Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3214 vulnerabilities reference this CWE, most recent first.

GHSA-X6GW-C4HJ-P3RX

Vulnerability from github – Published: 2025-07-22 15:32 – Updated: 2025-07-23 15:31
VLAI
Details

Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) thru June 3, 2025, allowing attackers to chat with the LLM using other users' credits via sensitive information gained by the /browse/stories endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T14:15:36Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) thru June 3, 2025, allowing attackers to chat with the LLM using other users\u0027 credits via sensitive information gained by the /browse/stories endpoint.",
  "id": "GHSA-x6gw-c4hj-p3rx",
  "modified": "2025-07-23T15:31:09Z",
  "published": "2025-07-22T15:32:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Secsys-FDU/CVE-2025-51867"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X6R3-8M97-73MG

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-11T01:32:00Z",
    "severity": "MODERATE"
  },
  "details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.",
  "id": "GHSA-x6r3-8m97-73mg",
  "modified": "2022-05-13T01:43:40Z",
  "published": "2022-05-13T01:43:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524"
    },
    {
      "type": "WEB",
      "url": "https://kanboard.net/news/version-1.0.47"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/10/04/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X6W7-V4JH-M22F

Vulnerability from github – Published: 2022-07-18 00:00 – Updated: 2022-07-19 00:00
VLAI
Details

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-17T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.",
  "id": "GHSA-x6w7-v4jh-m22f",
  "modified": "2022-07-19T00:00:28Z",
  "published": "2022-07-18T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24655"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X72P-G37Q-4XR9

Vulnerability from github – Published: 2024-07-22 09:31 – Updated: 2024-07-31 18:42
VLAI
Summary
Withdrawn: SFTPGo's JWT implmentation lacks certain security measures
Details

Withdrawn: The attack vector described in the backing report required that an attacker gain access to a user's session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.

~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/drakkan/sftpgo/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-22T18:46:59Z",
    "nvd_published_at": "2024-07-22T07:15:02Z",
    "severity": "MODERATE"
  },
  "details": "Withdrawn:\nThe attack vector described in the backing report required that an attacker gain access to a user\u0027s session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.\n\n~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~",
  "id": "GHSA-x72p-g37q-4xr9",
  "modified": "2024-07-31T18:42:56Z",
  "published": "2024-07-22T09:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/4645"
    },
    {
      "type": "WEB",
      "url": "https://alexsecurity.rocks/posts/cve-2024-40430"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drakkan/sftpgo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn: SFTPGo\u0027s JWT implmentation lacks certain security measures",
  "withdrawn": "2024-07-31T18:42:56Z"
}

GHSA-X75G-QM53-H84R

Vulnerability from github – Published: 2026-04-15 18:31 – Updated: 2026-04-15 18:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-15T11:16:37Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through \u003c= 1.91.2.",
  "id": "GHSA-x75g-qm53-h84r",
  "modified": "2026-04-15T18:31:55Z",
  "published": "2026-04-15T18:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40784"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X769-3CWV-F8HC

Vulnerability from github – Published: 2025-07-22 12:30 – Updated: 2025-07-22 14:37
VLAI
Summary
Powermail extension for TYPO3 allows Insecure Direct Object Reference
Details

The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "13.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-7899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-22T14:37:09Z",
    "nvd_published_at": "2025-07-22T11:15:24Z",
    "severity": "MODERATE"
  },
  "details": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.",
  "id": "GHSA-x769-3cwv-f8hc",
  "modified": "2025-07-22T14:37:09Z",
  "published": "2025-07-22T12:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7899"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/b39e129c5e2a797f0ccf271fea220c7933ca77bc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/in2code-de/powermail"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Powermail extension for TYPO3 allows Insecure Direct Object Reference"
}

GHSA-X77X-F67V-G9V4

Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2025-12-19 21:30
VLAI
Details

AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-17T20:15:54Z",
    "severity": "HIGH"
  },
  "details": "AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.",
  "id": "GHSA-x77x-f67v-g9v4",
  "modified": "2025-12-19T21:30:17Z",
  "published": "2025-12-17T21:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/4a53ab2056"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/d411f91805"
    },
    {
      "type": "WEB",
      "url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/avideo-idor-arbitrary-comment-image-upload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X7W7-5275-WM7P

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:37Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system \u003c= 10.30.24 versions.",
  "id": "GHSA-x7w7-5275-wm7p",
  "modified": "2026-06-17T18:35:50Z",
  "published": "2026-06-17T18:35:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40768"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-24-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7WC-2853-87FV

Vulnerability from github – Published: 2025-10-25 00:30 – Updated: 2025-10-25 00:30
VLAI
Details

GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account's security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-24T22:15:40Z",
    "severity": "HIGH"
  },
  "details": "GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API\u0027s object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account\u0027s security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.",
  "id": "GHSA-x7wc-2853-87fv",
  "modified": "2025-10-25T00:30:39Z",
  "published": "2025-10-25T00:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34293"
    },
    {
      "type": "WEB",
      "url": "https://nne.navigacloud.com/GN4Help/gn4_introduction_to_gn4.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.miles33.com/news/news/5955/naviga--miles-33--acquisition.html"
    },
    {
      "type": "WEB",
      "url": "https://www.miles33.com/section/14/gn4"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/gn4-publishing-system-idor-information-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X7X8-RFPP-V489

Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-16 09:30
VLAI
Details

The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T07:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the \u0027truelysell_edit_staff\u0027 shortcode.",
  "id": "GHSA-x7x8-rfpp-v489",
  "modified": "2025-10-16T09:30:24Z",
  "published": "2025-10-16T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10742"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.