CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3258 vulnerabilities reference this CWE, most recent first.
GHSA-P26R-GFGC-C47H
Vulnerability from github – Published: 2024-10-14 18:30 – Updated: 2024-12-12 17:51An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere v3.4.1 and v4.1.1 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kubesphere/kubesphere"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kubesphere/kubesphere"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-46528"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-01T20:35:14Z",
"nvd_published_at": "2024-10-14T18:15:03Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere v3.4.1 and v4.1.1 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks.",
"id": "GHSA-p26r-gfgc-c47h",
"modified": "2024-12-12T17:51:25Z",
"published": "2024-10-14T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46528"
},
{
"type": "WEB",
"url": "https://github.com/kubesphere/kubesphere/issues/6227"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubesphere/kubesphere"
},
{
"type": "WEB",
"url": "https://kubesphere.io"
},
{
"type": "WEB",
"url": "https://okankurtulus.com.tr/2024/09/09/idor-vulnerability-in-kubesphere"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3248"
},
{
"type": "WEB",
"url": "https://www.kubesphere.io/news/kubesphere-cve-2024-46528"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "KubeSphere IDOR vulnerability"
}
GHSA-P2V5-84J7-PC37
Vulnerability from github – Published: 2026-07-02 12:30 – Updated: 2026-07-02 12:30The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.
{
"affected": [],
"aliases": [
"CVE-2026-12657"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T10:16:27Z",
"severity": "MODERATE"
},
"details": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the \u0027service_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.",
"id": "GHSA-p2v5-84j7-pc37",
"modified": "2026-07-02T12:30:59Z",
"published": "2026-07-02T12:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12657"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L244"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L341"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1202"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1618"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1710"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L244"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L341"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1202"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1618"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1710"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584059%40latepoint\u0026new=3584059%40latepoint\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09588c2a-1631-4924-8277-d47f096493c5?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P2VX-QJ66-88Q3
Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2024-09-30 13:40SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sap/xssec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49583"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-639",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-20T17:57:49Z",
"nvd_published_at": "2023-12-12T02:15:07Z",
"severity": "CRITICAL"
},
"details": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Node.js] @sap/xssec - versions \u003c 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\n\n",
"id": "GHSA-p2vx-qj66-88q3",
"modified": "2024-09-30T13:40:50Z",
"published": "2023-12-12T03:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49583"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3411067"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3412456"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3413475"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@sap/xssec"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Escalation of privileges in @sap/xssec"
}
GHSA-P39J-8498-PCJW
Vulnerability from github – Published: 2026-07-03 18:31 – Updated: 2026-07-03 18:31A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.
{
"affected": [],
"aliases": [
"CVE-2026-14614"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T16:16:55Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the ClientResource component of Keycloak\u0027s admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.",
"id": "GHSA-p39j-8498-pcjw",
"modified": "2026-07-03T18:31:06Z",
"published": "2026-07-03T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14614"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-14614"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496889"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P3RH-58J4-QHHQ
Vulnerability from github – Published: 2025-03-09 18:30 – Updated: 2025-03-09 18:30A vulnerability has been found in Control iD RH iD 25.2.25.0 and classified as problematic. This vulnerability affects unknown code of the file /v2/report.svc/comprovante_marcacao/?companyId=1 of the component PDF Document Handler. The manipulation of the argument nsr leads to improper control of resource identifiers. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-2125"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-09T16:15:12Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Control iD RH iD 25.2.25.0 and classified as problematic. This vulnerability affects unknown code of the file /v2/report.svc/comprovante_marcacao/?companyId=1 of the component PDF Document Handler. The manipulation of the argument nsr leads to improper control of resource identifiers. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-p3rh-58j4-qhhq",
"modified": "2025-03-09T18:30:52Z",
"published": "2025-03-09T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2125"
},
{
"type": "WEB",
"url": "https://github.com/yago3008/cves"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.299038"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.299038"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.509856"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P3RQ-F799-8PW3
Vulnerability from github – Published: 2024-11-01 12:30 – Updated: 2024-11-05 09:30A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2024-10654"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T12:15:03Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-p3rq-f799-8pw3",
"modified": "2024-11-05T09:30:37Z",
"published": "2024-11-01T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10654"
},
{
"type": "WEB",
"url": "https://github.com/c0nyy/IoT_vuln/blob/main/TOTOLINK%20LR350%20Vuln.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.282667"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.282667"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.434801"
},
{
"type": "WEB",
"url": "https://www.totolink.net"
},
{
"type": "WEB",
"url": "https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/231/ids/36.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P458-C575-82FH
Vulnerability from github – Published: 2023-12-12 09:30 – Updated: 2023-12-12 09:30Archer Platform 6.x before 6.14 P1 HF2 (6.14.0.1.2) contains an insecure direct object reference vulnerability. An authenticated malicious user in a multi-instance installation could potentially exploit this vulnerability by manipulating application resource references in user requests to bypass authorization checks, in order to gain execute access to AWF application resources.
{
"affected": [],
"aliases": [
"CVE-2023-48641"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T08:15:07Z",
"severity": "HIGH"
},
"details": "Archer Platform 6.x before 6.14 P1 HF2 (6.14.0.1.2) contains an insecure direct object reference vulnerability. An authenticated malicious user in a multi-instance installation could potentially exploit this vulnerability by manipulating application resource references in user requests to bypass authorization checks, in order to gain execute access to AWF application resources.",
"id": "GHSA-p458-c575-82fh",
"modified": "2023-12-12T09:30:32Z",
"published": "2023-12-12T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48641"
},
{
"type": "WEB",
"url": "https://www.archerirm.community/t5/platform-announcements/archer-update-for-multiple-vulnerabilities/ta-p/711859"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P5HV-VFXR-C3G7
Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress's user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.
{
"affected": [],
"aliases": [
"CVE-2021-24892"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-23T20:15:00Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference in edit function of Advanced Forms (Free \u0026 Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user\u0027s email address and request for reset password, which could lead to take over of WordPress\u0027s administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress\u0027s user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.",
"id": "GHSA-p5hv-vfxr-c3g7",
"modified": "2022-05-24T19:21:13Z",
"published": "2022-05-24T19:21:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24892"
},
{
"type": "WEB",
"url": "https://github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c562995bc6a994d3a2"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P5JR-RFJ3-98F5
Vulnerability from github – Published: 2024-01-02 21:30 – Updated: 2024-01-08 21:30An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.
{
"affected": [],
"aliases": [
"CVE-2023-45892"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T21:15:09Z",
"severity": "HIGH"
},
"details": "An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.",
"id": "GHSA-p5jr-rfj3-98f5",
"modified": "2024-01-08T21:30:32Z",
"published": "2024-01-02T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45892"
},
{
"type": "WEB",
"url": "https://github.com/Oracle-Security/CVEs/blob/main/FloorsightSoftware/CVE-2023-45892.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5V5-V74Q-W38H
Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.
{
"affected": [],
"aliases": [
"CVE-2026-10140"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T20:17:27Z",
"severity": "CRITICAL"
},
"details": "IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.",
"id": "GHSA-p5v5-v74q-w38h",
"modified": "2026-06-30T21:31:44Z",
"published": "2026-06-30T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10140"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7278209"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.