VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530), page 58 of 77
  • CVE-2023-27594 | Med | Mar 17, 2023
    risk 0.20 | cvss 4.2 | epss 0.01

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from…

  • CVE-2026-54517 | Med | Jun 23, 2026
    risk 0.19 | cvss n/a | epss 0.00

    ## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making…

  • CVE-2026-54518 | Med | Jun 23, 2026
    risk 0.19 | cvss n/a | epss 0.00

    ## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this…

  • CVE-2020-15248 | Med | Nov 23, 2020
    risk 0.19 | cvss 4.0 | epss 0.00

    October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which…

  • CVE-2026-53809 | Low | Jun 11, 2026
    risk 0.18 | cvss 3.8 | epss 0.00

    OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside…

  • CVE-2024-47272 | Low | May 27, 2026
    risk 0.18 | cvss 2.7 | epss 0.00

    Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors.

  • CVE-2025-9957 | Low | Apr 22, 2026
    risk 0.18 | cvss 2.7 | epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention…

  • CVE-2025-46744 | Low | May 12, 2025
    risk 0.18 | cvss 2.7 | epss 0.00

    An authenticated administrator could modify the "Created By" username for a user account.

  • CVE-2024-27086 | Low | Apr 16, 2024
    risk 0.18 | cvss 3.9 | epss 0.00

    The MSAL library enabled acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.0 are impacted by a low severity vulnerability. A malicious application…

  • CVE-2023-5194 | Low | Sep 29, 2023
    risk 0.18 | cvss 2.7 | epss 0.00

    Mattermost fails to properly validate permissions when demoting and deactivating a user, allowing a system/user manager to demote or deactivate another manager.

  • CVE-2022-0333 | Low | Jan 25, 2022
    risk 0.18 | cvss 3.8 | epss 0.01

    A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

  • CVE-2026-41852 | Low | Jun 9, 2026
    risk 0.17 | cvss 3.7 | epss 0.00

    A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework…

  • CVE-2026-4273 | Low | May 18, 2026
    risk 0.17 | cvss 3.7 | epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token…

  • CVE-2026-35648 | Low | Apr 10, 2026
    risk 0.17 | cvss 3.7 | epss 0.00

    OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.

  • CVE-2026-32067 | Low | Mar 21, 2026
    risk 0.17 | cvss 3.7 | epss 0.00

    OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can…

  • CVE-2024-23329 | Low | Jan 19, 2024
    risk 0.17 | cvss 3.7 | epss 0.01

    changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However,…

  • CVE-2026-45316 | Low | May 15, 2026
    risk 0.16 | cvss 3.5 | epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is_pinned field) but only checks for read permission. Users with read-only access…

  • CVE-2026-33551 | Low | Apr 10, 2026
    risk 0.16 | cvss 3.5 | epss 0.00

    An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with…

  • CVE-2025-32408 | Low | Apr 21, 2025
    risk 0.16 | cvss 2.5 | epss 0.00

    In Soffid Console 3.6.31 before 3.6.32, authorization to use the pam service is mishandled.

  • CVE-2024-23255 | Low | Mar 8, 2024
    risk 0.16 | cvss 2.4 | epss 0.01

    An authentication issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Photos in the Hidden Photos Album may be viewed without authentication.
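Added example, not code from Open WebUI, OpenClaw or any other project listed on this page: a toy model of the CWE-863 definition above ("a check is performed, but not correctly"), reproducing two of the shapes that recur in the list. The first is the Open WebUI entry, a write operation gated on the read permission. The second is the OpenClaw provider-alias entry, a policy compared against the spelling the request used rather than the canonical identity. The Note class, the ACL layout, the alias table and the assumption that the provider policy is a deny list are all constructed for the example; the page does not describe the real projects' data models.

```python
"""Constructed illustration of CWE-863 (Incorrect Authorization).

Two patterns from entries in the list above are reproduced on a toy
model. None of this is the affected projects' code; the permission
model, the names and the alias table are assumptions for the example.

  1. A write endpoint that checks only the read permission
     (the shape described in the Open WebUI entry).
  2. A policy that compares a provider alias against the policy list
     instead of the canonical provider identity (the OpenClaw entry).
     The policy is modelled as a deny list, which is an assumption.
"""
from dataclasses import dataclass, field


class AuthorizationError(PermissionError):
    """Raised when a caller fails an authorization check."""


@dataclass
class Note:
    id: int
    owner: str
    is_pinned: bool = False
    # Per-note ACL (assumed shape): user -> set of permissions granted.
    acl: dict = field(default_factory=dict)


def has_permission(note: Note, user: str, perm: str) -> bool:
    """The owner holds every permission; others hold what the ACL grants."""
    if user == note.owner:
        return True
    return perm in note.acl.get(user, set())


def pin_note_vulnerable(note: Note, user: str) -> bool:
    """CWE-863: a check is performed, but for the wrong permission.

    Toggling is_pinned mutates the note, yet only "read" is required,
    so a read-only collaborator changes state they must not change.
    """
    if not has_permission(note, user, "read"):
        raise AuthorizationError(f"{user} may not read note {note.id}")
    note.is_pinned = not note.is_pinned
    return note.is_pinned


def pin_note_fixed(note: Note, user: str) -> bool:
    """Gate the write on the permission that matches the operation."""
    if not has_permission(note, user, "write"):
        raise AuthorizationError(f"{user} may not modify note {note.id}")
    note.is_pinned = not note.is_pinned
    return note.is_pinned


# Pattern 2: alias vs canonical identity. The alias table is invented.
PROVIDER_ALIASES = {
    "oai": "openai",
    "openai-compatible": "openai",
    "claude": "anthropic",
}


def canonical_provider(name: str) -> str:
    """Map an alias to its canonical provider id (identity if unknown)."""
    return PROVIDER_ALIASES.get(name.lower(), name.lower())


def provider_blocked_vulnerable(requested: str, blocked: set) -> bool:
    """CWE-863: compares the raw request string against the policy.

    A request that spells the provider as an alias never matches a
    policy entry written with the canonical name, so it slips through.
    """
    return requested in blocked


def provider_blocked_fixed(requested: str, blocked: set) -> bool:
    """Canonicalize both the request and the policy before comparing."""
    canon_blocked = {canonical_provider(b) for b in blocked}
    return canonical_provider(requested) in canon_blocked


def demo() -> dict:
    """Run both patterns on constructed input and report what happened."""
    results = {}
    # bob is a read-only collaborator on alice's note.
    note = Note(id=1, owner="alice", acl={"bob": {"read"}})
    results["vuln_pin_by_reader"] = pin_note_vulnerable(note, "bob")
    try:
        pin_note_fixed(Note(id=2, owner="alice", acl={"bob": {"read"}}), "bob")
        results["fixed_pin_by_reader"] = "allowed"
    except AuthorizationError:
        results["fixed_pin_by_reader"] = "denied"
    # Policy written with the canonical name; request uses an alias.
    policy = {"openai"}
    results["vuln_alias_blocked"] = provider_blocked_vulnerable("oai", policy)
    results["fixed_alias_blocked"] = provider_blocked_fixed("oai", policy)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix in both cases is the same discipline: derive the permission to check from the operation being performed (a state change needs the write permission, whatever the HTTP verb says), and compare policy against a canonical form of the subject rather than the form the caller chose to send.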