CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
page 64 of 77

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32102 |  |  | 0.00 | — | 0.00 |  | Mar 11, 2026 | OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged… |
| CVE-2026-32101 |  |  | 0.00 | — | 0.00 |  | Mar 11, 2026 | StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise) but is called without await in both the POST and PUT handlers. Since a Promise… |
| CVE-2026-31887 |  | — | 0.00 | — | 0.00 |  | Mar 11, 2026 | Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability… |
| CVE-2026-31892 |  |  | 0.00 | — | 0.00 |  | Mar 11, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, a user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a… |
| CVE-2026-28229 |  |  | 0.00 | — | 0.01 |  | Mar 11, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a… |
| CVE-2026-32059 |  |  | 0.00 | — | 0.00 |  | Mar 11, 2026 | OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for the sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with… |
| CVE-2026-31801 |  |  | 0.00 | — | 0.00 |  | Mar 10, 2026 | zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only… |
| CVE-2026-30965 |  |  | 0.00 | — | 0.00 |  | Mar 10, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other… |
| CVE-2026-30947 |  |  | 0.00 | — | 0.00 |  | Mar 10, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any… |
| CVE-2026-26308 |  |  | 0.00 | — | 0.00 |  | Mar 10, 2026 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name.… |
| CVE-2026-30944 |  |  | 0.00 | — | 0.01 |  | Mar 10, 2026 | StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts.… |
| CVE-2026-28513 |  |  | 0.00 | — | 0.00 |  | Mar 9, 2026 | Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and… |
| CVE-2026-30854 |  |  | 0.00 | — | 0.00 |  | Mar 7, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query {… |
| CVE-2026-29196 |  |  | 0.00 | — | 0.00 |  | Mar 7, 2026 | Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts… |
| CVE-2026-29195 |  |  | 0.00 | — | 0.00 |  | Mar 7, 2026 | Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning… |
| CVE-2026-29194 |  |  | 0.00 | — | 0.00 |  | Mar 7, 2026 | Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without… |
| CVE-2026-30820 |  |  | 0.00 | — | 0.00 |  | Mar 7, 2026 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks.… |
| CVE-2026-30241 |  | — | 0.00 | — | 0.00 |  | Mar 6, 2026 | Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but… |
| CVE-2026-30229 |  |  | 0.00 | — | 0.00 |  | Mar 6, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to… |
| CVE-2026-30228 |  |  | 0.00 | — | 0.00 |  | Mar 6, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename).… |