CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3247 vulnerabilities reference this CWE, most recent first.
CVE-2026-9241 (GCVE-0-2026-9241)
Vulnerability from cvelistv5 – Published: 2026-05-28 03:27 – Updated: 2026-05-28 10:37- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| realmag777 | FOX – Currency Switcher Professional for WooCommerce |
Affected:
0 , ≤ 1.4.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:26:17.893238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:37:45.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
"vendor": "realmag777",
"versions": [
{
"lessThanOrEqual": "1.4.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Long Lagon"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST[\u0027wooc_order_user_roles\u0027]` parameter to determine the user\u0027s role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user\u0027s session object via `$user-\u003eroles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles \u2014 such as wholesale customer or administrator \u2014 and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T03:27:27.160Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c8c1fec-0e87-46f7-83c5-8f9e9aa97b4f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/fixed/fixed_user_role.php#L228"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/fixed/fixed_user_role.php#L229"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L2271"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3543524%40woocommerce-currency-switcher\u0026new=3543524%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T19:14:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T14:49:48.000Z",
"value": "Disclosed"
}
],
"title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to \u0027wooc_order_user_roles\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9241",
"datePublished": "2026-05-28T03:27:27.160Z",
"dateReserved": "2026-05-21T18:57:33.435Z",
"dateUpdated": "2026-05-28T10:37:45.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9228 (GCVE-0-2026-9228)
Vulnerability from cvelistv5 – Published: 2026-05-28 03:27 – Updated: 2026-05-28 10:37- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| jetmonsters | Timetable and Event Schedule by MotoPress |
Affected:
0 , ≤ 2.4.16
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:25:47.679199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:37:17.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Timetable and Event Schedule by MotoPress",
"vendor": "jetmonsters",
"versions": [
{
"lessThanOrEqual": "2.4.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jack Pas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object \u2014 including post_content, post_excerpt, post_status, and post_author \u2014 of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T03:27:27.881Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9adf94ac-30ef-4c24-afa6-04248c25bd7f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp-timetable/tags/2.4.16/classes/class-core.php#L311"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp-timetable/tags/2.4.16/classes/controllers/class-controller-events.php#L62"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp-timetable/tags/2.4.16/classes/models/class-events.php#L102"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp-timetable/tags/2.4.16/classes/class-hooks.php#L152"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3548166%40mp-timetable\u0026new=3548166%40mp-timetable\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T18:48:17.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T14:55:48.000Z",
"value": "Disclosed"
}
],
"title": "Timetable and Event Schedule by MotoPress \u003c= 2.4.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via action_get_event_data Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9228",
"datePublished": "2026-05-28T03:27:27.881Z",
"dateReserved": "2026-05-21T18:33:07.265Z",
"dateUpdated": "2026-05-28T10:37:17.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9188 (GCVE-0-2026-9188)
Vulnerability from cvelistv5 – Published: 2026-07-02 08:33 – Updated: 2026-07-02 19:41- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| wappointment | Appointment Bookings for Zoom GoogleMeet and more – Wappointment |
Affected:
0 , ≤ 2.7.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T19:35:30.584577Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T19:41:53.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Appointment Bookings for Zoom GoogleMeet and more \u2013 Wappointment",
"vendor": "wappointment",
"versions": [
{
"lessThanOrEqual": "2.7.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "davidfdzmorilla"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Appointment Bookings for Zoom GoogleMeet and more \u2013 Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the `appointmentkey` parameter due to the appointment `edit_key` \u2014 the sole authorization token consumed by `tryCancel()` \u2014 being generated as a predictable, unsalted MD5 hash of only `client_id` (a sequential integer), `start_at` (a publicly observable appointment timestamp), and `staff_id` (a small enumerable integer), with no secret salt or random component, and the unauthenticated cancellation and rescheduling REST endpoints performing no ownership or identity verification beyond matching this reconstructible key. This makes it possible for unauthenticated attackers to compute valid `edit_key` values for appointments belonging to other users and cancel or reschedule those appointments arbitrarily. Exploitation requires the `allow_cancellation` or `allow_rescheduling` setting to be enabled on the site, both of which are common configurations for active booking deployments; an attacker can obtain the inputs needed to reconstruct a victim\u0027s key by booking their own appointment to observe their sequential `client_id` and correlating publicly visible appointment times and enumerable staff identifiers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T08:33:04.439Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07069f39-f892-4c19-8e0b-e5e17b1ffb21?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.6/app/Services/AppointmentNew.php#L347"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.6/app/Services/AppointmentNew.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.6/app/Models/Client.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.6/app/Services/AppointmentNew.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.5/app/Services/AppointmentNew.php#L347"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.5/app/Services/AppointmentNew.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.5/app/Models/Client.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.5/app/Services/AppointmentNew.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3546313%40wappointment\u0026new=3546313%40wappointment\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-23T05:34:21.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-01T20:20:27.000Z",
"value": "Disclosed"
}
],
"title": "Appointment Bookings for Zoom GoogleMeet and more \u2013 Wappointment \u003c= 2.7.6 - Unauthenticated Insecure Direct Object Reference via Predictable \u0027edit_key\u0027 / \u0027appointmentkey\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9188",
"datePublished": "2026-07-02T08:33:04.439Z",
"dateReserved": "2026-05-21T15:04:38.302Z",
"dateUpdated": "2026-07-02T19:41:53.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9185 (GCVE-0-2026-9185)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:41 – Updated: 2026-06-09 15:13- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| sixstorage | 6Storage Rentals |
Affected:
0 , ≤ 2.22.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T15:01:44.232131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:13:19.602Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "6Storage Rentals",
"vendor": "sixstorage",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joy Gilbert"
}
],
"descriptions": [
{
"lang": "en",
"value": "The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST[\u0027userId\u0027]` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants\u0027 profile data \u2014 including name, email address, phone number, physical address, and SSN \u2014 by supplying an enumerated `userId` value in a crafted request to either handler."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:41:20.509Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74fa4240-6f62-4db6-b7e7-56998fc29e42?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L998"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L1955"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L11"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L995"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L1931"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L998"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L1955"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L11"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L995"
},
{
"url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L1931"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T15:06:25.000Z",
"value": "Disclosed"
}
],
"title": "6Storage Rentals \u003c= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via \u0027userId\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9185",
"datePublished": "2026-06-09T03:41:20.509Z",
"dateReserved": "2026-05-21T14:57:48.503Z",
"dateUpdated": "2026-06-09T15:13:19.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9180 (GCVE-0-2026-9180)
Vulnerability from cvelistv5 – Published: 2026-07-03 04:30 – Updated: 2026-07-06 12:35- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| jetmonsters | MotoPress Appointment Booking |
Affected:
0 , ≤ 2.4.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T12:34:52.499746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:35:03.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MotoPress Appointment Booking",
"vendor": "jetmonsters",
"versions": [
{
"lessThanOrEqual": "2.4.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "g0wthr"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the `POST /motopress/appointment/v1/bookings` REST endpoint being registered with `\u0027permission_callback\u0027 =\u003e \u0027__return_true\u0027`, allowing unauthenticated access, while the `createBooking` handler in `BookingsRestController.php` accepts an attacker-supplied `payment_details.booking_id` value and loads the referenced booking via `findById()` without verifying that the caller owns or has any rights to that booking. This makes it possible for unauthenticated attackers to overwrite the customer name, email address, phone number, and `customer_id` of any non-confirmed victim booking by submitting a request with no reservation items, causing `BookingService::createBooking()` to load the existing victim booking object and persist it with attacker-controlled customer data. Victim booking IDs can be harvested prior to exploitation without authentication by querying the also-publicly-accessible `GET /motopress/appointment/v1/bookings/reservations` endpoint with a guessable `service_id` and date range, and only bookings whose status is not `STATUS_CONFIRMED` (e.g., pending or auto-draft) are valid targets."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T04:30:19.902Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9a6521d-39b2-48f4-834b-888047619df5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L98"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L308"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L30"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/services/BookingService.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3583168/motopress-appointment-lite/trunk/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T15:02:53.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-02T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MotoPress Appointment Booking \u003c= 2.4.4 - Unauthenticated Insecure Direct Object Reference to \u0027payment_details.booking_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9180",
"datePublished": "2026-07-03T04:30:19.902Z",
"dateReserved": "2026-05-21T14:47:44.596Z",
"dateUpdated": "2026-07-06T12:35:03.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9152 (GCVE-0-2026-9152)
Vulnerability from cvelistv5 – Published: 2026-05-21 00:47 – Updated: 2026-05-21 12:41 Exclusively Hosted Service| Vendor | Product | Version | |
|---|---|---|---|
| Altium | Altium 365 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9152",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T12:41:26.148624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T12:41:39.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"SearchService (SOAP endpoint)"
],
"platforms": [
"Web"
],
"product": "Altium 365",
"vendor": "Altium"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joris Aerts, Tesla Inc."
}
],
"datePublic": "2026-05-20T23:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace\u0027s identifier can interact with that workspace\u0027s search index, crossing tenant boundaries.\u003c/p\u003e\n\u003cp\u003eSuccessful exploitation allows reading a workspace\u0027s indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.\u003c/p\u003e"
}
],
"value": "A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace\u0027s identifier can interact with that workspace\u0027s search index, crossing tenant boundaries.\n\n\n\n\nSuccessful exploitation allows reading a workspace\u0027s indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing authentication for critical function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T00:47:24.365Z",
"orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"shortName": "Altium"
},
"references": [
{
"url": "https://www.altium.com/platform/security-compliance/security-advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"exclusively-hosted-service"
],
"title": "Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"assignerShortName": "Altium",
"cveId": "CVE-2026-9152",
"datePublished": "2026-05-21T00:47:24.365Z",
"dateReserved": "2026-05-20T23:26:29.928Z",
"dateUpdated": "2026-05-21T12:41:39.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9136 (GCVE-0-2026-9136)
Vulnerability from cvelistv5 – Published: 2026-05-20 18:39 – Updated: 2026-05-20 19:27- CWE-639 - Authorization Bypass Through User-Controlled Key
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/49911b1d4b6e4… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T19:27:15.698321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T19:27:31.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.37",
"status": "affected",
"version": "2.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Seth Kraft"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability was identified in the ShadowAttribute proposal creation workflow. The \u003ccode\u003eadd\u003c/code\u003e action accepted user-controlled \u003ccode\u003eShadowAttribute\u003c/code\u003e request data without removing the \u003ccode\u003eid\u003c/code\u003e field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing \u003ccode\u003eShadowAttribute\u003c/code\u003e and cause that record to be updated instead of creating a new proposal.\u003c/p\u003e\n\u003cp\u003eThis can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts.\u003c/p\u003e\n\u003cp\u003eThe vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the \u003ccode\u003eid\u003c/code\u003e field from incoming \u003ccode\u003eShadowAttribute\u003c/code\u003e data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal.\n\n\n\n\nThis can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts.\n\n\n\n\nThe vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T18:39:40.231Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/49911b1d4b6e4517d803e50e3d980aaa4d37c16d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthorized ShadowAttribute modification in MISP via client-supplied identifier",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-9136",
"datePublished": "2026-05-20T18:39:40.231Z",
"dateReserved": "2026-05-20T18:38:29.235Z",
"dateUpdated": "2026-05-20T19:27:31.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9099 (GCVE-0-2026-9099)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:16 – Updated: 2026-07-15 00:38- CWE-639 - Authorization Bypass Through User-Controlled Key
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:30049 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30050 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30083 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30084 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-9099 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480182 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.13-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-19 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4.13 |
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6.4-2 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6-8 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6.4 |
cpe:/a:redhat:build_keycloak:26.6::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9099",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T20:25:31.782558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T20:26:06.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.13-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4.13",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6.4-2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6.4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-25T15:58:51.884Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T00:38:43.248Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"name": "RHBZ#2480182",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9099.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:30050: Red Hat build of Keycloak 26.4"
},
{
"lang": "en",
"value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
},
{
"lang": "en",
"value": "RHSA-2026:30049: Red Hat build of Keycloak 26.4.13"
},
{
"lang": "en",
"value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T15:05:54.381Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-25T15:58:51.884Z",
"value": "Made public."
}
],
"title": "keycloak: Group-Admin Escalation to Realm-Admin",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.13-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4.13",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6.4-2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6.4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-25T15:58:51.884Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T06:26:57.094Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:30049",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"name": "RHSA-2026:30050",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"name": "RHSA-2026:30083",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"name": "RHSA-2026:30084",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"name": "RHBZ#2480182",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T15:05:54.381Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-25T15:58:51.884Z",
"value": "Made public."
}
],
"title": "Keycloak: group-admin escalation to realm-admin",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-9099",
"datePublished": "2026-06-25T16:16:43.604Z",
"dateReserved": "2026-05-20T15:12:25.740Z",
"dateUpdated": "2026-07-15T00:38:43.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9087 (GCVE-0-2026-9087)
Vulnerability from cvelistv5 – Published: 2026-05-20 16:13 – Updated: 2026-06-26 06:46- CWE-639 - Authorization Bypass Through User-Controlled Key
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:25097 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25098 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30049 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30050 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-9087 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480172 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.13-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-19 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4.13 |
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6.3-3 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6-6 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6.3 |
cpe:/a:redhat:build_keycloak:26.6::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T14:01:27.979329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T14:02:09.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.13-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4.13",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6.3-3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6.3",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-20T14:53:44.238Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,\nidpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim\u0027s local account."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T06:46:23.414Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:25097",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"name": "RHSA-2026:25098",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"name": "RHSA-2026:30049",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"name": "RHSA-2026:30050",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9087"
},
{
"name": "RHBZ#2480172",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480172"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T14:53:02.458Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-20T14:53:44.238Z",
"value": "Made public."
}
],
"title": "Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, configure the affected identity provider to set `trustEmail=true`. This ensures that Keycloak trusts the email address provided by the upstream identity provider, bypassing the vulnerable verification flow. This mitigation should only be applied if the upstream identity provider is fully trusted to verify email addresses and prevent malicious account creation with existing email addresses. Configuration changes may require a Keycloak service restart or reload to take effect."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-9087",
"datePublished": "2026-05-20T16:13:03.022Z",
"dateReserved": "2026-05-20T14:53:18.352Z",
"dateUpdated": "2026-06-26T06:46:23.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8890 (GCVE-0-2026-8890)
Vulnerability from cvelistv5 – Published: 2026-05-26 18:23 – Updated: 2026-06-23 16:17- CWE-639 - Authorization Bypass Through User-Controlled Key
| URL | Tags |
|---|---|
| https://github.com/code100x/cms/issues/1924 | issue-tracking |
| https://github.com/code100x/cms/pull/1927 | issue-tracking |
| https://github.com/code100x/cms/pull/1927/changes… | issue-tracking |
| https://github.com/code100x/cms/pull/1927/changes… | issue-tracking |
| https://www.vulncheck.com/advisories/code100x-mob… | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8890",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T19:25:26.818588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:25:54.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/code100x/cms/issues/1924"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/code100x/cms/pull/1927"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "code100x",
"vendor": "code100x",
"versions": [
{
"lessThan": "90b489ee7c63c301107d6374d4b3f2b8e4060fe5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "88c6c5e94e23da101235c4c7e9c7591ac1016549",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Shravan Manne"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-26T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ecode100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the \u0027g\u0027 HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.\u003c/p\u003e"
}
],
"value": "code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the \u0027g\u0027 HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:17:11.868Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/code100x/cms/issues/1924"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/code100x/cms/pull/1927"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/code100x/cms/pull/1927/changes/90b489ee7c63c301107d6374d4b3f2b8e4060fe5"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/code100x/cms/pull/1927/changes/88c6c5e94e23da101235c4c7e9c7591ac1016549"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/code100x-mobile-api-authentication-bypass-via-header-spoofing"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "code100x Mobile API Authentication Bypass via Header Spoofing",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-8890",
"datePublished": "2026-05-26T18:23:13.098Z",
"dateReserved": "2026-05-18T20:47:38.669Z",
"dateUpdated": "2026-06-23T16:17:11.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.