 | epss 0.00

    OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as…

  • CVE-2026-40224 | Med | Apr 10, 2026
    risk 0.37 | cvss 6.7 | epss 0.00

    In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.

  • CVE-2025-5187 | Med | Aug 27, 2025
    risk 0.37 | cvss 6.7 | epss 0.00

    A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is…

  • CVE-2024-49501 | Med | Nov 1, 2024
    risk 0.37 | cvss 5.7 | epss 0.00

    Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function.

  • CVE-2024-47616 | Med | Oct 2, 2024
    risk 0.37 | cvss 6.8 | epss 0.01

    Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by…

  • CVE-2024-27915 | Med | Mar 6, 2024
    risk 0.37 | cvss 6.8 | epss 0.00

    Sulu is a PHP content management system. Starting in version 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have…

  • CVE-2023-36829 | Med | Jul 6, 2023
    risk 0.37 | cvss 6.8 | epss 0.01

    Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the…

  • CVE-2022-24748 | Med | Mar 9, 2022
    risk 0.37 | cvss 6.8 | epss 0.01

    Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users…

  • CVE-2020-15110 | Med | Jul 17, 2020
    risk 0.37 | cvss 6.8 | epss 0.01

    In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12.

  • CVE-2017-2673 | Med | Jul 19, 2018
    risk 0.37 | cvss 6.8 | epss 0.02

    An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.

  • CVE-2026-49219 | Med | Jun 10, 2026
    risk 0.36 | cvss 5.5 | epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue…

  • CVE-2026-20624 | Med | Feb 11, 2026
    risk 0.36 | cvss 5.5 | epss 0.00

    An injection issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to access sensitive user data.

  • CVE-2025-13813 | Med | Dec 1, 2025
    risk 0.36 | cvss 5.6 | epss 0.00

    A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack can be initiated remotely. The attack's…

  • CVE-2025-43397 | Med | Nov 4, 2025
    risk 0.36 | cvss 5.5 | epss 0.00

    A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to cause a denial-of-service.

  • CVE-2024-8270 | Med | Jun 11, 2025
    risk 0.36 | cvss 5.5 | epss 0.00

    The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client).…

  • CVE-2025-46834 | Med | May 15, 2025
    risk 0.36 | cvss n/a | epss 0.00

    Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external…