CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3214 vulnerabilities reference this CWE, most recent first.
GHSA-X6GW-C4HJ-P3RX
Vulnerability from github – Published: 2025-07-22 15:32 – Updated: 2025-07-23 15:31Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) thru June 3, 2025, allowing attackers to chat with the LLM using other users' credits via sensitive information gained by the /browse/stories endpoint.
{
"affected": [],
"aliases": [
"CVE-2025-51867"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-22T14:15:36Z",
"severity": "MODERATE"
},
"details": "Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) thru June 3, 2025, allowing attackers to chat with the LLM using other users\u0027 credits via sensitive information gained by the /browse/stories endpoint.",
"id": "GHSA-x6gw-c4hj-p3rx",
"modified": "2025-07-23T15:31:09Z",
"published": "2025-07-22T15:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51867"
},
{
"type": "WEB",
"url": "https://github.com/Secsys-FDU/CVE-2025-51867"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X6R3-8M97-73MG
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.
{
"affected": [],
"aliases": [
"CVE-2017-15195"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-11T01:32:00Z",
"severity": "MODERATE"
},
"details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.",
"id": "GHSA-x6r3-8m97-73mg",
"modified": "2022-05-13T01:43:40Z",
"published": "2022-05-13T01:43:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15195"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524"
},
{
"type": "WEB",
"url": "https://kanboard.net/news/version-1.0.47"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/10/04/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X6W7-V4JH-M22F
Vulnerability from github – Published: 2022-07-18 00:00 – Updated: 2022-07-19 00:00The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2021-24655"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-17T11:15:00Z",
"severity": "HIGH"
},
"details": "The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.",
"id": "GHSA-x6w7-v4jh-m22f",
"modified": "2022-07-19T00:00:28Z",
"published": "2022-07-18T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24655"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X72P-G37Q-4XR9
Vulnerability from github – Published: 2024-07-22 09:31 – Updated: 2024-07-31 18:42Withdrawn: The attack vector described in the backing report required that an attacker gain access to a user's session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.
~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/drakkan/sftpgo/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40430"
],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-22T18:46:59Z",
"nvd_published_at": "2024-07-22T07:15:02Z",
"severity": "MODERATE"
},
"details": "Withdrawn:\nThe attack vector described in the backing report required that an attacker gain access to a user\u0027s session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.\n\n~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~",
"id": "GHSA-x72p-g37q-4xr9",
"modified": "2024-07-31T18:42:56Z",
"published": "2024-07-22T09:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40430"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/4645"
},
{
"type": "WEB",
"url": "https://alexsecurity.rocks/posts/cve-2024-40430"
},
{
"type": "PACKAGE",
"url": "https://github.com/drakkan/sftpgo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Withdrawn: SFTPGo\u0027s JWT implmentation lacks certain security measures",
"withdrawn": "2024-07-31T18:42:56Z"
}
GHSA-X75G-QM53-H84R
Vulnerability from github – Published: 2026-04-15 18:31 – Updated: 2026-04-15 18:31Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.2.
{
"affected": [],
"aliases": [
"CVE-2026-40784"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-15T11:16:37Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through \u003c= 1.91.2.",
"id": "GHSA-x75g-qm53-h84r",
"modified": "2026-04-15T18:31:55Z",
"published": "2026-04-15T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40784"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X769-3CWV-F8HC
Vulnerability from github – Published: 2025-07-22 12:30 – Updated: 2025-07-22 14:37The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"13.0.0"
]
}
],
"aliases": [
"CVE-2025-7899"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-22T14:37:09Z",
"nvd_published_at": "2025-07-22T11:15:24Z",
"severity": "MODERATE"
},
"details": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.",
"id": "GHSA-x769-3cwv-f8hc",
"modified": "2025-07-22T14:37:09Z",
"published": "2025-07-22T12:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7899"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/b39e129c5e2a797f0ccf271fea220c7933ca77bc"
},
{
"type": "PACKAGE",
"url": "https://github.com/in2code-de/powermail"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Powermail extension for TYPO3 allows Insecure Direct Object Reference"
}
GHSA-X77X-F67V-G9V4
Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2025-12-19 21:30AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.
{
"affected": [],
"aliases": [
"CVE-2025-34437"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T20:15:54Z",
"severity": "HIGH"
},
"details": "AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.",
"id": "GHSA-x77x-f67v-g9v4",
"modified": "2025-12-19T21:30:17Z",
"published": "2025-12-17T21:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34437"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/d411f91805"
},
{
"type": "WEB",
"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/avideo-idor-arbitrary-comment-image-upload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X7W7-5275-WM7P
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.
{
"affected": [],
"aliases": [
"CVE-2026-40768"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:37Z",
"severity": "HIGH"
},
"details": "Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system \u003c= 10.30.24 versions.",
"id": "GHSA-x7w7-5275-wm7p",
"modified": "2026-06-17T18:35:50Z",
"published": "2026-06-17T18:35:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40768"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-24-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X7WC-2853-87FV
Vulnerability from github – Published: 2025-10-25 00:30 – Updated: 2025-10-25 00:30GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account's security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.
{
"affected": [],
"aliases": [
"CVE-2025-34293"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-24T22:15:40Z",
"severity": "HIGH"
},
"details": "GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API\u0027s object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account\u0027s security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.",
"id": "GHSA-x7wc-2853-87fv",
"modified": "2025-10-25T00:30:39Z",
"published": "2025-10-25T00:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34293"
},
{
"type": "WEB",
"url": "https://nne.navigacloud.com/GN4Help/gn4_introduction_to_gn4.htm"
},
{
"type": "WEB",
"url": "https://www.miles33.com/news/news/5955/naviga--miles-33--acquisition.html"
},
{
"type": "WEB",
"url": "https://www.miles33.com/section/14/gn4"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/gn4-publishing-system-idor-information-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X7X8-RFPP-V489
Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-16 09:30The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.
{
"affected": [],
"aliases": [
"CVE-2025-10742"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T07:15:32Z",
"severity": "CRITICAL"
},
"details": "The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the \u0027truelysell_edit_staff\u0027 shortcode.",
"id": "GHSA-x7x8-rfpp-v489",
"modified": "2025-10-16T09:30:24Z",
"published": "2025-10-16T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10742"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.