Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3247 vulnerabilities reference this CWE, most recent first.

CVE-2026-10038 (GCVE-0-2026-10038)

Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:49
VLAI
Title
Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter
Summary
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload).
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
Khanh Nguyen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-10038",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-06T11:39:04.354728Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-06T11:49:30.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
          "vendor": "smub",
          "versions": [
            {
              "lessThanOrEqual": "1.8.11.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Khanh Nguyen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user\u0027s \u0027avatar\u0027 meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the \u0027avatar\u0027 user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T23:28:26.335Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/657bea00-9709-48b8-807a-c9a18b0aee1d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/abstracts/abstract-class-charitable-form.php#L429"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/utilities/class-charitable-data-processor.php#L270"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/users/class-charitable-user.php#L986"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L728"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L724"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/utilities/class-charitable-data-processor.php#L270"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/users/class-charitable-user.php#L986"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/abstracts/abstract-class-charitable-form.php#L429"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L728"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L724"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3557047/charitable/trunk/includes/forms/class-charitable-profile-form.php?old=3435951\u0026old_path=charitable%2Ftrunk%2Fincludes%2Fforms%2Fclass-charitable-profile-form.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-28T19:47:56.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-05T10:28:15.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Charitable \u003c= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via \u0027avatar\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-10038",
    "datePublished": "2026-06-05T23:28:26.335Z",
    "dateReserved": "2026-05-28T19:32:46.255Z",
    "dateUpdated": "2026-06-06T11:49:30.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-10023 (GCVE-0-2026-10023)

Vulnerability from cvelistv5 – Published: 2026-06-18 03:41 – Updated: 2026-06-18 13:53
VLAI
Title
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers
Summary
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID — the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
Kirasec
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-10023",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T13:22:19.284505Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T13:53:45.913Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy",
          "vendor": "dokaninc",
          "versions": [
            {
              "lessThanOrEqual": "5.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kirasec"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor\u0027s own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID \u2014 the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that \u0027users cannot generate valid nonces on command\u0027: vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T03:41:38.956Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/998e545c-2ad5-48ec-bad1-d346170af408?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php#L293"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php#L400"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php#L511"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php#L439"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php#L225"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php#L378"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Install/Installer.php#L209"
        },
        {
          "url": "https://github.com/getdokan/dokan/pull/3246"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3564542%40dokan-lite\u0026new=3564542%40dokan-lite\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-28T17:43:48.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-17T14:54:38.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u003c= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-10023",
    "datePublished": "2026-06-18T03:41:38.956Z",
    "dateReserved": "2026-05-28T17:28:38.977Z",
    "dateUpdated": "2026-06-18T13:53:45.913Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9851 (GCVE-0-2026-9851)

Vulnerability from cvelistv5 – Published: 2026-06-06 04:28 – Updated: 2026-06-06 11:41
VLAI
Title
Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action
Summary
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
masaakitanaka Booking Package Affected: 0 , ≤ 1.7.16 (semver)
Create a notification for this product.
Credits
Md. Moniruzzaman Prodhan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9851",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-06T11:33:35.308170Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-06T11:41:39.564Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Booking Package",
          "vendor": "masaakitanaka",
          "versions": [
            {
              "lessThanOrEqual": "1.7.16",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the \u0027updateUser\u0027 branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-06T04:28:19.979Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/795c1fd6-137b-4414-8d6b-30053bfb5924?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/lib/Schedule.php#L868"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/index.php#L4477"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/index.php#L4416"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3558752%40booking-package\u0026new=3558752%40booking-package\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-28T17:30:14.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-05T15:42:19.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Booking Package \u003c= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-9851",
    "datePublished": "2026-06-06T04:28:19.979Z",
    "dateReserved": "2026-05-28T14:49:39.596Z",
    "dateUpdated": "2026-06-06T11:41:39.564Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9799 (GCVE-0-2026-9799)

Vulnerability from cvelistv5 – Published: 2026-06-25 16:17 – Updated: 2026-06-26 06:46
VLAI
Title
Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass
Summary
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
URL Tags
https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:30083 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:30084 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-9799 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2482471 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
    cpe:/a:redhat:build_keycloak:26.4::el9
Create a notification for this product.
Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
    cpe:/a:redhat:build_keycloak:26.4::el9
Create a notification for this product.
Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
Create a notification for this product.
Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
    cpe:/a:redhat:build_keycloak:26.6::el9
Create a notification for this product.
Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
    cpe:/a:redhat:build_keycloak:26.6::el9
Create a notification for this product.
Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
Create a notification for this product.
Date Public
2026-05-19 12:34
Credits
Red Hat would like to thank Omaroo Baniessa for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9799",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T02:06:38.303071Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T02:06:55.475Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4.13-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-19",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-19",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4.13",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.6",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.6.4-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.6",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.6-8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.6",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.6-8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.6::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.6.4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Omaroo Baniessa for reporting this issue."
        }
      ],
      "datePublic": "2026-05-19T12:34:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T06:46:38.312Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:30049",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:30049"
        },
        {
          "name": "RHSA-2026:30050",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:30050"
        },
        {
          "name": "RHSA-2026:30083",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "name": "RHSA-2026:30084",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:30084"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-9799"
        },
        {
          "name": "RHBZ#2482471",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482471"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-28T03:53:15.687Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-05-19T12:34:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass",
      "workarounds": [
        {
          "lang": "en",
          "value": "To mitigate this issue, ensure that the Keycloak client\u0027s policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-9799",
    "datePublished": "2026-06-25T16:17:48.486Z",
    "dateReserved": "2026-05-28T03:53:25.960Z",
    "dateUpdated": "2026-06-26T06:46:38.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9712 (GCVE-0-2026-9712)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:35 – Updated: 2026-05-28 15:39
VLAI
Title
Insecure direct object reference
Summary
When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download. One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
pretix pretix Affected: 2024.10.0 , < 2026.2.0 (python)
Affected: 2026.2.0 , < 2026.3.0 (python)
Affected: 2026.3.0 , < 2026.4.0 (python)
Affected: 2026.4.0 , < 2026.5.0 (python)
Create a notification for this product.
Credits
Deepjyoti Roy
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9712",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T15:39:22.313424Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T15:39:28.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/",
          "defaultStatus": "unaffected",
          "packageName": "pretix",
          "product": "pretix",
          "repo": "https://github.com/pretix/pretix",
          "vendor": "pretix",
          "versions": [
            {
              "lessThan": "2026.2.0",
              "status": "affected",
              "version": "2024.10.0",
              "versionType": "python"
            },
            {
              "changes": [
                {
                  "at": "2026.2.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2026.3.0",
              "status": "affected",
              "version": "2026.2.0",
              "versionType": "python"
            },
            {
              "changes": [
                {
                  "at": "2026.3.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2026.4.0",
              "status": "affected",
              "version": "2026.3.0",
              "versionType": "python"
            },
            {
              "changes": [
                {
                  "at": "2026.4.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2026.5.0",
              "status": "affected",
              "version": "2026.4.0",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Deepjyoti Roy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eWhen creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\u003c/p\u003e\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.\u003c/p\u003e"
            }
          ],
          "value": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:35:58.857Z",
        "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "shortName": "rami.io"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insecure direct object reference",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
    "assignerShortName": "rami.io",
    "cveId": "CVE-2026-9712",
    "datePublished": "2026-05-27T14:35:58.857Z",
    "dateReserved": "2026-05-27T14:18:33.470Z",
    "dateUpdated": "2026-05-28T15:39:28.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9708 (GCVE-0-2026-9708)

Vulnerability from cvelistv5 – Published: 2026-07-13 08:00 – Updated: 2026-07-13 14:45
VLAI
Title
Incoming webhook user attribution via unvalidated webhook owner
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
URL Tags
https://mattermost.com/security-updates vendor-advisory
Impacted products
Vendor Product Version
Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver)
Affected: 10.11.0 , ≤ 10.11.19 (semver)
Unaffected: 11.8.0
Unaffected: 11.7.3
Unaffected: 11.6.5
Unaffected: 10.11.20
Create a notification for this product.
Credits
arang
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9708",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T14:44:57.510921Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T14:45:16.207Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mattermost",
          "vendor": "Mattermost",
          "versions": [
            {
              "lessThanOrEqual": "11.7.2",
              "status": "affected",
              "version": "11.7.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.6.4",
              "status": "affected",
              "version": "11.6.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.11.19",
              "status": "affected",
              "version": "10.11.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "11.8.0"
            },
            {
              "status": "unaffected",
              "version": "11.7.3"
            },
            {
              "status": "unaffected",
              "version": "11.6.5"
            },
            {
              "status": "unaffected",
              "version": "10.11.20"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "arang"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T08:00:10.707Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "name": "MMSA-2026-00683",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
        }
      ],
      "source": {
        "advisory": "MMSA-2026-00683",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-69009"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Incoming webhook user attribution via unvalidated webhook owner",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2026-9708",
    "datePublished": "2026-07-13T08:00:10.707Z",
    "dateReserved": "2026-05-27T13:46:27.399Z",
    "dateUpdated": "2026-07-13T14:45:16.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9493 (GCVE-0-2026-9493)

Vulnerability from cvelistv5 – Published: 2026-05-29 05:54 – Updated: 2026-05-29 11:43
VLAI
Title
BankPro E-Service Technology|Service Center - Insecure Direct Object Reference
Summary
Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order details.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Impacted products
Date Public
2026-05-29 05:50
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9493",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T11:43:06.133469Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T11:43:24.636Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Service Center",
          "vendor": "BankPro E-Service Technology",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "datePublic": "2026-05-29T05:50:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users\u0027 EC order details."
            }
          ],
          "value": "Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users\u0027 EC order details."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T05:54:57.126Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-10938-97ddd-1.html"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/en/cp-139-10940-d90bd-2.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vulnerability has been patched server-side. Users do not need to take any action."
            }
          ],
          "value": "The vulnerability has been patched server-side. Users do not need to take any action."
        }
      ],
      "source": {
        "advisory": "TVN-202605002",
        "discovery": "EXTERNAL"
      },
      "title": "BankPro E-Service Technology\uff5cService Center - Insecure Direct Object Reference",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2026-9493",
    "datePublished": "2026-05-29T05:54:57.126Z",
    "dateReserved": "2026-05-25T02:48:26.809Z",
    "dateUpdated": "2026-05-29T11:43:24.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9341 (GCVE-0-2026-9341)

Vulnerability from cvelistv5 – Published: 2026-07-14 11:30 – Updated: 2026-07-14 12:45
VLAI
Title
Academy LMS <= 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'user_id' Parameter
Summary
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
kodezen Academy LMS Affected: 0 , ≤ 3.8.0 (semver)
Create a notification for this product.
Credits
sorawautsukushiii
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9341",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T12:45:08.070882Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T12:45:22.307Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Academy LMS",
          "vendor": "kodezen",
          "versions": [
            {
              "lessThanOrEqual": "3.8.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "sorawautsukushiii"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the \u0027save_lesson_note\u0027, \u0027get_lesson_note\u0027, and \u0027complete_lesson_video\u0027 AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T11:30:42.783Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e9b094a-29ba-4be3-9033-fd915fae1820?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L258"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L253"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L300"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/classes/abstract-ajax-handler.php#L46"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3573111/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-23T00:42:37.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-13T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Academy LMS \u003c= 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference via \u0027user_id\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-9341",
    "datePublished": "2026-07-14T11:30:42.783Z",
    "dateReserved": "2026-05-23T00:27:13.206Z",
    "dateUpdated": "2026-07-14T12:45:22.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9306 (GCVE-0-2026-9306)

Vulnerability from cvelistv5 – Published: 2026-05-23 15:00 – Updated: 2026-05-26 13:25
VLAI
Title
QuantumNous new-api Midjourney Image Relay Endpoint relay-router.go GetByOnlyMJId authorization
Summary
A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/365253 vdb-entrytechnical-description
https://vuldb.com/vuln/365253/cti signaturepermissions-required
https://vuldb.com/submit/812196 third-party-advisory
https://gist.github.com/YLChen-007/13974ead25fc6d… exploit
Impacted products
Vendor Product Version
QuantumNous new-api Affected: 0.12.0
Affected: 0.12.1
    cpe:2.3:a:quantumnous:new-api:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Eric-e (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9306",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T13:25:45.507682Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T13:25:51.641Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:quantumnous:new-api:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Midjourney Image Relay Endpoint"
          ],
          "product": "new-api",
          "vendor": "QuantumNous",
          "versions": [
            {
              "status": "affected",
              "version": "0.12.0"
            },
            {
              "status": "affected",
              "version": "0.12.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-e (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:00:13.553Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-365253 | QuantumNous new-api Midjourney Image Relay Endpoint relay-router.go GetByOnlyMJId authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/365253"
        },
        {
          "name": "VDB-365253 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/365253/cti"
        },
        {
          "name": "Submit #812196 | QuantumNous new-api 0.12.1 Authorization Bypass Through User-Controlled Key (CWE-639)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/812196"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/13974ead25fc6dac42fd7bac62fbb2df"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-22T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-05-22T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-05-22T20:08:43.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "QuantumNous new-api Midjourney Image Relay Endpoint relay-router.go GetByOnlyMJId authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-9306",
    "datePublished": "2026-05-23T15:00:13.553Z",
    "dateReserved": "2026-05-22T18:03:30.299Z",
    "dateUpdated": "2026-05-26T13:25:51.641Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9248 (GCVE-0-2026-9248)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:22 – Updated: 2026-05-22 16:56
VLAI
Summary
Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through user controlled key
Assigner
Impacted products
Vendor Product Version
Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
Affected: 0 , ≤ 2025.3.20.0 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 2.6,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-9248",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T16:56:40.752057Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T16:56:44.768Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Server",
          "vendor": "Devolutions",
          "versions": [
            {
              "lessThanOrEqual": "2026.1.16.0",
              "status": "affected",
              "version": "2026.1.6.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2025.3.20.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through user controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:22:31.843Z",
        "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "shortName": "DEVOLUTIONS"
      },
      "references": [
        {
          "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
    "assignerShortName": "DEVOLUTIONS",
    "cveId": "CVE-2026-9248",
    "datePublished": "2026-05-22T15:22:31.843Z",
    "dateReserved": "2026-05-21T19:44:28.926Z",
    "dateUpdated": "2026-05-22T16:56:44.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.