Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3237 vulnerabilities reference this CWE, most recent first.

GHSA-V492-QVFP-R274

Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00
VLAI
Details

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-15T11:21:00Z",
    "severity": "MODERATE"
  },
  "details": "The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink",
  "id": "GHSA-v492-qvfp-r274",
  "modified": "2022-08-17T00:00:23Z",
  "published": "2022-08-16T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2535"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V574-8M96-8MP9

Vulnerability from github – Published: 2024-08-15 21:31 – Updated: 2024-08-16 18:30
VLAI
Details

Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27730"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-15T19:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature.",
  "id": "GHSA-v574-8m96-8mp9",
  "modified": "2024-08-16T18:30:57Z",
  "published": "2024-08-15T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/friendica/friendica/pull/13927"
    },
    {
      "type": "WEB",
      "url": "https://leo.oliver.nz/posts/2024/05/friendica-cve-disclosures"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5HG-WG2P-R5PM

Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2025-11-25 18:32
VLAI
Details

Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T17:15:56Z",
    "severity": "HIGH"
  },
  "details": "Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests.",
  "id": "GHSA-v5hg-wg2p-r5pm",
  "modified": "2025-11-25T18:32:21Z",
  "published": "2025-10-22T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11957"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2025-0015"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V5M8-5455-QW2X

Vulnerability from github – Published: 2026-06-10 15:31 – Updated: 2026-06-10 15:31
VLAI
Details

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the /api/v1/sources/{id}/image-url endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T15:16:41Z",
    "severity": "CRITICAL"
  },
  "details": "A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim\u0027s source.",
  "id": "GHSA-v5m8-5455-qw2x",
  "modified": "2026-06-10T15:31:33Z",
  "published": "2026-06-10T15:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53470"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubev2v/migration-planner/pull/1218"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-53470"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487069"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5QF-WV6G-QJJ7

Vulnerability from github – Published: 2025-05-26 15:30 – Updated: 2025-05-26 15:30
VLAI
Details

Insecure Direct Object Reference (IDOR) vulnerability in Clickedu. This vulnerability could allow an attacker to retrieve information about student report cards.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-26T13:15:19Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability in Clickedu. This vulnerability could allow an attacker to retrieve information about student report cards.",
  "id": "GHSA-v5qf-wv6g-qjj7",
  "modified": "2025-05-26T15:30:33Z",
  "published": "2025-05-26T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40650"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-idor-clickedu"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V5RP-5HX5-3VWQ

Vulnerability from github – Published: 2025-05-09 03:30 – Updated: 2025-05-09 03:30
VLAI
Details

The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email through the edit_newdata_customer_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-09T03:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email through the edit_newdata_customer_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account.",
  "id": "GHSA-v5rp-5hx5-3vwq",
  "modified": "2025-05-09T03:30:25Z",
  "published": "2025-05-09T03:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3811"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3278939/wpbookit/trunk/core/admin/classes/controllers/class.wpb-customer-controller.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a61cce43-0df7-4ca9-8897-24c7d131b505?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6FM-W4P3-P8MV

Vulnerability from github – Published: 2024-08-26 21:30 – Updated: 2024-08-26 21:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.102.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-26T21:15:29Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.102.",
  "id": "GHSA-v6fm-w4p3-p8mv",
  "modified": "2024-08-26T21:30:35Z",
  "published": "2024-08-26T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43916"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-102-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6FX-FW28-5WWR

Vulnerability from github – Published: 2022-07-20 00:00 – Updated: 2022-07-28 00:00
VLAI
Details

Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-19T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1.",
  "id": "GHSA-v6fx-fw28-5wwr",
  "modified": "2022-07-28T00:00:51Z",
  "published": "2022-07-20T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2193"
    },
    {
      "type": "WEB",
      "url": "https://www.hypr.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6XR-V2QG-H22H

Vulnerability from github – Published: 2025-08-18 15:30 – Updated: 2025-12-20 05:31
VLAI
Summary
Liferay Portal Vulnerable to Insecure Direct Object Reference
Details

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.roles.selector.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-18T23:18:02Z",
    "nvd_published_at": "2025-08-18T14:15:29Z",
    "severity": "MODERATE"
  },
  "details": "Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations.",
  "id": "GHSA-v6xr-v2qg-h22h",
  "modified": "2025-12-20T05:31:50Z",
  "published": "2025-08-18T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43732"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/1ab3de8142d9201d10d89f5eeb1edeea64599d57"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/830140e15ccfeb105641681c4f2bb375c12582ba"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/f07339e42a5788aa44016c4ca566b92399643442"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-18221"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43732"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal Vulnerable to Insecure Direct Object Reference"
}

GHSA-V72C-9VQ7-W8X4

Vulnerability from github – Published: 2026-07-09 12:30 – Updated: 2026-07-09 12:30
VLAI
Details

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T10:16:23Z",
    "severity": "MODERATE"
  },
  "details": "The Hydra Booking \u2013 Appointment Scheduling \u0026 Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs.",
  "id": "GHSA-v72c-9vq7-w8x4",
  "modified": "2026-07-09T12:30:27Z",
  "published": "2026-07-09T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12433"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/BookingController.php#L100"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/BookingController.php#L1418"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/RouteController.php#L55"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/includes/hooks/ActivationHooks.php#L38"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/BookingController.php#L100"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/BookingController.php#L1418"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/RouteController.php#L55"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/includes/hooks/ActivationHooks.php#L38"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3600170%40hydra-booking\u0026new=3600170%40hydra-booking"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa00fe53-dc65-4200-80bb-9167b4230194?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.