CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3258 vulnerabilities reference this CWE, most recent first.
GHSA-P628-386J-64H8
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread.
{
"affected": [],
"aliases": [
"CVE-2020-27742"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-28T19:15:00Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else\u0027s emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived \"Multiple Security Vulnerabilities in WebCit 926\" thread.",
"id": "GHSA-p628-386j-64h8",
"modified": "2022-05-24T17:32:37Z",
"published": "2022-05-24T17:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27742"
},
{
"type": "WEB",
"url": "https://www.citadel.org"
},
{
"type": "WEB",
"url": "http://uncensored.citadel.org/readfwd?go=Citadel%20Security?start_reading_at=4592834"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P652-XCGX-F85M
Vulnerability from github – Published: 2024-08-29 17:59 – Updated: 2024-08-30 14:33An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "12.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "10.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45232"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-29T17:59:02Z",
"nvd_published_at": "2024-08-29T00:15:09Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (`plugin.tx_powermail.settings.db.enable=1`), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.",
"id": "GHSA-p652-xcgx-f85m",
"modified": "2024-08-30T14:33:54Z",
"published": "2024-08-29T17:59:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45232"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/061756732357206f2f13bf39a0676dd266ec9586"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/ac402d4972c77dd119c8db6ffe594c15e8ae0bc5"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/e2ddfaa06d29019d60be02b5a3da04b237ed760b"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/f58d70311799ae5f6acbec52ea9206d21eba91bb"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-45232.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/in2code-de/powermail"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "\"powermail\" (powermail) Insecure Direct Object Reference (IDOR)"
}
GHSA-P6PV-Q7RC-G4H9
Vulnerability from github – Published: 2026-02-05 21:13 – Updated: 2026-02-13 17:16Unauthenticated users can view completed guest orders by Order ID (GHSL-2026-029)
The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.
Order lookup without enforcing token requirement in OrdersController#show:
@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first
Authorization bypass for guest orders in authorize_access:
def authorize_access
return true if @order.user_id.nil?
@order.user == try_spree_current_user
end
If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)
Proof of Concept
- As a guest create a complete order.
- Fetch the latest Order ID from the database (Table:
spree_orders). - In another clean browser access following URL:
<SPREE-HOST>/orders/<ORDER-ID>. (Sample:http://localhost:3000/orders/R496592563)
=> Full guest order details are disclosed including names, addresses and limited payment info.
Impact
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
CWEs
- CWE-639: Authorization Bypass Through User-Controlled Key
Credit
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25757"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T21:13:24Z",
"nvd_published_at": "2026-02-06T23:15:54Z",
"severity": "HIGH"
},
"details": "### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)\n\nThe `OrdersController#show` action permits viewing completed guest orders by order number alone, without requiring the associated order token.\n\nOrder lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):\n\n```ruby\n@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first\n```\n\nAuthorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):\n```ruby\ndef authorize_access\n return true if @order.user_id.nil?\n\n @order.user == try_spree_current_user\nend\n```\n\nIf the attacker is in possession of a leaked Order ID, they might look it up directly via this API.\nAlternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45), but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)\n\n\n#### Proof of Concept\n\n1. As a guest create a complete order.\n2. Fetch the latest Order ID from the database (Table: `spree_orders`).\n3. In another clean browser access following URL: `\u003cSPREE-HOST\u003e/orders/\u003cORDER-ID\u003e`. (Sample: `http://localhost:3000/orders/R496592563`)\n\n=\u003e Full guest order details are disclosed including names, addresses and limited payment info.\n\n#### Impact\n\nThis issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).\n\n#### CWEs\n\n- CWE-639: Authorization Bypass Through User-Controlled Key\n\n### Credit\n\nThis issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter St\u00f6ckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).\n\n### Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
"id": "GHSA-p6pv-q7rc-g4h9",
"modified": "2026-02-13T17:16:21Z",
"published": "2026-02-05T21:13:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25757"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_storefront/CVE-2026-25757.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/spree/spree"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Unauthenticated Spree Commerce users can view completed guest orders by Order ID"
}
GHSA-P6WV-4RVR-M4FH
Vulnerability from github – Published: 2025-01-11 09:30 – Updated: 2026-04-08 18:33The Unlimited Theme Addon For Elementor and WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.1 via the 'uta-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-12116"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T08:15:24Z",
"severity": "MODERATE"
},
"details": "The Unlimited Theme Addon For Elementor and WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.1 via the \u0027uta-template\u0027 shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
"id": "GHSA-p6wv-4rvr-m4fh",
"modified": "2026-04-08T18:33:47Z",
"published": "2025-01-11T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12116"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3220786%40unlimited-theme-addons\u0026new=3220786%40unlimited-theme-addons\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/unlimited-theme-addons"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbdb6cc-2a00-4d34-9c11-62f3d1b51c73?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6XJ-35FM-QGMF
Vulnerability from github – Published: 2025-03-11 21:30 – Updated: 2026-04-01 18:33Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6.
{
"affected": [],
"aliases": [
"CVE-2025-28874"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T21:15:44Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6.",
"id": "GHSA-p6xj-35fm-qgmf",
"modified": "2026-04-01T18:33:56Z",
"published": "2025-03-11T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28874"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/bp-email-assign-templates/vulnerability/wordpress-bp-email-assign-templates-by-shanebp-plugin-1-6-arbitrary-content-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P76W-G4QC-7G8W
Vulnerability from github – Published: 2023-08-14 21:30 – Updated: 2024-04-04 06:55An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key.
{
"affected": [],
"aliases": [
"CVE-2023-28481"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-14T19:15:10Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key.",
"id": "GHSA-p76w-g4qc-7g8w",
"modified": "2024-04-04T06:55:16Z",
"published": "2023-08-14T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28481"
},
{
"type": "WEB",
"url": "https://neo4j.com/security/cve-2023-28481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P79F-679R-6P3W
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.
{
"affected": [],
"aliases": [
"CVE-2019-9170"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-17T17:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.",
"id": "GHSA-p79f-679r-6p3w",
"modified": "2022-05-13T01:23:02Z",
"published": "2022-05-13T01:23:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9170"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/blog/categories/releases"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/51971"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8P5-G7RX-Q44C
Vulnerability from github – Published: 2026-07-02 06:34 – Updated: 2026-07-02 06:34The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.
{
"affected": [],
"aliases": [
"CVE-2026-5348"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T06:16:14Z",
"severity": "MODERATE"
},
"details": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the \u0027/topics\u0027 REST API endpoint being registered with a permission callback set to \u0027__return_true\u0027, allowing unauthenticated access to course curriculum data without verifying the course\u0027s post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.",
"id": "GHSA-p8p5-g7rx-q44c",
"modified": "2026-07-02T06:34:05Z",
"published": "2026-07-02T06:34:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5348"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3592849%40academy\u0026new=3592849%40academy\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8P9-5953-H9JW
Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 20:56Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The AddMessage and UpdateMessage conversation controllers accept user-supplied file attachment IDs and load files directly via $em->find(File::class, $attachmentID) without checking per-file permissions (canViewFile()). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. If a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-7886"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T18:52:03Z",
"nvd_published_at": "2026-05-21T22:16:49Z",
"severity": "LOW"
},
"details": "Concrete CMS 9.5.0 and below is vulnerable to\u00a0IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.\u00a0The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em-\u003efind(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. If a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won\u0027t be able to view the file.",
"id": "GHSA-p8p9-5953-h9jw",
"modified": "2026-06-24T20:56:41Z",
"published": "2026-05-22T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7886"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS is vulnerable to\u00a0IDOR in AddMessage/UpdateMessage"
}
GHSA-P99H-PFG6-QRFG
Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2024-09-30 18:51Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6mjg-37cp-42x5. This link is maintained to preserve external references.
Original Description
SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sap-xssec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-639",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-15T03:18:45Z",
"nvd_published_at": "2023-12-12T02:15:08Z",
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-6mjg-37cp-42x5. This link is maintained to preserve external references.\n\n## Original Description\nSAP\u00a0BTP\u00a0Security Services Integration Library ([Python]\u00a0sap-xssec) - versions \u003c 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\n\n",
"id": "GHSA-p99h-pfg6-qrfg",
"modified": "2024-09-30T18:51:33Z",
"published": "2023-12-12T03:31:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50423"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067"
},
{
"type": "PACKAGE",
"url": "https://github.com/SAP/cloud-pysec"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3411067"
},
{
"type": "WEB",
"url": "https://pypi.org/project/sap-xssec"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Privilege escalation in sap-xssec",
"withdrawn": "2024-09-30T18:51:33Z"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.