Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3235 vulnerabilities reference this CWE, most recent first.

GHSA-V9F8-F5JC-6J84

Vulnerability from github – Published: 2025-04-15 21:31 – Updated: 2025-04-15 21:31
VLAI
Details

An unauthenticated attacker can obtain a user's plant list by knowing the username.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T21:16:03Z",
    "severity": "MODERATE"
  },
  "details": "An unauthenticated attacker can obtain a user\u0027s plant list by knowing the username.",
  "id": "GHSA-v9f8-f5jc-6j84",
  "modified": "2025-04-15T21:31:49Z",
  "published": "2025-04-15T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31357"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V9H7-V369-359M

Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through 7.6.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-20T14:15:20Z",
    "severity": "LOW"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments \u2013 wpDiscuz.This issue affects Comments \u2013 wpDiscuz: from n/a through 7.6.3.",
  "id": "GHSA-v9h7-v369-359m",
  "modified": "2026-04-28T21:33:27Z",
  "published": "2023-12-20T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46311"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-7-6-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VC4G-XC77-7X3Q

Vulnerability from github – Published: 2024-12-19 00:37 – Updated: 2024-12-26 21:30
VLAI
Details

An IDOR vulnerability in the edit-notes.php module of PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to modify notes belonging to other accounts due to missing authorization checks. This flaw exposes sensitive data and enables attackers to alter another user's information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T22:15:07Z",
    "severity": "MODERATE"
  },
  "details": "An IDOR vulnerability in the edit-notes.php module of PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to modify notes belonging to other accounts due to missing authorization checks. This flaw exposes sensitive data and enables attackers to alter another user\u0027s information.",
  "id": "GHSA-vc4g-xc77-7x3q",
  "modified": "2024-12-26T21:30:36Z",
  "published": "2024-12-19T00:37:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55231"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CV1523/CVEs/blob/main/CVE-2024-55231.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VC6M-GVQM-4JF2

Vulnerability from github – Published: 2026-07-02 21:32 – Updated: 2026-07-02 21:32
VLAI
Details

LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibling methods apply, and findMessagePlugin reads back by id alone. Reachable via the corresponding tRPC message procedures, an authenticated user who knows another user's message identifier can overwrite that victim's plugin tool-call metadata, plugin state/error, text-to-speech and translation records on the same instance, and the tampered content is served back to the victim. Exploitation requires knowledge of the victim's non-enumerable message identifier.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-02T20:17:07Z",
    "severity": "MODERATE"
  },
  "details": "LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibling methods apply, and findMessagePlugin reads back by id alone. Reachable via the corresponding tRPC message procedures, an authenticated user who knows another user\u0027s message identifier can overwrite that victim\u0027s plugin tool-call metadata, plugin state/error, text-to-speech and translation records on the same instance, and the tampered content is served back to the victim. Exploitation requires knowledge of the victim\u0027s non-enumerable message identifier.",
  "id": "GHSA-vc6m-gvqm-4jf2",
  "modified": "2026-07-02T21:32:13Z",
  "published": "2026-07-02T21:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lobehub/lobehub/issues/16534"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/lobechat-broken-object-level-authorization-in-message-sub-resource-writes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VC6M-W3JH-F5FX

Vulnerability from github – Published: 2023-03-04 00:30 – Updated: 2023-03-10 15:30
VLAI
Details

CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-03T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication.",
  "id": "GHSA-vc6m-w3jh-f5fx",
  "modified": "2023-03-10T15:30:42Z",
  "published": "2023-03-04T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CleverStupidDog/yf-exam/issues/2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fw-fW-fw/UPDATE-CVE/blob/main/CVE-2023-25403"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VC9H-72V9-5249

Vulnerability from github – Published: 2026-06-03 12:30 – Updated: 2026-06-03 12:30
VLAI
Details

Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus.

This issue affects T-MAC Plus: 4.0-24.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-03T11:16:18Z",
    "severity": "HIGH"
  },
  "details": "Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus.\n\nThis issue affects T-MAC Plus: 4.0-24.",
  "id": "GHSA-vc9h-72v9-5249",
  "modified": "2026-06-03T12:30:26Z",
  "published": "2026-06-03T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14772"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A7840\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VCJ3-36CM-3C25

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-02-20 21:30
VLAI
Details

Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-18T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments \u2013 wpDiscuz plugin 7.4.2 on WordPress.",
  "id": "GHSA-vcj3-36cm-3c25",
  "modified": "2025-02-20T21:30:43Z",
  "published": "2023-07-06T19:24:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43492"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-comments-wpdiscuz-plugin-7-4-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/wpdiscuz/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCJF-9862-C2X8

Vulnerability from github – Published: 2024-03-16 06:30 – Updated: 2024-03-22 00:31
VLAI
Details

An authorization bypass was discovered in the Carrier MASmobile Classic application through 1.16.18 for Android, MASmobile Classic app through 1.7.24 for iOS, and MAS ASP.Net Services through 1.9. It can be achieved via session ID prediction, allowing remote attackers to retrieve sensitive data including customer data, security system status, and event history. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The affected products cannot simply be updated; they must be removed, but can be replaced by other Carrier software as explained in the Carrier advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-16T05:15:18Z",
    "severity": "MODERATE"
  },
  "details": "An authorization bypass was discovered in the Carrier MASmobile Classic application through 1.16.18 for Android, MASmobile Classic app through 1.7.24 for iOS, and MAS ASP.Net Services through 1.9. It can be achieved via session ID prediction, allowing remote attackers to retrieve sensitive data including customer data, security system status, and event history. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The affected products cannot simply be updated; they must be removed, but can be replaced by other Carrier software as explained in the Carrier advisory.",
  "id": "GHSA-vcjf-9862-c2x8",
  "modified": "2024-03-22T00:31:13Z",
  "published": "2024-03-16T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36483"
    },
    {
      "type": "WEB",
      "url": "https://www.corporate.carrier.com/Images/CARR-PSA-MASMobile%20Classic%20Authorization%20Bypass-012-0623_tcm558-203964.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.corporate.carrier.com/product-security/advisories-resources"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF46-VQQ9-HG36

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

Authorization bypass through user-controlled key vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU all versions and MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU all versions allows an remote unauthenticated attacker to login to a target CPU module by obtaining credentials other than password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-14T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Authorization bypass through user-controlled key vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU all versions and MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU all versions allows an remote unauthenticated attacker to login to a target CPU module by obtaining credentials other than password.",
  "id": "GHSA-vf46-vqq9-hg36",
  "modified": "2022-05-24T19:17:36Z",
  "published": "2022-05-24T19:17:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20599"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU98578731"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-287-03"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-011_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF5X-8R9F-VM4F

Vulnerability from github – Published: 2022-11-09 12:00 – Updated: 2025-02-20 21:30
VLAI
Details

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-08T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin \u003c= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.",
  "id": "GHSA-vf5x-8r9f-vm4f",
  "modified": "2025-02-20T21:30:42Z",
  "published": "2022-11-09T12:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40206"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/wpforo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.