CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3256 vulnerabilities reference this CWE, most recent first.
GHSA-QGH2-CJFR-4XRC
Vulnerability from github – Published: 2025-01-14 03:31 – Updated: 2025-01-14 03:31In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.
{
"affected": [],
"aliases": [
"CVE-2025-0058"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T01:15:16Z",
"severity": "MODERATE"
},
"details": "In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.",
"id": "GHSA-qgh2-cjfr-4xrc",
"modified": "2025-01-14T03:31:41Z",
"published": "2025-01-14T03:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0058"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3542698"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QGWF-V74M-338M
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2025-04-20 03:34Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.
{
"affected": [],
"aliases": [
"CVE-2017-0882"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-28T02:59:00Z",
"severity": "MODERATE"
},
"details": "Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.",
"id": "GHSA-qgwf-v74m-338m",
"modified": "2025-04-20T03:34:58Z",
"published": "2022-05-13T01:38:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0882"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/43f5a2739dbf8f5c4c16a79f98e2630888f6b5d1"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/cdf396f456472ef8decd9598daa8dc0097cd30c5"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/29661"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97157"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QH29-9J77-HQW6
Vulnerability from github – Published: 2024-04-09 21:31 – Updated: 2026-04-08 18:32The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to obtain information on orders placed by other users and guests, which can be leveraged to sign up for paid courses that were purchased by guests. Emails of other users are also exposed.
{
"affected": [],
"aliases": [
"CVE-2024-1289"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:15Z",
"severity": "MODERATE"
},
"details": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to obtain information on orders placed by other users and guests, which can be leveraged to sign up for paid courses that were purchased by guests. Emails of other users are also exposed.",
"id": "GHSA-qh29-9j77-hqw6",
"modified": "2026-04-08T18:32:53Z",
"published": "2024-04-09T21:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1289"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3042945%40learnpress%2Ftags%2F4.2.6.3\u0026new=3061851%40learnpress%2Ftags%2F4.2.6.4"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c410d91-08cc-496d-9c8e-c57f107399da?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QH32-G7XQ-VJJ8
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12The vRealize Operations Manager API (8.x prior to 8.5) has insecure object reference vulnerability. A malicious actor with administrative access to vRealize Operations Manager API may be able to modify other users information leading to an account takeover.
{
"affected": [],
"aliases": [
"CVE-2021-22023"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-30T18:15:00Z",
"severity": "HIGH"
},
"details": "The vRealize Operations Manager API (8.x prior to 8.5) has insecure object reference vulnerability. A malicious actor with administrative access to vRealize Operations Manager API may be able to modify other users information leading to an account takeover.",
"id": "GHSA-qh32-g7xq-vjj8",
"modified": "2022-05-24T19:12:29Z",
"published": "2022-05-24T19:12:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22023"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2021-0018.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QH45-9G5P-M2V4
Vulnerability from github – Published: 2026-07-02 18:48 – Updated: 2026-07-02 18:48We have identified an authorization issue in Craft CMS AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId.
Description
Craft CMS’s craft\\controllers\\AssetsController::actionReplaceFile() supports replacing a target asset file using another existing asset as the source. The action loads:
$assetToReplacefromassetId$sourceAssetfromsourceAssetId
It then enforces replace permissions using ($assetToReplace ?: $sourceAsset). When both IDs are provided, this expression resolves to the target asset so no permission check is performed against the source asset volume.
$this->requireVolumePermissionByAsset('replaceFiles', $assetToReplace ?: $sourceAsset);
$this->requirePeerVolumePermissionByAsset('replacePeerFiles', $assetToReplace ?: $sourceAsset);
src/controllers/AssetsController.php:L433-L434
In the branch where both assets are present, Craft copies the source file into the target and then deletes the source asset. There is no check for deleteAssets:<sourceVolumeUid> or deletePeerAssets:<sourceVolumeUid> for the source asset before deletion.
$assets->replaceAssetFile($assetToReplace, $tempPath, $assetToReplace->getFilename(), $sourceAsset->getMimeType());
Craft::$app->getElements()->deleteElement($sourceAsset);
src/controllers/AssetsController.php:L462-L463
Impact
An authenticated user who can replace files in one volume can delete assets in another volume where they do not have delete permission, as long as they can obtain a sourceAssetId. This can lead to unauthorized asset deletion, broken content references, and data loss.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.9.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.17.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50283"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T18:48:27Z",
"nvd_published_at": "2026-07-01T23:16:52Z",
"severity": "MODERATE"
},
"details": "We have identified an authorization issue in Craft CMS `AssetsController::actionReplaceFile` that can delete a source asset without source delete permission by supplying both `assetId` and `sourceAssetId`.\n\n### Description\n\nCraft CMS\u2019s `craft\\\\controllers\\\\AssetsController::actionReplaceFile()` supports replacing a target asset file using another existing asset as the source. The action loads:\n\n- `$assetToReplace` from `assetId` \n- `$sourceAsset` from `sourceAssetId`\n\nIt then enforces replace permissions using `($assetToReplace ?: $sourceAsset)`. When both IDs are provided, this expression resolves to the target asset so no permission check is performed against the source asset volume.\n\n```php\n$this-\u003erequireVolumePermissionByAsset(\u0027replaceFiles\u0027, $assetToReplace ?: $sourceAsset);\n$this-\u003erequirePeerVolumePermissionByAsset(\u0027replacePeerFiles\u0027, $assetToReplace ?: $sourceAsset);\n```\n\n[*src/controllers/AssetsController.php:L433-L434*](https://github.com/craftcms/cms/blob/5.x/src/controllers/AssetsController.php#L433-L434)\n\nIn the branch where both assets are present, Craft copies the source file into the target and then deletes the source asset. There is no check for `deleteAssets:\u003csourceVolumeUid\u003e` or `deletePeerAssets:\u003csourceVolumeUid\u003e` for the source asset before deletion.\n\n```php\n$assets-\u003ereplaceAssetFile($assetToReplace, $tempPath, $assetToReplace-\u003egetFilename(), $sourceAsset-\u003egetMimeType());\nCraft::$app-\u003egetElements()-\u003edeleteElement($sourceAsset);\n```\n\n[*src/controllers/AssetsController.php:L462-L463*](https://github.com/craftcms/cms/blob/5.x/src/controllers/AssetsController.php#L462-L463)\n\n### Impact\n\nAn authenticated user who can replace files in one volume can delete assets in another volume where they do not have delete permission, as long as they can obtain a `sourceAssetId`. This can lead to unauthorized asset deletion, broken content references, and data loss.",
"id": "GHSA-qh45-9g5p-m2v4",
"modified": "2026-07-02T18:48:27Z",
"published": "2026-07-02T18:48:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-qh45-9g5p-m2v4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50283"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/2c2579c7f1030872423f268d0c8b48377101961d"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS: Unauthorized Deletion of Source Assets During File Replacement"
}
GHSA-QH4P-54J2-R4WC
Vulnerability from github – Published: 2025-12-31 18:30 – Updated: 2026-04-28 21:35Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation & Returns for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation & Returns for WooCommerce: from n/a through 1.1.10.
{
"affected": [],
"aliases": [
"CVE-2025-49352"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-31T17:15:44Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation \u0026 Returns for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation \u0026 Returns for WooCommerce: from n/a through 1.1.10.",
"id": "GHSA-qh4p-54j2-r4wc",
"modified": "2026-04-28T21:35:52Z",
"published": "2025-12-31T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49352"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wc-order-cancellation-return/vulnerability/wordpress-order-cancellation-returns-for-woocommerce-plugin-1-1-10-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/wordpress/plugin/wc-order-cancellation-return/vulnerability/wordpress-order-cancellation-returns-for-woocommerce-plugin-1-1-10-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QHGH-C3G3-R5VF
Vulnerability from github – Published: 2023-06-09 06:30 – Updated: 2026-04-08 21:31The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.
{
"affected": [],
"aliases": [
"CVE-2023-1889"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-09T06:15:58Z",
"severity": "MODERATE"
},
"details": "The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.",
"id": "GHSA-qhgh-c3g3-r5vf",
"modified": "2026-04-08T21:31:54Z",
"published": "2023-06-09T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1889"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2920100/directorist"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2023/06/critical-security-update-directorist-wordpress-plugin-patches-two-high-risk-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b47edd57-cac7-463f-88cc-8922f1b34612?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QHQ3-Q3P4-4FXM
Vulnerability from github – Published: 2024-04-05 12:31 – Updated: 2026-05-20 12:30Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse.This issue affects Extreme XDS: before 3914.
{
"affected": [],
"aliases": [
"CVE-2023-6523"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-05T12:15:37Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse.This issue affects Extreme XDS: before 3914.",
"id": "GHSA-qhq3-q3p4-4fxm",
"modified": "2026-05-20T12:30:35Z",
"published": "2024-04-05T12:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6523"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0276"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0276"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QHQF-328W-9GGV
Vulnerability from github – Published: 2023-11-20 21:31 – Updated: 2023-11-30 15:30An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/-'
{
"affected": [],
"aliases": [
"CVE-2023-38884"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-20T19:15:08Z",
"severity": "HIGH"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student\u0027s files by visiting \u0027/assets/studentfiles/\u003cstudentId\u003e-\u003cfilename\u003e\u0027",
"id": "GHSA-qhqf-328w-9ggv",
"modified": "2023-11-30T15:30:22Z",
"published": "2023-11-20T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38884"
},
{
"type": "WEB",
"url": "https://github.com/OS4ED/openSIS-Classic"
},
{
"type": "WEB",
"url": "https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38884"
},
{
"type": "WEB",
"url": "https://www.os4ed.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QJ65-C6CR-78RM
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.
{
"affected": [],
"aliases": [
"CVE-2022-2824"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-15T16:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.",
"id": "GHSA-qj65-c6cr-78rm",
"modified": "2022-08-17T00:00:22Z",
"published": "2022-08-16T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2824"
},
{
"type": "WEB",
"url": "https://github.com/openemr/openemr/commit/c5d99452c173ef21a8e2241e2bbf4b66e2d7fe11"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1ccb2d1c-6881-4813-a5bc-1603d29b7141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.