Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3256 vulnerabilities reference this CWE, most recent first.

GHSA-PMC7-HMMW-G96Q

Vulnerability from github – Published: 2024-03-13 21:31 – Updated: 2024-12-04 22:37
VLAI
Summary
Bagisto vulnerable to Insecure Direct Object Reference (IDOR)
Details

Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.0 allows an attacker to obtain sensitive information via the invoice ID parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-15T21:03:01Z",
    "nvd_published_at": "2024-03-13T21:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.0 allows an attacker to obtain sensitive information via the invoice ID parameter.",
  "id": "GHSA-pmc7-hmmw-g96q",
  "modified": "2024-12-04T22:37:43Z",
  "published": "2024-03-13T21:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36238"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/pull/4697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/commit/2a24098cb582e072c87177e0ad17be45f240ad17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Ek-Saini/security/blob/main/IDOR-Bagisto"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bagisto/bagisto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bagisto vulnerable to Insecure Direct Object Reference (IDOR)"
}

GHSA-PMH5-6PJ5-85X2

Vulnerability from github – Published: 2025-02-26 21:30 – Updated: 2025-03-05 00:30
VLAI
Details

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T21:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.",
  "id": "GHSA-pmh5-6pj5-85x2",
  "modified": "2025-03-05T00:30:33Z",
  "published": "2025-02-26T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50687"
    },
    {
      "type": "WEB",
      "url": "https://en.sungrowpower.com/security-notice-detail-2/6114"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMJC-X5XH-P27V

Vulnerability from github – Published: 2025-11-12 06:30 – Updated: 2025-11-12 06:30
VLAI
Details

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T05:15:41Z",
    "severity": "MODERATE"
  },
  "details": "The GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the \u0027post_attachment_upload\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.",
  "id": "GHSA-pmjc-x5xh-p27v",
  "modified": "2025-11-12T06:30:24Z",
  "published": "2025-11-12T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3393024%40geodirectory\u0026new=3393024%40geodirectory\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/geodirectory"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMJJ-H5JM-VXH4

Vulnerability from github – Published: 2025-12-19 15:31 – Updated: 2025-12-20 17:41
VLAI
Summary
pretix has Broken Access Control Allowing Cross-User File Access via UUID
Details

An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2025.10.0"
            },
            {
              "fixed": "2025.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2025.9.0"
            },
            {
              "fixed": "2025.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2025.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-14882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-20T17:41:16Z",
    "nvd_published_at": "2025-12-19T13:16:02Z",
    "severity": "LOW"
  },
  "details": "An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.",
  "id": "GHSA-pmjj-h5jm-vxh4",
  "modified": "2025-12-20T17:41:16Z",
  "published": "2025-12-19T15:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pretix/pretix/commit/4b5651862c57c6e384822d1d23292342126c479a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pretix/pretix"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20251219-release-2025-10-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pretix has Broken Access Control Allowing Cross-User File Access via UUID"
}

GHSA-PMQC-V2G6-QW5W

Vulnerability from github – Published: 2024-02-08 12:30 – Updated: 2026-05-20 12:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse.This issue affects MİA-MED: before 1.0.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-08T10:15:11Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. M\u0130A-MED allows Authentication Abuse.This issue affects M\u0130A-MED: before 1.0.7.",
  "id": "GHSA-pmqc-v2g6-qw5w",
  "modified": "2026-05-20T12:30:35Z",
  "published": "2024-02-08T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6515"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0087"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMV9-7F92-57XH

Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-25 21:30
VLAI
Details

An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T15:15:14Z",
    "severity": "MODERATE"
  },
  "details": "An authorization bypass through user-controlled key\u00a0[CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.",
  "id": "GHSA-pmv9-7f92-57xh",
  "modified": "2024-09-25T21:30:33Z",
  "published": "2024-09-10T15:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44254"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-204"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP3P-6JJH-RMG7

Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:42
VLAI
Summary
usememos/memos Improper Access Control vulnerability
Details

An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others' public and private memos.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T22:09:17Z",
    "nvd_published_at": "2022-12-28T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others\u0027 public and private memos.",
  "id": "GHSA-pp3p-6jjh-rmg7",
  "modified": "2023-01-10T15:42:32Z",
  "published": "2022-12-28T15:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/2c7101bc-e6d8-4cd0-9003-bc8d86f4e4be"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "usememos/memos Improper Access Control vulnerability"
}

GHSA-PP3Q-3FPH-XPQH

Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-01-29 18:31
VLAI
Details

A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T17:16:08Z",
    "severity": "MODERATE"
  },
  "details": "A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.",
  "id": "GHSA-pp3q-3fph-xpqh",
  "modified": "2026-01-29T18:31:42Z",
  "published": "2026-01-28T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Oneflow-Inc/oneflow/issues/10665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Daisy2ang"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Oneflow-Inc/oneflow"
    },
    {
      "type": "WEB",
      "url": "http://oneflow.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP44-53WG-RWWX

Vulnerability from github – Published: 2025-07-31 15:35 – Updated: 2025-07-31 18:32
VLAI
Details

CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T15:15:36Z",
    "severity": "HIGH"
  },
  "details": "CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users\u0027 accounts and toggle the sticker setting by modifying the company_id or other object identifiers.",
  "id": "GHSA-pp44-53wg-rwwx",
  "modified": "2025-07-31T18:32:03Z",
  "published": "2025-07-31T15:35:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50849"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50849.md"
    },
    {
      "type": "WEB",
      "url": "http://cs.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP66-R2H3-JCWQ

Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2024-01-10 18:30
VLAI
Details

An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T18:15:46Z",
    "severity": "MODERATE"
  },
  "details": "An\u00a0Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.",
  "id": "GHSA-pp66-r2h3-jcwq",
  "modified": "2024-01-10T18:30:28Z",
  "published": "2024-01-10T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48783"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.