CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3256 vulnerabilities reference this CWE, most recent first.
GHSA-PMC7-HMMW-G96Q
Vulnerability from github – Published: 2024-03-13 21:31 – Updated: 2024-12-04 22:37Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.0 allows an attacker to obtain sensitive information via the invoice ID parameter.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "bagisto/bagisto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-36238"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-15T21:03:01Z",
"nvd_published_at": "2024-03-13T21:15:53Z",
"severity": "MODERATE"
},
"details": "Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.0 allows an attacker to obtain sensitive information via the invoice ID parameter.",
"id": "GHSA-pmc7-hmmw-g96q",
"modified": "2024-12-04T22:37:43Z",
"published": "2024-03-13T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36238"
},
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/pull/4697"
},
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/commit/2a24098cb582e072c87177e0ad17be45f240ad17"
},
{
"type": "WEB",
"url": "https://github.com/Ek-Saini/security/blob/main/IDOR-Bagisto"
},
{
"type": "PACKAGE",
"url": "https://github.com/bagisto/bagisto"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Bagisto vulnerable to Insecure Direct Object Reference (IDOR)"
}
GHSA-PMH5-6PJ5-85X2
Vulnerability from github – Published: 2025-02-26 21:30 – Updated: 2025-03-05 00:30SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.
{
"affected": [],
"aliases": [
"CVE-2024-50687"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T21:15:17Z",
"severity": "CRITICAL"
},
"details": "SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.",
"id": "GHSA-pmh5-6pj5-85x2",
"modified": "2025-03-05T00:30:33Z",
"published": "2025-02-26T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50687"
},
{
"type": "WEB",
"url": "https://en.sungrowpower.com/security-notice-detail-2/6114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMJC-X5XH-P27V
Vulnerability from github – Published: 2025-11-12 06:30 – Updated: 2025-11-12 06:30The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.
{
"affected": [],
"aliases": [
"CVE-2025-12833"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T05:15:41Z",
"severity": "MODERATE"
},
"details": "The GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the \u0027post_attachment_upload\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.",
"id": "GHSA-pmjc-x5xh-p27v",
"modified": "2025-11-12T06:30:24Z",
"published": "2025-11-12T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12833"
},
{
"type": "WEB",
"url": "https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3393024%40geodirectory\u0026new=3393024%40geodirectory\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/geodirectory"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMJJ-H5JM-VXH4
Vulnerability from github – Published: 2025-12-19 15:31 – Updated: 2025-12-20 17:41An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "2025.10.0"
},
{
"fixed": "2025.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "2025.9.0"
},
{
"fixed": "2025.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-14882"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-20T17:41:16Z",
"nvd_published_at": "2025-12-19T13:16:02Z",
"severity": "LOW"
},
"details": "An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.",
"id": "GHSA-pmjj-h5jm-vxh4",
"modified": "2025-12-20T17:41:16Z",
"published": "2025-12-19T15:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14882"
},
{
"type": "WEB",
"url": "https://github.com/pretix/pretix/commit/4b5651862c57c6e384822d1d23292342126c479a"
},
{
"type": "PACKAGE",
"url": "https://github.com/pretix/pretix"
},
{
"type": "WEB",
"url": "https://pretix.eu/about/en/blog/20251219-release-2025-10-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "pretix has Broken Access Control Allowing Cross-User File Access via UUID"
}
GHSA-PMQC-V2G6-QW5W
Vulnerability from github – Published: 2024-02-08 12:30 – Updated: 2026-05-20 12:30Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse.This issue affects MİA-MED: before 1.0.7.
{
"affected": [],
"aliases": [
"CVE-2023-6515"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-08T10:15:11Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. M\u0130A-MED allows Authentication Abuse.This issue affects M\u0130A-MED: before 1.0.7.",
"id": "GHSA-pmqc-v2g6-qw5w",
"modified": "2026-05-20T12:30:35Z",
"published": "2024-02-08T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6515"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0087"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMV9-7F92-57XH
Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-25 21:30An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2023-44254"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T15:15:14Z",
"severity": "MODERATE"
},
"details": "An authorization bypass through user-controlled key\u00a0[CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.",
"id": "GHSA-pmv9-7f92-57xh",
"modified": "2024-09-25T21:30:33Z",
"published": "2024-09-10T15:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44254"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-204"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PP3P-6JJH-RMG7
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:42An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others' public and private memos.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4806"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T22:09:17Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others\u0027 public and private memos.",
"id": "GHSA-pp3p-6jjh-rmg7",
"modified": "2023-01-10T15:42:32Z",
"published": "2022-12-28T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4806"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/2c7101bc-e6d8-4cd0-9003-bc8d86f4e4be"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos Improper Access Control vulnerability"
}
GHSA-PP3Q-3FPH-XPQH
Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-01-29 18:31A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.
{
"affected": [],
"aliases": [
"CVE-2025-65887"
],
"database_specific": {
"cwe_ids": [
"CWE-369",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T17:16:08Z",
"severity": "MODERATE"
},
"details": "A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.",
"id": "GHSA-pp3q-3fph-xpqh",
"modified": "2026-01-29T18:31:42Z",
"published": "2026-01-28T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65887"
},
{
"type": "WEB",
"url": "https://github.com/Oneflow-Inc/oneflow/issues/10665"
},
{
"type": "WEB",
"url": "https://github.com/Daisy2ang"
},
{
"type": "WEB",
"url": "https://github.com/Oneflow-Inc/oneflow"
},
{
"type": "WEB",
"url": "http://oneflow.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP44-53WG-RWWX
Vulnerability from github – Published: 2025-07-31 15:35 – Updated: 2025-07-31 18:32CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers.
{
"affected": [],
"aliases": [
"CVE-2025-50849"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-31T15:15:36Z",
"severity": "HIGH"
},
"details": "CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users\u0027 accounts and toggle the sticker setting by modifying the company_id or other object identifiers.",
"id": "GHSA-pp44-53wg-rwwx",
"modified": "2025-07-31T18:32:03Z",
"published": "2025-07-31T15:35:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50849"
},
{
"type": "WEB",
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50849.md"
},
{
"type": "WEB",
"url": "http://cs.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP66-R2H3-JCWQ
Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2024-01-10 18:30An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.
{
"affected": [],
"aliases": [
"CVE-2023-48783"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-10T18:15:46Z",
"severity": "MODERATE"
},
"details": "An\u00a0Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.",
"id": "GHSA-pp66-r2h3-jcwq",
"modified": "2024-01-10T18:30:28Z",
"published": "2024-01-10T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48783"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.