VYPR

CWE-863

Incorrect Authorization

ClassIncompleteLikelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 46 of 77
  • CVE-2026-41341MedApr 23, 2026
    risk 0.28cvss 5.4epss 0.00

    OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM…

  • CVE-2026-41909MedApr 23, 2026
    risk 0.28cvss 5.4epss 0.00

    OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device…

  • CVE-2026-41233MedApr 23, 2026
    risk 0.28cvss 5.4epss 0.00

    Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller…

  • CVE-2026-5377MedApr 22, 2026
    risk 0.28cvss 4.3epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering…

  • CVE-2026-24176MedApr 21, 2026
    risk 0.28cvss 4.3epss 0.00

    NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.

  • CVE-2026-40155MedApr 17, 2026
    risk 0.28cvss 5.4epss 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users…

  • CVE-2026-39350MedApr 15, 2026
    risk 0.28cvss 5.4epss 0.00

    Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression…

  • CVE-2026-2619MedApr 8, 2026
    risk 0.28cvss 4.3epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private…

  • CVE-2026-1752MedApr 8, 2026
    risk 0.28cvss 4.3epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper…

  • CVE-2026-32923MedMar 29, 2026
    risk 0.28cvss 5.4epss 0.00

    OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction ingestion that fails to enforce member users and roles allowlist checks. Non-allowlisted guild members can trigger reaction events accepted as trusted system events, injecting…

  • CVE-2026-33726MedMar 27, 2026
    risk 0.28cvss 5.4epss 0.00

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when…

  • CVE-2026-32642MedMar 24, 2026
    risk 0.28cvss 4.3epss 0.00

    Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the…

  • CVE-2026-22624MedJan 30, 2026
    risk 0.28cvss 4.3epss 0.00

    Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.

  • CVE-2025-14943MedJan 10, 2026
    risk 0.28cvss 4.3epss 0.00

    The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that…

  • CVE-2025-15085MedDec 25, 2025
    risk 0.28cvss 4.3epss 0.00

    A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in…

  • CVE-2025-13653MedDec 1, 2025
    risk 0.28cvss 4.3epss 0.00

    In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges.

  • CVE-2025-42939MedOct 14, 2025
    risk 0.28cvss 4.3epss 0.00

    SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule…

  • CVE-2025-11439MedOct 8, 2025
    risk 0.28cvss 4.3epss 0.00

    A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and…

  • CVE-2025-9835MedSep 2, 2025
    risk 0.28cvss 4.3epss 0.00

    A vulnerability has been found in macrozheng mall up to 1.0.3. This affects the function cancelOrder of the file /order/cancelUserOrder. The manipulation of the argument orderId leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed…

  • CVE-2025-1501MedAug 26, 2025
    risk 0.28cvss 4.3epss 0.00

    An access control vulnerability was discovered in the Request Trace and Download Trace functionalities of CMC before 25.1.0 due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can…