CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
page 5 of 77

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-28474 | | Critical | 0.57 | 9.8 | 0.00 | | Mar 5, 2026 | OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an… |
| CVE-2026-2293 | | Critical | 0.57 | 9.8 | 0.01 | | Feb 27, 2026 | A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13. |
| CVE-2026-24480 | | High | 0.57 | — | 0.00 | | Jan 27, 2026 | QGIS is a free, open source, cross platform geographical information system (GIS). The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository… |
| CVE-2020-36920 | | High | 0.57 | 8.8 | 0.00 | | Jan 6, 2026 | iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application… |
| CVE-2025-6892 | — | High | 0.57 | — | 0.01 | | Oct 17, 2025 | An Incorrect Authorization vulnerability has been identified in Moxa's network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This… |
| CVE-2025-10016 | | High | 0.57 | — | 0.00 | | Sep 16, 2025 | The Sparkle framework includes a helper tool, Autoupdate. Due to a lack of authentication of connecting clients, a local unprivileged attacker can request installation of a crafted malicious PKG file by racing to connect to the daemon when another app spawns it as root. This results… |
| CVE-2025-23256 | | High | 0.57 | 8.7 | 0.00 | | Sep 4, 2025 | NVIDIA BlueField contains a vulnerability in the management interface, where an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges,… |
| CVE-2025-7773 | | High | 0.57 | — | 0.00 | | Aug 14, 2025 | A security issue exists within the 5032 16pt Digital Configurable module's web server. The web server's session number increments at an interval that correlates to the last two consecutive sign-in session intervals, making it predictable. |
| CVE-2025-42951 | | High | 0.57 | 8.8 | 0.00 | | Aug 12, 2025 | Due to broken authorization, SAP Business One (SLD) allows an authenticated attacker to gain administrator privileges of a database by invoking the corresponding API. As a result, it has a high impact on the confidentiality, integrity, and availability of the application. |
| CVE-2025-20701 | | High | 0.57 | 8.8 | 0.04 | | Aug 4, 2025 | In the Airoha Bluetooth audio SDK, there is a possible way to pair a Bluetooth audio device without user consent. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-53943 | | High | 0.57 | — | 0.00 | | Jul 16, 2025 | VoidBot Open-Source is a customizable Discord bot. VoidBot Open-Source versions 0.0.1 through 0.8.1 contain a vulnerability in the command handler where permission checks are not properly enforced for certain administrative commands. This allows users without the required roles… |
| CVE-2024-5705 | | High | 0.57 | 8.8 | 0.00 | | Feb 19, 2025 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business… |
| CVE-2025-24500 | — | High | 0.57 | — | 0.00 | | Jan 30, 2025 | The vulnerability allows an unauthenticated attacker to access information in the PAM database. |
| CVE-2024-55579 | | High | 0.57 | 8.8 | 0.00 | | Dec 9, 2024 | An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February… |
| CVE-2024-53937 | | High | 0.57 | 8.8 | 0.00 | | Dec 2, 2024 | An issue was discovered on Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The TELNET service is enabled by default with admin/admin as default credentials and is exposed over the LAN. This allows attackers to execute arbitrary commands with… |
| CVE-2024-53941 | | High | 0.57 | 8.8 | 0.01 | | Dec 2, 2024 | An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default Wi-Fi PSK value via the last 4 octets of the BSSID. |
| CVE-2024-54124 | | High | 0.57 | 8.8 | 0.00 | | Nov 29, 2024 | In Click Studios Passwordstate before build 9920, there is a potential permission escalation on the edit folder screen. |
| CVE-2024-51426 | | High | 0.57 | 8.8 | 0.00 | | Oct 30, 2024 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is disputed by third parties because the impact is limited to function calls. |
| CVE-2024-51425 | | High | 0.57 | 8.8 | 0.00 | | Oct 30, 2024 | An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to function calls. |
| CVE-2024-41617 | | Critical | 0.57 | 9.8 | 0.01 | | Oct 24, 2024 | Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated… |