CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
Page 66 of 77

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-25890 | | | 0.00 | — | 0.00 | | Feb 9, 2026 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By… |
| CVE-2026-25598 | | | 0.00 | — | 0.00 | | Feb 9, 2026 | Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging.… |
| CVE-2026-23989 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service this can… |
| CVE-2026-24851 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 (openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy… |
| CVE-2026-23632 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents()… |
| CVE-2025-67856 | | | 0.00 | — | 0.00 | | Feb 3, 2026 | A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to,… |
| CVE-2026-24780 | | | 0.00 | — | 0.01 | | Jan 29, 2026 | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow… |
| CVE-2026-24748 | | | 0.00 | — | 0.00 | | Jan 27, 2026 | Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization`… |
| CVE-2025-66719 | | | 0.00 | — | 0.00 | | Jan 23, 2026 | An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers… |
| CVE-2026-23517 | | | 0.00 | — | 0.00 | | Jan 21, 2026 | Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view… |
| CVE-2026-22822 | | | 0.00 | — | 0.00 | | Jan 21, 2026 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets… |
| CVE-2025-59020 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | By exploiting the defVals parameter, attackers could bypass field-level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write… |
| CVE-2026-22595 | | | 0.00 | — | 0.00 | | Jan 10, 2026 | Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session… |
| CVE-2026-22253 | | | 0.00 | — | 0.00 | | Jan 8, 2026 | Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The… |
| CVE-2026-21896 | | | 0.00 | — | 0.00 | | Jan 8, 2026 | Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write… |
| CVE-2025-68941 | | | 0.00 | — | 0.00 | | Dec 26, 2025 | Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. |
| CVE-2025-68940 | | | 0.00 | — | 0.00 | | Dec 26, 2025 | In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. |
| CVE-2025-68938 | | | 0.00 | — | 0.00 | | Dec 26, 2025 | Gitea before 1.25.2 mishandles authorization for deletion of releases. |
| CVE-2025-64641 | | | 0.00 | — | 0.00 | | Dec 24, 2025 | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin, which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users… |
| CVE-2025-13767 | | | 0.00 | — | 0.00 | | Dec 24, 2025 | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post… |