VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
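The defining feature of this weakness is that a check does run; it just tests the wrong property. The added example below (illustrative code, not from CWE or from any project in the list) mirrors the pattern in the Keystone entry further down: a credential's secret is verified, but the user identity supplied in the request is never compared with the credential's owner, so the caller chooses whose identity the resulting principal carries. All names, the credential store and the notes are constructed for the example.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AppCredential:
    cred_id: str
    secret: str
    owner: str  # the only user this credential may authenticate as


# Constructed store: two users, one application credential each.
CREDENTIALS = {
    "cred-alice": AppCredential("cred-alice", "alice-secret", "alice"),
    "cred-bob": AppCredential("cred-bob", "bob-secret", "bob"),
}
# Constructed per-user data protected by an ownership check downstream.
PRIVATE_NOTES = {"alice": "alice's note", "bob": "bob's note"}


def _verify_secret(cred_id, secret):
    """Look up the credential and verify its secret in constant time."""
    cred = CREDENTIALS.get(cred_id)
    if cred is None:
        return None
    if not hmac.compare_digest(cred.secret.encode(), secret.encode()):
        return None
    return cred


def authenticate_incorrect(cred_id, secret, requested_user):
    """CWE-863 shape: a check runs (credential exists, secret matches),
    but the user named in the request is accepted as-is instead of being
    compared with the credential's owner."""
    cred = _verify_secret(cred_id, secret)
    if cred is None:
        return None
    return {"user": requested_user}  # bug: cred.owner never consulted


def authenticate_correct(cred_id, secret, requested_user):
    """Same check, plus the binding the weak version omits: the requested
    identity must be the credential's owner, and the principal is built
    from the stored owner rather than from caller input."""
    cred = _verify_secret(cred_id, secret)
    if cred is None or requested_user != cred.owner:
        return None
    return {"user": cred.owner}


def read_note(principal, note_owner):
    """Downstream ownership check. It is correct on its own; it is only
    as good as the identity the authentication step handed it."""
    if principal is None or principal["user"] != note_owner:
        raise PermissionError("not the owner")
    return PRIVATE_NOTES[note_owner]


def demo():
    # Attacker holds alice's credential and asks to be treated as bob.
    weak = authenticate_incorrect("cred-alice", "alice-secret", "bob")
    fixed = authenticate_correct("cred-alice", "alice-secret", "bob")
    return weak, fixed


if __name__ == "__main__":
    weak, fixed = demo()
    print("weak   ->", weak, "| can read bob's note:", read_note(weak, "bob"))
    print("fixed  ->", fixed)
```

The practical review question for any entry on this page is the same one the weak function fails: which input does the check compare, and is that input controlled by the caller or by the system's own record of ownership and role?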

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 43 of 77
  • CVE-2026-42998 | Med | May 28, 2026
    risk 0.32 | cvss 6.0 | epss 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their…

  • CVE-2026-26067 | Med | Apr 21, 2026
    risk 0.32 | cvss 4.9 | epss 0.00

    October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files…

  • CVE-2025-59449 | Med | Oct 6, 2025
    risk 0.32 | cvss 4.9 | epss 0.00

    The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are…

  • CVE-2025-27213 | Med | Aug 21, 2025
    risk 0.32 | cvss 4.9 | epss 0.00

    An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect devices to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and…

  • CVE-2023-46906 | Med | Jan 9, 2024
    risk 0.32 | cvss 4.9 | epss 0.01

    juzaweb <= 3.4 is vulnerable to Incorrect Access Control, resulting in an application outage after a 500 HTTP status code. The payload in the timezone field was not correctly validated.

  • CVE-2023-5193 | Med | Sep 29, 2023
    risk 0.32 | cvss 4.9 | epss 0.00

    Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.

  • CVE-2017-2632 | Med | Jul 27, 2018
    risk 0.32 | cvss 4.9 | epss 0.01

    A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate…

  • CVE-2026-35622 | Med | Apr 9, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on…

  • CVE-2026-32035 | Med | Mar 19, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron…

  • CVE-2025-10015 | Med | Sep 16, 2025
    risk 0.31 | cvss (not listed) | epss 0.00

    The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. Lack of validation…

  • CVE-2025-4975 | Med | May 22, 2025
    risk 0.31 | cvss (not listed) | epss 0.00

    When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device.

  • CVE-2024-34701 | Med | May 14, 2024
    risk 0.31 | cvss 5.9 | epss 0.01

    CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester at the wiki where the wiki…

  • CVE-2023-40315 | Med | Aug 17, 2023
    risk 0.31 | cvss 5.3 | epss 0.03

    In OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FILESYSTEM_EDITOR can easily escalate their privileges to ROLE_ADMIN or any other role. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or…

  • CVE-2023-39363 | Med | Aug 7, 2023
    risk 0.31 | cvss 5.9 | epss 0.01

    Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing…

  • CVE-2023-2515 | Med | May 12, 2023
    risk 0.31 | cvss 4.7 | epss 0.00

    Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin

  • CVE-2023-31141 | Med | May 8, 2023
    risk 0.31 | cvss 4.8 | epss 0.00

    OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking)…

  • CVE-2023-30840 | Med | May 8, 2023
    risk 0.31 | cvss 5.8 | epss 0.00

    Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running fluid csi pod (controlled by the…

  • CVE-2022-39342 | Med | Oct 25, 2022
    risk 0.31 | cvss 5.9 | epss 0.01

    OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other…

  • CVE-2022-39341 | Med | Oct 25, 2022
    risk 0.31 | cvss 5.9 | epss 0.01

    OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch…

  • CVE-2022-31139 | Med | Jul 11, 2022
    risk 0.31 | cvss 5.9 | epss 0.01

    UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe. Normally, if UA is loaded as a named module, the internal data of UA is protected by JVM and others can only access UA via UA's standard API. The main application can set up…