VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530), page 54 of 77
  • CVE-2026-4055 | Medium | May 21, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Mattermost versions 11.5.x <= 11.5.1 fail to validate the team-level run_create permission against the target team when creating a playbook run, which allows an authenticated team member to create runs in teams where they lack permission by specifying a different team ID in the run…

  • CVE-2026-6343 | Medium | May 18, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions, which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591

  • CVE-2026-28732 | Medium | May 18, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates, which allows an authenticated team member with the Manage Own Slash Commands permission to hijack and impersonate existing system…

  • CVE-2026-28759 | Medium | May 18, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any…

  • CVE-2026-44557 | Medium | May 15, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-*…

  • CVE-2026-45009 | Medium | May 15, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user…

  • CVE-2026-45148 | Medium | May 14, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate publish-mode endpoints lets readers enumerate metadata from documents that are invisible to the publish service. This…

  • CVE-2026-41910 | Medium | Apr 28, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.

  • CVE-2026-41350 | Medium | Apr 23, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to…

  • CVE-2026-41908 | Medium | Apr 23, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path…

  • CVE-2026-29179 | Low | Apr 21, 2026 | risk 0.21 | CVSS 3.3 | EPSS 0.00

    October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly…

  • CVE-2026-34082 | Medium | Apr 20, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps//conversations/` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version…

  • CVE-2026-40103 | Medium | Apr 10, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with…

  • CVE-2026-35619 | Medium | Apr 10, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility…

  • CVE-2026-35596 | Medium | Apr 10, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label…

  • CVE-2026-39957 | Medium | Apr 9, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with…

  • CVE-2026-33460 | Medium | Apr 8, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment…

  • CVE-2026-39381 | Medium | Apr 7, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields…

  • CVE-2026-33578 | Medium | Mar 31, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and…

  • CVE-2026-34506 | Medium | Mar 31, 2026 | risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message…
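Two entries on this page, CVE-2026-35596 (Vikunja, hasAccessToLabel) and CVE-2026-39957 (Lychee, SharingController::listAll), name the same root cause: a WHERE clause assembled from pieces in which an unparenthesised OR escapes the ownership filter, because SQL evaluates AND before OR. The Python/sqlite3 program below is an added illustration of that bug class and its fix; it is not code from either project, and the `shares` table, the user IDs and the function names are constructed for the example.

```python
import sqlite3

# Constructed fixture for illustration only; not a schema or data from any real project.
SCHEMA = """
CREATE TABLE shares (
    id            INTEGER PRIMARY KEY,
    owner_id      INTEGER NOT NULL,   -- user who created the share
    user_id       INTEGER,            -- share targeted at one user, or NULL
    user_group_id INTEGER             -- share targeted at a group, or NULL
);
INSERT INTO shares (id, owner_id, user_id, user_group_id) VALUES
    (1, 1, 2,    NULL),   -- owned by user 1, shared with user 2
    (2, 1, NULL, 10),     -- owned by user 1, shared with group 10
    (3, 2, 1,    NULL),   -- owned by user 2, shared with user 1
    (4, 2, NULL, 20);     -- owned by user 2, shared with group 20
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_shares_vulnerable(conn, uid, is_admin=False):
    """Intended rule: admins list every share; everyone else lists only the
    shares they own that target a user or a group.

    Bug: the ownership filter is prepended with AND, then a second condition
    is appended with OR.  SQL parses
        owner_id = ? AND user_id IS NOT NULL OR user_group_id IS NOT NULL
    as
        (owner_id = ? AND user_id IS NOT NULL) OR user_group_id IS NOT NULL
    so every group-targeted share of every owner escapes the ownership filter.
    """
    sql = "SELECT id FROM shares WHERE "
    params = []
    if not is_admin:
        sql += "owner_id = ? AND "
        params.append(uid)
    sql += "user_id IS NOT NULL OR user_group_id IS NOT NULL ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


def list_shares_fixed(conn, uid, is_admin=False):
    """Same rule, with every clause parenthesised before the clauses are joined
    by AND, so the result no longer depends on the order the pieces were added."""
    clauses = ["(user_id IS NOT NULL OR user_group_id IS NOT NULL)"]
    params = []
    if not is_admin:
        clauses.append("(owner_id = ?)")
        params.append(uid)
    sql = "SELECT id FROM shares WHERE " + " AND ".join(clauses) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


def foreign_rows(conn, uid, ids):
    """Regression check for the ownership rule: return the ids in `ids` that
    `uid` does not own.  A non-empty result for a non-admin listing is an
    authorization leak."""
    if not ids:
        return []
    marks = ",".join("?" * len(ids))
    rows = conn.execute(
        f"SELECT id FROM shares WHERE id IN ({marks}) AND owner_id != ? ORDER BY id",
        [*ids, uid],
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = connect()
    leaked = list_shares_vulnerable(conn, uid=1)
    print("vulnerable listing for user 1:", leaked, "not owned:", foreign_rows(conn, 1, leaked))
    fixed = list_shares_fixed(conn, uid=1)
    print("fixed listing for user 1:", fixed, "not owned:", foreign_rows(conn, 1, fixed))
```

The vulnerable listing for user 1 returns share 4, which user 2 owns, exactly the shape of leak the two advisories describe. The practical defence when reviewing query-builder code is to treat any `orWhere`-style call that follows an ownership or tenant filter as suspect unless it sits inside an explicit grouping, and to keep a test like `foreign_rows` in the suite so that a later refactor cannot silently reintroduce the precedence bug.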