CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3228 vulnerabilities reference this CWE, most recent first.
GHSA-X7W7-5275-WM7P
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.
{
"affected": [],
"aliases": [
"CVE-2026-40768"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:37Z",
"severity": "HIGH"
},
"details": "Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system \u003c= 10.30.24 versions.",
"id": "GHSA-x7w7-5275-wm7p",
"modified": "2026-06-17T18:35:50Z",
"published": "2026-06-17T18:35:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40768"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-24-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X7WC-2853-87FV
Vulnerability from github – Published: 2025-10-25 00:30 – Updated: 2025-10-25 00:30GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account's security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.
{
"affected": [],
"aliases": [
"CVE-2025-34293"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-24T22:15:40Z",
"severity": "HIGH"
},
"details": "GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API\u0027s object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account\u0027s security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.",
"id": "GHSA-x7wc-2853-87fv",
"modified": "2025-10-25T00:30:39Z",
"published": "2025-10-25T00:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34293"
},
{
"type": "WEB",
"url": "https://nne.navigacloud.com/GN4Help/gn4_introduction_to_gn4.htm"
},
{
"type": "WEB",
"url": "https://www.miles33.com/news/news/5955/naviga--miles-33--acquisition.html"
},
{
"type": "WEB",
"url": "https://www.miles33.com/section/14/gn4"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/gn4-publishing-system-idor-information-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X7X8-RFPP-V489
Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-16 09:30The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.
{
"affected": [],
"aliases": [
"CVE-2025-10742"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T07:15:32Z",
"severity": "CRITICAL"
},
"details": "The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the \u0027truelysell_edit_staff\u0027 shortcode.",
"id": "GHSA-x7x8-rfpp-v489",
"modified": "2025-10-16T09:30:24Z",
"published": "2025-10-16T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10742"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X847-VXVJ-G6RJ
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-14 00:00An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.
{
"affected": [],
"aliases": [
"CVE-2022-1949"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "HIGH"
},
"details": "An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.",
"id": "GHSA-x847-vxvj-g6rj",
"modified": "2022-06-14T00:00:37Z",
"published": "2022-06-03T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1949"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2091781"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X8P6-MR22-V5C9
Vulnerability from github – Published: 2024-03-31 21:30 – Updated: 2026-04-28 21:34Authorization Bypass Through User-Controlled Key vulnerability in UPQODE Whizz.This issue affects Whizzy: from n/a through 1.1.18.
{
"affected": [],
"aliases": [
"CVE-2024-30543"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-31T19:15:47Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in UPQODE Whizz.This issue affects Whizzy: from n/a through 1.1.18.",
"id": "GHSA-x8p6-mr22-v5c9",
"modified": "2026-04-28T21:34:29Z",
"published": "2024-03-31T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30543"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/whizzy/wordpress-whizzy-plugin-1-1-18-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X8QQ-M4QC-RPJ5
Vulnerability from github – Published: 2026-07-16 15:33 – Updated: 2026-07-16 15:33Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user's company.
{
"affected": [],
"aliases": [
"CVE-2026-59237"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-16T15:16:34Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user\u0027s company.",
"id": "GHSA-x8qq-m4qc-rpj5",
"modified": "2026-07-16T15:33:11Z",
"published": "2026-07-16T15:33:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59237"
},
{
"type": "WEB",
"url": "https://github.com/Roskus/prospero-flow-crm/commit/9a859c4de3d49674916773d346c60d89ad7febe0"
},
{
"type": "WEB",
"url": "https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3"
},
{
"type": "WEB",
"url": "https://secur0.com/en/cna/cve-list/cve-2026-59237-idor-in-prospero-flow-crm-order-api-allows-cross-tenant-read-and-modification-of-orders"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X8VJ-X24H-RRFV
Vulnerability from github – Published: 2024-04-24 12:30 – Updated: 2025-02-04 18:30Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.9.
{
"affected": [],
"aliases": [
"CVE-2024-32808"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-24T11:15:48Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.9.",
"id": "GHSA-x8vj-x24h-rrfv",
"modified": "2025-02-04T18:30:45Z",
"published": "2024-04-24T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32808"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/profilegrid-user-profiles-groups-and-communities/wordpress-profilegrid-plugin-5-7-9-insecure-direct-object-reference-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X974-724G-RVVR
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-20 19:00An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.
{
"affected": [],
"aliases": [
"CVE-2022-3331"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab\u0027s Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.",
"id": "GHSA-x974-724g-rvvr",
"modified": "2022-10-20T19:00:35Z",
"published": "2022-10-17T19:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3331"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1542834"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3331.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/360372"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X97M-F58V-9CWG
Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-06-30 03:37All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
{
"affected": [],
"aliases": [
"CVE-2026-45832"
],
"database_specific": {
"cwe_ids": [
"CWE-551",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T16:16:28Z",
"severity": "HIGH"
},
"details": "All V1 collection-level endpoints in ChromaDB\u0027s Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.",
"id": "GHSA-x97m-f58v-9cwg",
"modified": "2026-06-30T03:37:02Z",
"published": "2026-06-12T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45832"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-45832"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488411"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45832.json"
},
{
"type": "WEB",
"url": "https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X9CJ-242H-GR3M
Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-11 00:30WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
{
"affected": [],
"aliases": [
"CVE-2026-25563"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T22:16:01Z",
"severity": "HIGH"
},
"details": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.",
"id": "GHSA-x9cj-242h-gr3m",
"modified": "2026-02-11T00:30:14Z",
"published": "2026-02-08T00:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25563"
},
{
"type": "WEB",
"url": "https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14"
},
{
"type": "WEB",
"url": "https://wekan.fi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.