CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
page 60 of 77

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-55774 | | low | 0.00 | — | — | | Jun 19, 2026 | ### Summary OpenBao users with access to the `sys/leases/revoke/:lease_id` endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations. ### Impact … |
| CVE-2026-56074 | | | 0.00 | — | 0.00 | | Jun 18, 2026 | PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate… |
| CVE-2026-55701 | | | 0.00 | — | — | | Jun 18, 2026 | ## githubreceiver Silently Ignores Configured required_headers Authentication ### Summary The githubreceiver webhook handler does not enforce the `required_headers` configuration. Headers are validated at startup (config rejects empty keys/values) but never checked on incoming… |
| CVE-2026-55636 | | | 0.00 | — | — | | Jun 17, 2026 | ### Summary Capsule v0.13.2 webhook rules contain `namespace/finalize` (singular) instead of `namespaces/finalize` (plural). K8s requires plural. The finalize defense from CVE-2026-30963 fix is absent. ### Details PUT to `/api/v1/namespaces//finalize` has… |
| CVE-2026-54324 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | ### Summary A cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. ### Impact The notification gateway's… |
| CVE-2026-54022 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | ### Summary The `ydoc:document:join` Socket.IO handler checks note ownership only when the `document_id` starts with `note:` (colon). However, the `YdocManager` storage layer normalizes all document IDs by replacing colons with underscores (`document_id.replace(":", "_")`). An… |
| CVE-2026-54021 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | ## Summary Several direct, index-addressed Ollama proxy routes accept a caller-supplied `url_idx` path parameter and use it as a raw index into the admin-configured `OLLAMA_BASE_URLS` list. Access control on these routes validates only whether the user may use the requested… |
| CVE-2026-54761 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | ## Summary There is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the `crossProviderNamespaces` allowlist. For `HTTPRoute` rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target `backendRef.namespace`… |
| CVE-2026-32967 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| CVE-2026-42357 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which… |
| CVE-2026-41280 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. |
| CVE-2026-32966 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| CVE-2026-20706 | | | 0.00 | — | — | | Jun 16, 2026 | ## Summary PR #37698 added checkDownloadTokenScope to /raw/*, /media/*, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2… |
| CVE-2026-49983 | | | 0.00 | — | 0.00 | | Jun 16, 2026 | ## Summary In Deno, environment access is gated by the `env` permission. You can deny it with `--deny-env`, or restrict it to a specific allowlist with `--allow-env=FOO,BAR`. The expectation is that a program running without `env` permission cannot change `process.env`. … |
| CVE-2026-47230 | | | 0.00 | — | 0.00 | | May 29, 2026 | ## Summary `modules/documents-files.php` mode `file_rename_save` shares the same root-cause shape as the cross-folder move bug (`05-documents-cross-folder-move-idor.md`): the top-level rights check at lines 79-89 validates `hasUploadRight()` on the URL parameter `folder_uuid`,… |
| CVE-2026-47227 | | | 0.00 | — | 0.00 | | May 29, 2026 | ## Summary `modules/categories.php` checks that the supplied `type` parameter (`ANN`, `EVT`, `ROL`, `USF`, …) corresponds to a module the actor administers. The follow-up "is this specific category editable by me" check at lines 56-61 is dead code because it compares… |
| CVE-2026-47128 | | | 0.00 | — | 0.00 | | May 28, 2026 | ### Summary The nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket. Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with… |
| CVE-2026-45703 | | | 0.00 | — | 0.00 | | May 27, 2026 | ### Summary The `WordExport` export flow only checks whether the current backend user has the feature permission `word_export`. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the… |
| CVE-2026-46549 | | low | 0.00 | — | 0.00 | | May 21, 2026 | ### Summary The OAuth token strategy attached `oauth_scope` and `oauth_granted_resources` to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying… |
| CVE-2026-45692 | | | 0.00 | — | 0.00 | | May 19, 2026 | This report is not about a normal textual prefix-expansion case. The issue here is that the authorization layer and the `/config` traversal layer do **not agree on what object the path refers to**. In this case, a path authorized for one config object is accepted, but then… |