Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3256 vulnerabilities reference this CWE, most recent first.

GHSA-Q3F8-QFX4-GQ35

Vulnerability from github – Published: 2026-02-19 15:30 – Updated: 2026-06-05 12:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection.This issue affects Envanty: before 1.0.6.  

NOTE: The vendor was contacted early about this disclosure but did not respond in any way. The vulnerability was learned to be remediated through reporter information and testing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9062"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T11:15:57Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection.This issue affects Envanty: before 1.0.6.\u00a0\u00a0\n\nNOTE: The vendor was contacted early about this disclosure but did not respond in any way. \nThe vulnerability was learned to be remediated through reporter information and testing.",
  "id": "GHSA-q3f8-qfx4-gq35",
  "modified": "2026-06-05T12:31:44Z",
  "published": "2026-02-19T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9062"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0076"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-26-0076"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3V6-HM2V-PW99

Vulnerability from github – Published: 2024-12-02 15:31 – Updated: 2025-01-24 21:31
VLAI
Summary
Spring Framework has Authorization Bypass for Case Sensitive Comparisons
Details

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.7.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.8.0"
            },
            {
              "fixed": "5.8.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0"
            },
            {
              "fixed": "6.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.3.0"
            },
            {
              "fixed": "6.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T20:04:17Z",
    "nvd_published_at": "2024-12-02T15:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The usage of String.toLowerCase()\u00a0and String.toUpperCase()\u00a0has some Locale\u00a0dependent exceptions that could potentially result in authorization rules not working properly.",
  "id": "GHSA-q3v6-hm2v-pw99",
  "modified": "2025-01-24T21:31:27Z",
  "published": "2024-12-02T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/issues/33708"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/issues/34232"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-projects/spring-security"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250124-0007"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2024-38827"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Spring Framework has Authorization Bypass for Case Sensitive Comparisons"
}

GHSA-Q43X-GH6J-72HR

Vulnerability from github – Published: 2025-05-09 09:33 – Updated: 2025-05-09 09:33
VLAI
Details

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the flr_blocks_user_settings_handle_ajax_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-09T07:16:10Z",
    "severity": "CRITICAL"
  },
  "details": "The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email via the flr_blocks_user_settings_handle_ajax_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account.",
  "id": "GHSA-q43x-gh6j-72hr",
  "modified": "2025-05-09T09:33:21Z",
  "published": "2025-05-09T09:33:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3605"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/frontend-login-and-registration-blocks/trunk/inc/class-flr-blocks-user-settings.php#L59"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c11668c-6dc3-4539-b2be-bf6528bed73e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q477-JXCV-9PXW

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35
VLAI
Details

An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Gitlab CE/EE versions \u003e= 13.1 to \u003c13.4.7, \u003e= 13.5 to \u003c13.5.5, and \u003e= 13.6 to \u003c13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.",
  "id": "GHSA-q477-jxcv-9pxw",
  "modified": "2022-05-24T17:35:59Z",
  "published": "2022-05-24T17:35:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13357"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/962408"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13357.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241132"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q4CR-CJQ5-H3M4

Vulnerability from github – Published: 2026-05-12 12:32 – Updated: 2026-05-12 12:32
VLAI
Details

Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers.

This issue affects BAPSİS: before v.202604152042.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T10:16:48Z",
    "severity": "HIGH"
  },
  "details": "Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPS\u0130S allows Exploitation of Trusted Identifiers.\n\nThis issue affects BAPS\u0130S: before v.202604152042.",
  "id": "GHSA-q4cr-cjq5-h3m4",
  "modified": "2026-05-12T12:32:15Z",
  "published": "2026-05-12T12:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6001"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0223"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q4CX-MM7J-89XJ

Vulnerability from github – Published: 2026-06-09 06:31 – Updated: 2026-06-09 06:31
VLAI
Details

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the six_storage_get_user_info and six_storage_update_profile AJAX actions. This is due to the six_storage_getUserInfo() and six_storage_updateProfile() functions being registered on wp_ajax_nopriv_* hooks and accepting a tenant identifier directly from $_POST['userId'] without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated userId value in a crafted request to either handler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T05:16:41Z",
    "severity": "HIGH"
  },
  "details": "The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST[\u0027userId\u0027]` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants\u0027 profile data \u2014 including name, email address, phone number, physical address, and SSN \u2014 by supplying an enumerated `userId` value in a crafted request to either handler.",
  "id": "GHSA-q4cx-mm7j-89xj",
  "modified": "2026-06-09T06:31:59Z",
  "published": "2026-06-09T06:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9185"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L11"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L1931"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L1955"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L995"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L998"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L11"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L1931"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L1955"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L995"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L998"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74fa4240-6f62-4db6-b7e7-56998fc29e42?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q552-8MHX-P6Q2

Vulnerability from github – Published: 2025-02-26 21:30 – Updated: 2025-03-05 00:30
VLAI
Details

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T21:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model.",
  "id": "GHSA-q552-8mhx-p6q2",
  "modified": "2025-03-05T00:30:33Z",
  "published": "2025-02-26T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50689"
    },
    {
      "type": "WEB",
      "url": "https://en.sungrowpower.com/security-notice-detail-2/6116"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5P4-G7M4-MHV3

Vulnerability from github – Published: 2026-03-11 12:31 – Updated: 2026-03-11 12:31
VLAI
Details

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the store_settings() method in the ExactMetrics_Onboarding class accepting a user-supplied triggered_by parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the exactmetrics_save_settings capability to bypass the install_plugins capability check by specifying an administrator's user ID in the triggered_by parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1992"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-11T10:16:13Z",
    "severity": "HIGH"
  },
  "details": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user\u0027s ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator\u0027s user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.",
  "id": "GHSA-q5p4-g7m4-mhv3",
  "modified": "2026-03-11T12:31:22Z",
  "published": "2026-03-11T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1992"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php#L273"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php?old=3309894\u0026old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Fclass-exactmetrics-onboarding.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79b6b896-df66-4c3d-a4d4-d3dbeb630134?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q658-FH2M-CGVF

Vulnerability from github – Published: 2024-02-06 00:30 – Updated: 2026-04-08 21:32
VLAI
Details

The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-05T22:16:00Z",
    "severity": "MODERATE"
  },
  "details": "The Starbox \u2013 the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.",
  "id": "GHSA-q658-fh2m-cgvf",
  "modified": "2026-04-08T21:32:12Z",
  "published": "2024-02-06T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0366"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1\u0026old=3000701\u0026old_path=%2Fstarbox%2Ftrunk"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1\u0026old=3000701\u0026old_path=/starbox/trunk"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6MX-QVHP-FQMG

Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-16 21:30
VLAI
Details

n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the externalSecret:list scope can embed external secret references into credentials in forms the static validation does not detect; these references resolve at workflow execution time, exposing secret values the user is not authorized to access. This issue only affects instances where an external secrets provider is configured and Advanced Permissions are in use.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-59259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-15T12:18:17Z",
    "severity": "MODERATE"
  },
  "details": "n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the externalSecret:list scope can embed external secret references into credentials in forms the static validation does not detect; these references resolve at workflow execution time, exposing secret values the user is not authorized to access. This issue only affects instances where an external secrets provider is configured and Advanced Permissions are in use.",
  "id": "GHSA-q6mx-qvhp-fqmg",
  "modified": "2026-07-16T21:30:33Z",
  "published": "2026-07-15T12:32:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jp7m-xcgx-57qm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59259"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/n8n-permission-bypass-via-expression-parser-mismatch-in-external-secrets"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.