Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3252 vulnerabilities reference this CWE, most recent first.

CVE-2026-8839 (GCVE-0-2026-8839)

Vulnerability from cvelistv5 – Published: 2026-06-06 03:28 – Updated: 2026-06-06 11:42
VLAI
Title
MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints
Summary
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
chrisvrichardson MapPress Maps for WordPress Affected: 0 , ≤ 2.96.6 (semver)
Create a notification for this product.
Credits
Kitch Global
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8839",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-06T11:34:08.719037Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-06T11:42:35.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MapPress Maps for WordPress",
          "vendor": "chrisvrichardson",
          "versions": [
            {
              "lessThanOrEqual": "2.96.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kitch Global"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `\u0027permission_callback\u0027 =\u003e \u0027__return_true\u0027` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map \u2014 a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data \u2014 including POI titles, addresses, coordinates, and body content \u2014 for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-06T03:28:25.116Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f402aa7-24d6-448b-a1d3-5ee7c90b39bc?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L328"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L328"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L90"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L268"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L253"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L50"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L75"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L239"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L493"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L379"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L550"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L90"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L268"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L253"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L50"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L75"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L239"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L493"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L379"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L550"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mappress-google-maps-for-wordpress/tags/2.96.6\u0026new_path=/mappress-google-maps-for-wordpress/tags/2.97.1"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-19T04:58:32.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-05T14:37:12.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "MapPress Maps for WordPress \u003c= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-8839",
    "datePublished": "2026-06-06T03:28:25.116Z",
    "dateReserved": "2026-05-18T15:18:31.311Z",
    "dateUpdated": "2026-06-06T11:42:35.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8828 (GCVE-0-2026-8828)

Vulnerability from cvelistv5 – Published: 2026-06-12 14:50 – Updated: 2026-06-12 16:00
VLAI
Summary
A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
Impacted products
Vendor Product Version
Chroma ChromaDB Affected: 1.0.0 , ≤ * (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8828",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T16:00:30.370494Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T16:00:39.467Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "chromadb",
          "product": "ChromaDB",
          "repo": "https://github.com/chroma-core/chroma",
          "vendor": "Chroma",
          "versions": [
            {
              "lessThanOrEqual": "*",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cpre\u003eA lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant\u0027s collection regardless of which tenant they belong to.\u003c/pre\u003e"
            }
          ],
          "value": "A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant\u0027s collection regardless of which tenant they belong to."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T14:50:32.788Z",
        "orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
        "shortName": "HiddenLayer"
      },
      "references": [
        {
          "url": "https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
    "assignerShortName": "HiddenLayer",
    "cveId": "CVE-2026-8828",
    "datePublished": "2026-06-12T14:50:32.788Z",
    "dateReserved": "2026-05-18T13:23:36.281Z",
    "dateUpdated": "2026-06-12T16:00:39.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8786 (GCVE-0-2026-8786)

Vulnerability from cvelistv5 – Published: 2026-05-18 03:00 – Updated: 2026-05-18 14:28
VLAI
Title
Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization
Summary
A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/364410 vdb-entrytechnical-description
https://vuldb.com/vuln/364410/cti signaturepermissions-required
https://vuldb.com/submit/812172 third-party-advisory
https://gist.github.com/YLChen-007/1cdc50418f29af… exploit
Impacted products
Vendor Product Version
Tencent WeKnora Affected: 0.3.0
Affected: 0.3.1
Affected: 0.3.2
Affected: 0.3.3
Affected: 0.3.4
Affected: 0.3.5
Affected: 0.3.6
    cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Eric-z (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8786",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T14:28:11.260470Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-18T14:28:23.593Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Config API Endpoint"
          ],
          "product": "WeKnora",
          "vendor": "Tencent",
          "versions": [
            {
              "status": "affected",
              "version": "0.3.0"
            },
            {
              "status": "affected",
              "version": "0.3.1"
            },
            {
              "status": "affected",
              "version": "0.3.2"
            },
            {
              "status": "affected",
              "version": "0.3.3"
            },
            {
              "status": "affected",
              "version": "0.3.4"
            },
            {
              "status": "affected",
              "version": "0.3.5"
            },
            {
              "status": "affected",
              "version": "0.3.6"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-z (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-18T03:00:14.994Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-364410 | Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/364410"
        },
        {
          "name": "VDB-364410 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/364410/cti"
        },
        {
          "name": "Submit #812172 | Tencent WeKnora \u003c= v0.3.6 Insecure Direct Object Reference (CWE-639)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/812172"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/1cdc50418f29af7ae671466425e52c7b"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-17T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-05-17T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-05-17T12:28:46.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-8786",
    "datePublished": "2026-05-18T03:00:14.994Z",
    "dateReserved": "2026-05-17T10:23:37.846Z",
    "dateUpdated": "2026-05-18T14:28:23.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8679 (GCVE-0-2026-8679)

Vulnerability from cvelistv5 – Published: 2026-05-22 07:50 – Updated: 2026-05-22 10:20
VLAI
Title
AudioIgniter Music Player <= 2.0.2 - Unauthenticated Insecure Direct Object Reference to 'audioigniter_playlist_id' Parameter
Summary
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
cssigniterteam AudioIgniter Music Player Affected: 0 , ≤ 2.0.2 (semver)
Create a notification for this product.
Credits
nudien udin alfito ardi pratama
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T10:19:53.000491Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T10:20:11.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AudioIgniter Music Player",
          "vendor": "cssigniterteam",
          "versions": [
            {
              "lessThanOrEqual": "2.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nudien udin"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "alfito ardi pratama"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check \u2014 only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T07:50:27.202Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe573d64-036e-4f6f-bcc1-5183bb9ad2b9?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.php#L1315"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.php#L1263"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.php#L1257"
        },
        {
          "url": "https://github.com/cssigniter/audioigniter/commit/35a0508583c26c01b6ac446404ad6fe1d440d8d4"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-15T13:46:48.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-21T19:33:26.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "AudioIgniter Music Player \u003c= 2.0.2 - Unauthenticated Insecure Direct Object Reference to \u0027audioigniter_playlist_id\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-8679",
    "datePublished": "2026-05-22T07:50:27.202Z",
    "dateReserved": "2026-05-15T13:31:39.001Z",
    "dateUpdated": "2026-05-22T10:20:11.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8629 (GCVE-0-2026-8629)

Vulnerability from cvelistv5 – Published: 2026-05-14 19:11 – Updated: 2026-07-14 22:03 X_Open Source
VLAI
Title
Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endpoints
Summary
Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
openclaw crabbox Affected: 0 , < 0.12.0 (semver)
Unaffected: 95cb30dc7dbaa1fef690a42ef6ac1cb6e307a191 (git)
Create a notification for this product.
Date Public
2026-05-14 19:11
Credits
Chia Min Jun Lennon
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8629",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T19:50:02.258030Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:50:08.966Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/openclaw/crabbox/pull/71"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageURL": "pkg:github/openclaw/crabbox",
          "product": "crabbox",
          "repo": "https://github.com/openclaw/crabbox",
          "vendor": "openclaw",
          "versions": [
            {
              "lessThan": "0.12.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "95cb30dc7dbaa1fef690a42ef6ac1cb6e307a191",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Chia Min Jun Lennon"
        }
      ],
      "datePublic": "2026-05-14T19:11:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCrabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions.\u003c/p\u003e"
            }
          ],
          "value": "Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T22:03:59.017Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/openclaw/crabbox/releases/tag/v0.12.0"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/openclaw/crabbox/pull/71"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openclaw/crabbox/commit/95cb30dc7dbaa1fef690a42ef6ac1cb6e307a191"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/crabbox-privilege-escalation-via-agent-ticket-endpoints"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Crabbox \u003c v0.12.0 Privilege Escalation via Agent Ticket Endpoints",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-8629",
    "datePublished": "2026-05-14T19:11:59.982Z",
    "dateReserved": "2026-05-14T18:50:29.577Z",
    "dateUpdated": "2026-07-14T22:03:59.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8611 (GCVE-0-2026-8611)

Vulnerability from cvelistv5 – Published: 2026-06-06 03:28 – Updated: 2026-06-06 11:42
VLAI
Title
Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter
Summary
The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
klamra22 Klamra Paycal for Aspaclaria Affected: 0 , ≤ 1.1.4 (semver)
Create a notification for this product.
Credits
KEVIN LEE
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8611",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-06T11:33:58.894533Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-06T11:42:22.209Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Klamra Paycal for Aspaclaria",
          "vendor": "klamra22",
          "versions": [
            {
              "lessThanOrEqual": "1.1.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "KEVIN LEE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the \u0027invoice_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-06T03:28:25.476Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b07dc6ff-f88d-4c5a-8cd5-7c20f1755ece?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/render.php#L72"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/render.php#L72"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3555026%40klamra-paycal-for-aspaclaria\u0026new=3555026%40klamra-paycal-for-aspaclaria\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-30T18:14:50.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-05T14:28:53.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Klamra Paycal for Aspaclaria \u003c= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via \u0027invoice_id\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-8611",
    "datePublished": "2026-06-06T03:28:25.476Z",
    "dateReserved": "2026-05-14T16:04:08.456Z",
    "dateUpdated": "2026-06-06T11:42:22.209Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8406 (GCVE-0-2026-8406)

Vulnerability from cvelistv5 – Published: 2026-06-11 13:32 – Updated: 2026-06-11 14:28
VLAI
Title
openSIS Classic 9.3 - Insecure Direct Object Reference in Sent Mail
Summary
openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Daniel Celis
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8406",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T14:28:36.670105Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T14:28:42.669Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://fluidattacks.com/es/advisories/melanie"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux",
            "MacOS"
          ],
          "product": "openSIS-Classic",
          "vendor": "OS4ED",
          "versions": [
            {
              "status": "affected",
              "version": "9.3"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:os4ed:opensis-classic:9.3:*:windows:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:os4ed:opensis-classic:9.3:*:linux:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:os4ed:opensis-classic:9.3:*:macos:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Celis"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eopenSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from \u003c/span\u003e\u003ccode\u003emodules/messaging/SentMail.php\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e by supplying an arbitrary \u003c/span\u003e\u003ccode\u003email_id\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e value.\u003c/span\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T13:35:26.247Z",
        "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "shortName": "Fluid Attacks"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://fluidattacks.com/es/advisories/melanie"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/OS4ED/openSIS-Classic/commit/c45d43146167324bae06bdf09de3e4bd2e5e478f"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/OS4ED/openSIS-Classic"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "openSIS Classic 9.3 - Insecure Direct Object Reference in Sent Mail",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
    "assignerShortName": "Fluid Attacks",
    "cveId": "CVE-2026-8406",
    "datePublished": "2026-06-11T13:32:36.738Z",
    "dateReserved": "2026-05-12T15:47:59.042Z",
    "dateUpdated": "2026-06-11T14:28:42.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8347 (GCVE-0-2026-8347)

Vulnerability from cvelistv5 – Published: 2026-05-22 14:06 – Updated: 2026-05-22 17:21
VLAI
Title
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog
Summary
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog.  This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Impacted products
Vendor Product Version
Concrete CMS Concrete CMS Affected: 5.0 , ≤ 9.5.0 (git)
Create a notification for this product.
Credits
Winston Crooker
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8347",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:19:06.763707Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:21:46.546Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/concretecms/concretecms",
          "defaultStatus": "unaffected",
          "product": "Concrete CMS",
          "repo": "https://github.com/concretecms/concretecms",
          "vendor": "Concrete CMS",
          "versions": [
            {
              "lessThanOrEqual": "9.5.0",
              "status": "affected",
              "version": "5.0",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Winston Crooker"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eConcrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog.\u0026nbsp; This can cause\u0026nbsp;\u003cspan\u003eCross-entity state tampering\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003ewith view-only permission on one entry.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eTo be affected, a web\u003c/span\u003e\u003cspan\u003esite has to be using express and relying on express entity ordering.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eThe Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector\u0026nbsp;CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.\u0026nbsp;\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003c/div\u003e"
            }
          ],
          "value": "Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog.\u00a0 This can cause\u00a0Cross-entity state tampering\u00a0with view-only permission on one entry.\u00a0To be affected, a website has to be using express and relying on express entity ordering.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        },
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T14:06:34.257Z",
        "orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
        "shortName": "ConcreteCMS"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
        }
      ],
      "source": {
        "advisory": "https://hackerone.com/reports/3682859",
        "defect": [
          "HackerOne"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
    "assignerShortName": "ConcreteCMS",
    "cveId": "CVE-2026-8347",
    "datePublished": "2026-05-22T14:06:34.257Z",
    "dateReserved": "2026-05-11T16:28:20.551Z",
    "dateUpdated": "2026-05-22T17:21:46.546Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8337 (GCVE-0-2026-8337)

Vulnerability from cvelistv5 – Published: 2026-05-21 21:13 – Updated: 2026-05-22 13:13
VLAI
Title
Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running concurrent public surveys and private surveys
Summary
Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks  Zer0daySec https://github.com/Zee99y  for reporting
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
  • CWE-565 - Reliance on cookies without validation and integrity checking
Assigner
References
Impacted products
Vendor Product Version
Concrete CMS Concrete CMS Affected: 5.0 , ≤ 9.5.0 (git)
Create a notification for this product.
Credits
Zer0daySec (GitHub: https://github.com/Zee99y)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8337",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T13:13:50.327710Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T13:13:57.212Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/concretecms/concretecms",
          "defaultStatus": "unaffected",
          "product": "Concrete CMS",
          "repo": "https://github.com/concretecms/concretecms",
          "vendor": "Concrete CMS",
          "versions": [
            {
              "lessThanOrEqual": "9.5.0",
              "status": "affected",
              "version": "5.0",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Zer0daySec (GitHub: https://github.com/Zee99y)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eConcrete CMS 9.5.0 and below is vulnerable to IDOR in surveys.\u0026nbsp;\u003cspan\u003eTo be vulnerable, a\u003c/span\u003e\u003cspan\u003e\u0026nbsp;site would have to be configured in such a way that both public and private surveys are present on the site. An\u0026nbsp;\u003c/span\u003e\u003cspan\u003eunauthenticated attacker can vote in the restricted survey by submitting the restricted \u003c/span\u003e\u003ccode\u003eoptionID\u003c/code\u003e\u003cspan\u003e through the public survey\u2019s endpoint.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eThe Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u003c/span\u003e\u003cspan\u003e\u0026nbsp;6.3 with vector\u0026nbsp;\u003c/span\u003e\u003cspan\u003eCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u0026nbsp;\u003c/span\u003e\u003cspan\u003e\u003ca href=\"https://github.com/Zee99y\"\u003eZer0daySec\u003c/a\u003e\u0026nbsp;for reporting\u003c/span\u003e\u003c/div\u003e"
            }
          ],
          "value": "Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys.\u00a0To be vulnerable, a\u00a0site would have to be configured in such a way that both public and private surveys are present on the site. An\u00a0unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey\u2019s endpoint.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a06.3 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u00a0 Zer0daySec https://github.com/Zee99y \u00a0for reporting"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-31",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies"
            }
          ]
        },
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-565",
              "description": "CWE-565 Reliance on cookies without validation and integrity checking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T21:13:07.640Z",
        "orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
        "shortName": "ConcreteCMS"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
        }
      ],
      "source": {
        "advisory": "https://hackerone.com/reports/3647015",
        "defect": [
          "HackerOne"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running concurrent public surveys and private surveys",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
    "assignerShortName": "ConcreteCMS",
    "cveId": "CVE-2026-8337",
    "datePublished": "2026-05-21T21:13:07.640Z",
    "dateReserved": "2026-05-11T15:59:55.797Z",
    "dateUpdated": "2026-05-22T13:13:57.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8204 (GCVE-0-2026-8204)

Vulnerability from cvelistv5 – Published: 2026-05-21 20:56 – Updated: 2026-05-22 12:27
VLAI
Title
Concrete CMS 9.5.0 and below is vulnerable to Authorization Bypass in the Calendar Event Frontend Dialog
Summary
Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Impacted products
Vendor Product Version
Concrete CMS Concrete CMS Affected: 5 , ≤ 9.5.0 (git)
Create a notification for this product.
Credits
Winston Crooker
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8204",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T12:27:29.187587Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T12:27:38.540Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/concretecms/concretecms",
          "defaultStatus": "unaffected",
          "product": "Concrete CMS",
          "repo": "https://github.com/concretecms/concretecms",
          "vendor": "Concrete CMS",
          "versions": [
            {
              "lessThanOrEqual": "9.5.0",
              "status": "affected",
              "version": "5",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Winston Crooker"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u0026nbsp;6.3 with vector\u0026nbsp;CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks\u0026nbsp;Winston Crooker for reporting.\u0026nbsp;"
            }
          ],
          "value": "Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a06.3 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks\u00a0Winston Crooker for reporting."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-116",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-116 Excavation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T20:56:33.018Z",
        "orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
        "shortName": "ConcreteCMS"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
        }
      ],
      "source": {
        "advisory": "https://hackerone.com/reports/3641132",
        "defect": [
          "HackerOne"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Concrete CMS 9.5.0 and below is vulnerable to Authorization Bypass in the Calendar Event Frontend Dialog",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
    "assignerShortName": "ConcreteCMS",
    "cveId": "CVE-2026-8204",
    "datePublished": "2026-05-21T20:56:33.018Z",
    "dateReserved": "2026-05-09T00:11:45.659Z",
    "dateUpdated": "2026-05-22T12:27:38.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.