CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3214 vulnerabilities reference this CWE, most recent first.
GHSA-WPX8-X78M-JRQQ
Vulnerability from github – Published: 2022-01-13 00:01 – Updated: 2022-01-21 00:01growi is vulnerable to Authorization Bypass Through User-Controlled Key
{
"affected": [],
"aliases": [
"CVE-2021-3852"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-12T11:15:00Z",
"severity": "HIGH"
},
"details": "growi is vulnerable to Authorization Bypass Through User-Controlled Key",
"id": "GHSA-wpx8-x78m-jrqq",
"modified": "2022-01-21T00:01:14Z",
"published": "2022-01-13T00:01:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3852"
},
{
"type": "WEB",
"url": "https://github.com/weseek/growi/commit/863bfd7f622f413bd159b9446166fb1ce78ec863"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/d44def81-2834-4031-9037-e923975c3852"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WQ8W-54VC-9F9Q
Vulnerability from github – Published: 2026-07-09 12:30 – Updated: 2026-07-09 12:30Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers.
This issue affects PAVO Pay: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-1989"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T10:16:25Z",
"severity": "HIGH"
},
"details": "Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers.\n\nThis issue affects PAVO Pay: through 09072026.\u00a0NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-wq8w-54vc-9f9q",
"modified": "2026-07-09T12:30:27Z",
"published": "2026-07-09T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1989"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0521"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQFG-5QCM-9R65
Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-10-08 18:30Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to the list of permissions using unauthorised internal identifiers.
{
"affected": [],
"aliases": [
"CVE-2025-41099"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T11:37:40Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to\u00a0access to the list of permissions using unauthorised internal identifiers.",
"id": "GHSA-wqfg-5qcm-9r65",
"modified": "2025-10-08T18:30:15Z",
"published": "2025-09-30T12:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41099"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WQV6-VH6H-52RM
Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2023-3288"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T11:15:12Z",
"severity": "HIGH"
},
"details": "A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.",
"id": "GHSA-wqv6-vh6h-52rm",
"modified": "2024-07-09T12:30:56Z",
"published": "2024-07-09T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3288"
},
{
"type": "WEB",
"url": "https://github.com/alextselegidis/easyappointments"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WR2F-FRVR-F8HG
Vulnerability from github – Published: 2026-07-11 06:31 – Updated: 2026-07-11 06:31The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders' invoices and packing slips. Exploitation requires the plugin's Document link access type setting to be configured to 'full'; with the default 'logged_in' value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders.
{
"affected": [],
"aliases": [
"CVE-2026-13116"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-11T05:16:32Z",
"severity": "MODERATE"
},
"details": "The PDF Invoices \u0026 Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders\u0027 invoices and packing slips. Exploitation requires the plugin\u0027s Document link access type setting to be configured to \u0027full\u0027; with the default \u0027logged_in\u0027 value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders.",
"id": "GHSA-wr2f-frvr-f8hg",
"modified": "2026-07-11T06:31:16Z",
"published": "2026-07-11T06:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13116"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Endpoint.php#L111"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Frontend.php#L271"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Frontend.php#L284"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Endpoint.php#L111"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Frontend.php#L271"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Frontend.php#L284"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3590578%40woocommerce-pdf-invoices-packing-slips\u0026new=3590578%40woocommerce-pdf-invoices-packing-slips"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6525195e-5d90-4dd4-b9ee-612a8295c262?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WR66-PX74-574M
Vulnerability from github – Published: 2025-03-14 06:30 – Updated: 2025-03-14 06:30The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2024-11285"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-14T05:15:40Z",
"severity": "CRITICAL"
},
"details": "The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account.",
"id": "GHSA-wr66-px74-574m",
"modified": "2025-03-14T06:30:42Z",
"published": "2025-03-14T06:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11285"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e61c98d-a6f4-4ac0-b9f9-2b936c030413?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WR8M-5H2P-4432
Vulnerability from github – Published: 2025-09-11 18:35 – Updated: 2025-12-20 02:57An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.portal.workflow.kaleo.runtime.integration.impl"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.1"
},
{
"fixed": "5.0.48"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43782"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-15T13:42:17Z",
"nvd_published_at": "2025-09-11T18:15:33Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.",
"id": "GHSA-wr8m-5h2p-4432",
"modified": "2025-12-20T02:57:55Z",
"published": "2025-09-11T18:35:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43782"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/4e85bafae4c4e17d3f87054d1f1d49a908d79819"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/720f2d3fde180e5c2971a5d01246dfec36f68131"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/acf50c712f7f21c2f52db30883486cb885c8bdd0"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/ad55ef75cb82c8b1ed01f311488475a646481731"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/b61004c960e10d576634096fccc9f71677df0fbd"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/c30a8b729e133f7f40277ce7dc350b87d13d49c7"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43782"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name"
}
GHSA-WR9W-6WCP-7M3P
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoiceEntreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests.
{
"affected": [],
"aliases": [
"CVE-2023-40720"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T17:15:19Z",
"severity": "HIGH"
},
"details": "An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoiceEntreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests.",
"id": "GHSA-wr9w-6wcp-7m3p",
"modified": "2024-05-14T18:31:02Z",
"published": "2024-05-14T18:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40720"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-282"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WRF9-6JF3-2W3C
Vulnerability from github – Published: 2023-01-27 21:31 – Updated: 2026-04-08 21:31The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu item. This makes it possible for authenticated attackers, with subscriber-level access or higher, to modify or delete arbitrary posts.
{
"affected": [],
"aliases": [
"CVE-2023-0550"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-27T21:15:00Z",
"severity": "MODERATE"
},
"details": "The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu item. This makes it possible for authenticated attackers, with subscriber-level access or higher, to modify or delete arbitrary posts.",
"id": "GHSA-wrf9-6jf3-2w3c",
"modified": "2026-04-08T21:31:47Z",
"published": "2023-01-27T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0550"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/quick-restaurant-menu/tags/2.0.2/includes/admin/ajax-functions.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2851871/quick-restaurant-menu/trunk?contextall=1\u0026old=2788636\u0026old_path=%2Fquick-restaurant-menu%2Ftrunk"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-quick-restaurant-menu-plugin"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa4fba5-cd19-4b96-aa09-07ed6d52a107"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa4fba5-cd19-4b96-aa09-07ed6d52a107?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WRJ5-H97X-2XCG
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-09 21:31The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
{
"affected": [],
"aliases": [
"CVE-2024-10215"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:34Z",
"severity": "CRITICAL"
},
"details": "The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.",
"id": "GHSA-wrj5-h97x-2xcg",
"modified": "2025-01-09T21:31:31Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10215"
},
{
"type": "WEB",
"url": "https://documentation.iqonic.design/wpbookit/versions/change-log"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d23a2b9-8476-4564-a5de-5e6cfc38ce68?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.