VYPR

CWE-863

Incorrect Authorization

Abstraction: Class · Structure: Incomplete · Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 52 of 77
  • CVE-2023-32261 · Med · Jul 19, 2023
    risk 0.27 · cvss 4.2 · epss 0.01

    A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. See the following Jenkins security advisory for…

  • CVE-2023-25173 · Med · Feb 16, 2023
    risk 0.27 · cvss 5.3 · epss 0.01

    containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group…

  • CVE-2017-8196 · Med · Nov 22, 2017
    risk 0.27 · cvss 4.2 · epss 0.00

    FusionSphere V100R006C00SPC102(NFV) has an incorrect authorization vulnerability. An authenticated attacker could execute commands that he/she should have had no permission to perform, thereby querying, modifying, and deleting certain service data and making the service…

  • CVE-2026-54357 · Med · Jun 12, 2026
    risk 0.26 · cvss · epss 0.00

    An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by…

  • CVE-2026-41367 · Med · Apr 28, 2026
    risk 0.26 · cvss 5.0 · epss 0.00

    OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement.

  • CVE-2026-41232 · Med · Apr 23, 2026
    risk 0.26 · cvss 5.0 · epss 0.00

    Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to…

  • CVE-2026-41131 · Med · Apr 22, 2026
    risk 0.26 · cvss 5.0 · epss 0.00

    OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an…

  • CVE-2026-34972 · Med · Apr 6, 2026
    risk 0.26 · cvss 5.0 · epss 0.00

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can…

  • CVE-2026-29044 · Med · Mar 26, 2026
    risk 0.26 · cvss 5.0 · epss 0.00

    EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls…

  • CVE-2025-66406 · Med · Dec 3, 2025
    risk 0.26 · cvss 5.0 · epss 0.00

    Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is…

  • CVE-2025-43230 · Med · Jul 30, 2025
    risk 0.26 · cvss 4.0 · epss 0.00

    The issue was addressed with additional permissions checks. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. An app may be able to access user-sensitive data.

  • CVE-2022-36009 · Med · Aug 19, 2022
    risk 0.26 · cvss 5.0 · epss 0.01

    gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event,…

  • CVE-2026-41657 · Med · May 7, 2026
    risk 0.25 · cvss 4.9 · epss 0.00

    Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger…

  • CVE-2025-68152 · Med · Apr 3, 2026
    risk 0.25 · cvss 4.9 · epss 0.00

    Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised…

  • CVE-2021-26387 · Low · Aug 13, 2024
    risk 0.25 · cvss 3.9 · epss 0.00

    Insufficient access controls in ASP kernel may allow a privileged attacker with access to AMD signing keys and the BIOS menu or UEFI shell to map DRAM regions in protected areas, potentially leading to a loss of platform integrity.

  • CVE-2023-5159 · Low · Sep 29, 2023
    risk 0.25 · cvss 3.8 · epss 0.00

    Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.

  • CVE-2023-30544 · Low · Apr 24, 2023
    risk 0.25 · cvss 3.9 · epss 0.00

    Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership…

  • CVE-2023-0091 · Low · Jan 13, 2023
    risk 0.25 · cvss 3.8 · epss 0.00

    A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

  • CVE-2022-23452 · Med · Sep 1, 2022
    risk 0.25 · cvss 4.9 · epss 0.01

    An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.

  • CVE-2022-1553 · Med · May 16, 2022
    risk 0.25 · cvss 4.9 · epss 0.01

    Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website, compromising…