CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3234 vulnerabilities reference this CWE, most recent first.
GHSA-VFH4-9WWJ-77FX
Vulnerability from github – Published: 2025-09-10 09:30 – Updated: 2025-09-10 09:30The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.
{
"affected": [],
"aliases": [
"CVE-2025-7049"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T07:15:45Z",
"severity": "HIGH"
},
"details": "The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the \u0027MJ_gmgt_gmgt_add_user\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.",
"id": "GHSA-vfh4-9wwj-77fx",
"modified": "2025-09-10T09:30:58Z",
"published": "2025-09-10T09:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7049"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17951f68-8481-477b-a940-cce637f6ec54?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG32-RQH8-J8PM
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.
{
"affected": [],
"aliases": [
"CVE-2026-56772"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T19:16:44Z",
"severity": "MODERATE"
},
"details": "NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user\u0027s follows, replies, and social activity without authorization.",
"id": "GHSA-vg32-rqh8-j8pm",
"modified": "2026-06-25T21:31:30Z",
"published": "2026-06-25T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56772"
},
{
"type": "WEB",
"url": "https://github.com/samuelclay/NewsBlur/commit/613c60b67cc46b3f4cae1dc2dfd8d717a39bc483"
},
{
"type": "WEB",
"url": "https://github.com/samuelclay/NewsBlur/releases/tag/Android_14.5.0"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/newsblur-insecure-direct-object-reference-in-social-interactions-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VGF3-FPXC-H968
Vulnerability from github – Published: 2026-06-11 15:31 – Updated: 2026-06-11 15:31openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.
{
"affected": [],
"aliases": [
"CVE-2026-8406"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T14:16:32Z",
"severity": "HIGH"
},
"details": "openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.",
"id": "GHSA-vgf3-fpxc-h968",
"modified": "2026-06-11T15:31:34Z",
"published": "2026-06-11T15:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8406"
},
{
"type": "WEB",
"url": "https://github.com/OS4ED/openSIS-Classic/commit/c45d43146167324bae06bdf09de3e4bd2e5e478f"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/es/advisories/melanie"
},
{
"type": "WEB",
"url": "https://github.com/OS4ED/openSIS-Classic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VH24-W6W7-Q6MW
Vulnerability from github – Published: 2026-07-07 09:37 – Updated: 2026-07-07 09:37Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.
This issue affects Ontime: through 04052026.
{
"affected": [],
"aliases": [
"CVE-2026-5799"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T08:16:25Z",
"severity": "HIGH"
},
"details": "Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.\n\nThis issue affects Ontime: through 04052026.",
"id": "GHSA-vh24-w6w7-q6mw",
"modified": "2026-07-07T09:37:54Z",
"published": "2026-07-07T09:37:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5799"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0503"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VH45-GFXF-VR42
Vulnerability from github – Published: 2026-02-24 09:31 – Updated: 2026-02-24 09:31An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
{
"affected": [],
"aliases": [
"CVE-2025-40541"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-24T08:16:28Z",
"severity": "CRITICAL"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.\n\nThis issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.",
"id": "GHSA-vh45-gfxf-vr42",
"modified": "2026-02-24T09:31:21Z",
"published": "2026-02-24T09:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40541"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40541"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VHFH-VMQ7-84JF
Vulnerability from github – Published: 2024-11-22 09:33 – Updated: 2026-04-08 21:32The Easy Twitter Feed – Twitter feeds plugin for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.6 via the [etf] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-10666"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T06:15:18Z",
"severity": "MODERATE"
},
"details": "The Easy Twitter Feed \u2013 Twitter feeds plugin for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.6 via the [etf] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.",
"id": "GHSA-vhfh-vmq7-84jf",
"modified": "2026-04-08T21:32:56Z",
"published": "2024-11-22T09:33:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10666"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3206719%40easy-twitter-feeds\u0026new=3206719%40easy-twitter-feeds\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/easy-twitter-feeds"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9cd3168-3261-4e36-8fbe-2058cd821937?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ33-3XG6-G6WW
Vulnerability from github – Published: 2026-07-02 12:31 – Updated: 2026-07-02 12:31Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.
{
"affected": [],
"aliases": [
"CVE-2026-57680"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T12:17:38Z",
"severity": "MODERATE"
},
"details": "Unauthenticated Insecure Direct Object References (IDOR) in Kirki \u003c= 6.0.11 versions.",
"id": "GHSA-vj33-3xg6-g6ww",
"modified": "2026-07-02T12:31:01Z",
"published": "2026-07-02T12:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57680"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-11-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VJ6P-V8M8-9CJQ
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2023-09-27 15:30Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
{
"affected": [],
"aliases": [
"CVE-2023-44206"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:39Z",
"severity": "HIGH"
},
"details": "Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.",
"id": "GHSA-vj6p-v8m8-9cjq",
"modified": "2023-09-27T15:30:39Z",
"published": "2023-09-27T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44206"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-5839"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJF2-9278-JMJ7
Vulnerability from github – Published: 2025-11-12 09:30 – Updated: 2025-11-12 09:30The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.
{
"affected": [],
"aliases": [
"CVE-2025-12903"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T09:15:40Z",
"severity": "HIGH"
},
"details": "The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.",
"id": "GHSA-vjf2-9278-jmj7",
"modified": "2025-11-12T09:30:27Z",
"published": "2025-11-12T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12903"
},
{
"type": "WEB",
"url": "https://developer.wordpress.org/rest-api/using-the-rest-api/authentication"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L23"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L35"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L41"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3392259%40woo-payment-gateway\u0026new=3392259%40woo-payment-gateway\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89cd5429-39a0-441f-ba69-dea111eae5ed?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJF8-PC55-P8GM
Vulnerability from github – Published: 2024-06-21 09:30 – Updated: 2024-06-21 09:30The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update the profile picture of any user.
{
"affected": [],
"aliases": [
"CVE-2024-5639"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-21T07:15:10Z",
"severity": "MODERATE"
},
"details": "The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the \u0027rest_api_change_profile_image\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update the profile picture of any user.",
"id": "GHSA-vjf8-pc55-p8gm",
"modified": "2024-06-21T09:30:26Z",
"published": "2024-06-21T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5639"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/metronet-profile-picture/tags/2.6.1/metronet-profile-picture.php#L1122"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/metronet-profile-picture/tags/2.6.1/metronet-profile-picture.php#L989"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3105132"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01a3b9ba-b18a-48d9-8365-d10f79fc6a6b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.