CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
page 54 of 77| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4055 | Med | 0.21 | 4.3 | 0.00 | May 21, 2026 | Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run… | ||
| CVE-2026-6343 | Med | 0.21 | 4.3 | 0.00 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591 | ||
| CVE-2026-28732 | Med | 0.21 | 4.3 | 0.00 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system… | ||
| CVE-2026-28759 | Med | 0.21 | 4.3 | 0.00 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any… | ||
| CVE-2026-44557 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-*… | ||
| CVE-2026-45009 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user… | ||
| CVE-2026-45148 | Med | 0.21 | 4.3 | 0.00 | May 14, 2026 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate publish-mode Readers can enumerate metadata from documents that are invisible to the publish service. This… | ||
| CVE-2026-41910 | Med | 0.21 | 4.3 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model. | ||
| CVE-2026-41350 | Med | 0.21 | 4.3 | 0.00 | Apr 23, 2026 | OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to… | ||
| CVE-2026-41908 | Med | 0.21 | 4.3 | 0.00 | Apr 23, 2026 | OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path… | ||
| CVE-2026-29179 | — | Low | 0.21 | 3.3 | 0.00 | Apr 21, 2026 | October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly… | |
| CVE-2026-34082 | Med | 0.21 | 4.3 | 0.00 | Apr 20, 2026 | Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps//conversations/` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version… | ||
| CVE-2026-40103 | Med | 0.21 | 4.3 | 0.00 | Apr 10, 2026 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with… | ||
| CVE-2026-35619 | Med | 0.21 | 4.3 | 0.00 | Apr 10, 2026 | OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility… | ||
| CVE-2026-35596 | Med | 0.21 | 4.3 | 0.00 | Apr 10, 2026 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label… | ||
| CVE-2026-39957 | Med | 0.21 | 4.3 | 0.00 | Apr 9, 2026 | Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with… | ||
| CVE-2026-33460 | Med | 0.21 | 4.3 | 0.00 | Apr 8, 2026 | Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment… | ||
| CVE-2026-39381 | Med | 0.21 | 4.3 | 0.00 | Apr 7, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields… | ||
| CVE-2026-33578 | Med | 0.21 | 4.3 | 0.00 | Mar 31, 2026 | OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and… | ||
| CVE-2026-34506 | Med | 0.21 | 4.3 | 0.00 | Mar 31, 2026 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message… |
- risk 0.21cvss 4.3epss 0.00
Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run…
- risk 0.21cvss 4.3epss 0.00
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591
- risk 0.21cvss 4.3epss 0.00
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system…
- risk 0.21cvss 4.3epss 0.00
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any…
- risk 0.21cvss 4.3epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-*…
- risk 0.21cvss 4.3epss 0.00
phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user…
- risk 0.21cvss 4.3epss 0.00
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate publish-mode Readers can enumerate metadata from documents that are invisible to the publish service. This…
- risk 0.21cvss 4.3epss 0.00
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.
- risk 0.21cvss 4.3epss 0.00
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to…
- risk 0.21cvss 4.3epss 0.00
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path…
- risk 0.21cvss 3.3epss 0.00
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly…
- risk 0.21cvss 4.3epss 0.00
Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps//conversations/` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version…
- risk 0.21cvss 4.3epss 0.00
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with…
- risk 0.21cvss 4.3epss 0.00
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility…
- risk 0.21cvss 4.3epss 0.00
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label…
- risk 0.21cvss 4.3epss 0.00
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with…
- risk 0.21cvss 4.3epss 0.00
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment…
- risk 0.21cvss 4.3epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields…
- risk 0.21cvss 4.3epss 0.00
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and…
- risk 0.21cvss 4.3epss 0.00
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message…