Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5559 vulnerabilities reference this CWE, most recent first.

GHSA-CPM7-MV33-JWF8

Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-04-25 17:28
VLAI
Summary
Moodle's AJAX section delete does not respect course_can_delete_section()
Details

A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0-beta"
            },
            {
              "fixed": "4.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0-beta"
            },
            {
              "fixed": "4.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0-beta"
            },
            {
              "fixed": "4.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-3644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-25T17:28:20Z",
    "nvd_published_at": "2025-04-25T15:15:38Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.",
  "id": "GHSA-cpm7-mv33-jwf8",
  "modified": "2025-04-25T17:28:20Z",
  "published": "2025-04-25T15:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3644"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3644"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359745"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-83994\u0026type=commits"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=467605"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moodle\u0027s AJAX section delete does not respect course_can_delete_section()"
}

GHSA-CPMJ-H4F6-R6PQ

Vulnerability from github – Published: 2026-02-09 17:19 – Updated: 2026-02-09 22:39
VLAI
Summary
Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
Details

Summary

A security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit.

Note: This vulnerability only affects audit mode. When using egress-policy: block, these connections are properly blocked. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies)

Affected Versions

  • Harden-Runner Community Tier: All versions prior to v2.14.2
  • Harden-Runner Enterprise Tier: NOT AFFECTED

Severity

Medium - This vulnerability affects audit logging capabilities but requires the attacker to already have code execution within the workflow.

Impact

When Harden-Runner is configured in audit mode (egress-policy: audit), attackers with the ability to execute arbitrary code in a workflow can: - Send outbound network traffic without generating audit logs - Bypass network monitoring for UDP-based communications

Important: This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies).

Technical Details

The vulnerability stems from incomplete monitoring coverage of certain socket-related system calls. Specifically, the following system calls can be used to send UDP traffic without triggering audit events:

  • sendto()

  • sendmsg()

  • sendmmsg()

An attacker with code execution in a workflow can compile and execute native code that uses these system calls to establish covert communication channels.

Affected Users

This vulnerability ONLY affects users of the Harden-Runner Community Tier.

The Harden-Runner Enterprise Tier is NOT vulnerable to this bypass technique.

Remediation

For Community Tier Users

Upgrade to Harden-Runner v2.14.2 or later. This version includes fixes for the logging bypass vulnerability.

For Enterprise Tier Users

No action required. Enterprise tier customers are not affected by this vulnerability.

Credit

We would like to thank Devansh Batham for responsibly disclosing this vulnerability through our security reporting process. Devansh was communicative throughout the process and verified the fix before the fix before it was made public.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "step-security/harden-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-221",
      "CWE-778",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-09T17:19:14Z",
    "nvd_published_at": "2026-02-09T20:15:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary \n\nA security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the `sendto`, `sendmsg`, and `sendmmsg` socket system calls can bypass detection and logging when using `egress-policy: audit`. \n\n**Note:** This vulnerability only affects audit mode. When using `egress-policy: block`, these connections are properly blocked. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies)\n\n## Affected Versions \n\n- Harden-Runner Community Tier: All versions prior to v2.14.2 \n- Harden-Runner Enterprise Tier: **NOT AFFECTED** \n\n## Severity \n\n**Medium** - This vulnerability affects audit logging capabilities but requires the attacker to already have code execution within the workflow. \n\n## Impact \n\nWhen Harden-Runner is configured in audit mode (`egress-policy: audit`), attackers with the ability to execute arbitrary code in a workflow can: \n- Send outbound network traffic without generating audit logs \n- Bypass network monitoring for UDP-based communications \n\n**Important:** This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies). \n\n## Technical Details \n\nThe vulnerability stems from incomplete monitoring coverage of certain socket-related system calls. Specifically, the following system calls can be used to send UDP traffic without triggering audit events: \n\n- `sendto()` \n\n- `sendmsg()` \n\n- `sendmmsg()` \n\nAn attacker with code execution in a workflow can compile and execute native code that uses these system calls to establish covert communication channels. \n\n## Affected Users \n\n**This vulnerability ONLY affects users of the Harden-Runner Community Tier.** \n\nThe Harden-Runner Enterprise Tier is **NOT vulnerable** to this bypass technique. \n\n## Remediation \n\n### For Community Tier Users \n \n**Upgrade to Harden-Runner v2.14.2 or later.** This version includes fixes for the logging bypass vulnerability. \n\n### For Enterprise Tier Users \n\nNo action required. Enterprise tier customers are not affected by this vulnerability. \n\n## Credit \n\nWe would like to thank [Devansh Batham](https://github.com/devanshbatham) for responsibly disclosing this vulnerability through our security reporting process. Devansh was communicative throughout the process and verified the fix before the fix before it was made public.",
  "id": "GHSA-cpmj-h4f6-r6pq",
  "modified": "2026-02-09T22:39:28Z",
  "published": "2026-02-09T17:19:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/commit/5ef0c079ce82195b2a36a210272d6b661572d83e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/step-security/harden-runner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)"
}

GHSA-CQ2F-P9QC-XC92

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2022-10-13 19:00
VLAI
Details

Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/ and /api/settings/. By not verifying the permissions for access to resources, it allows a potential attacker to view pages, with sensitive data, that are not allowed, and modify system configurations also causing DoS, which should be accessed only by user with administration profile, bypassing all controls (without checking for user identity).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-12T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI \u003c R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api/settings/*. By not verifying the permissions for access to resources, it allows a potential attacker to view pages, with sensitive data, that are not allowed, and modify system configurations also causing DoS, which should be accessed only by user with administration profile, bypassing all controls (without checking for user identity).",
  "id": "GHSA-cq2f-p9qc-xc92",
  "modified": "2022-10-13T19:00:21Z",
  "published": "2022-10-12T12:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28866"
    },
    {
      "type": "WEB",
      "url": "https://www.gruppotim.it/it/footer/red-team.html"
    },
    {
      "type": "WEB",
      "url": "https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQ2J-C37J-79HH

Vulnerability from github – Published: 2022-12-21 18:30 – Updated: 2022-12-21 18:30
VLAI
Details

Adobe Experience Manager version 6.5.14 (and earlier) is affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to disclose low level confidentiality information. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-16T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Experience Manager version 6.5.14 (and earlier) is affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to disclose low level confidentiality information. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-cq2j-c37j-79hh",
  "modified": "2022-12-21T18:30:23Z",
  "published": "2022-12-21T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42351"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/experience-manager/apsb22-59.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQ3F-VC6P-68FH

Vulnerability from github – Published: 2026-06-04 14:55 – Updated: 2026-06-09 11:58
VLAI
Summary
Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
Details

Am I affected?

You are affected if all of the following are true:

  • You use better-auth at a version >= 1.6.0, < 1.6.11.
  • The deviceAuthorization plugin is enabled in your auth config (deviceAuthorization() in your plugins array).
  • A third party can observe a pending user code before the legitimate user completes verification.

The standard device-flow UX displays user codes to humans, so realistic exposure includes shoulder-surfing, screen-share, voice or video calls, support-chat transcripts, referrer headers, and shared logs.

If your application does not enable the deviceAuthorization plugin, you are not affected.

Fix:

  1. Upgrade to better-auth@1.6.11 or later.
  2. If you cannot upgrade, see workarounds below.

Summary

Better Auth's deviceAuthorization plugin treated any authenticated session as the owner of any pending device code. The ownership gate on POST /device/approve and POST /device/deny short-circuited whenever the row's userId was unset, and the GET /device verification handler did not claim the row. An authenticated attacker who learned a valid user_code before the legitimate user completed approval could bind the polling device to the attacker's account or deny the legitimate flow.

Details

The device authorization flow binds the polling device to the user who entered the user code on the verification page. In affected versions, the plugin only created that binding at approve or deny time, with no claim at the verification step. The ownership check at approve and deny short-circuited when the owner was missing, accepting any authenticated caller instead of rejecting the request.

The fix changes GET /device to claim the pending row for the calling session. The approve and deny gates now require strict equality between the row's owner and the calling session. RFC 8628 §5.5 covers this risk class as Session Spying: a malicious party can hijack a session by completing authorization before the legitimate initiating user does.

Patches

Fixed in better-auth@1.6.11. After the patch, GET /device claims the pending row for the calling session, and POST /device/approve and POST /device/deny reject calls whose session does not match the claimed owner. Custom verification pages must serve GET /device to an authenticated session for the flow to succeed.

Workarounds

If you cannot upgrade immediately:

  • Disable the plugin if you do not use the device flow: remove deviceAuthorization() from your plugins array.
  • Add a before hook on POST /device/approve and POST /device/deny that tracks which session called GET /device for each user code, and rejects calls from a different session.
  • Shorten the pending lifetime of device codes via the expiresIn plugin option to reduce the exploitation window.

Impact

  • Account takeover on the polling device: the attacker's session becomes the device's session, so the device operates as the attacker.
  • Denial of the legitimate sign-in: the attacker can mark the code as denied, blocking the victim's flow.

Credit

Reported by Quikturn Security Team.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "better-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-345",
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T14:55:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Am I affected?\n\nYou are affected if all of the following are true:\n\n- You use `better-auth` at a version `\u003e= 1.6.0, \u003c 1.6.11`.\n- The `deviceAuthorization` plugin is enabled in your auth config (`deviceAuthorization()` in your `plugins` array).\n- A third party can observe a pending user code before the legitimate user completes verification.\n\nThe standard device-flow UX displays user codes to humans, so realistic exposure includes shoulder-surfing, screen-share, voice or video calls, support-chat transcripts, referrer headers, and shared logs.\n\nIf your application does not enable the `deviceAuthorization` plugin, you are not affected.\n\nFix:\n\n1. Upgrade to `better-auth@1.6.11` or later.\n2. If you cannot upgrade, see workarounds below.\n\n### Summary\n\nBetter Auth\u0027s `deviceAuthorization` plugin treated any authenticated session as the owner of any pending device code. The ownership gate on `POST /device/approve` and `POST /device/deny` short-circuited whenever the row\u0027s `userId` was unset, and the `GET /device` verification handler did not claim the row. An authenticated attacker who learned a valid `user_code` before the legitimate user completed approval could bind the polling device to the attacker\u0027s account or deny the legitimate flow.\n\n### Details\n\nThe device authorization flow binds the polling device to the user who entered the user code on the verification page. In affected versions, the plugin only created that binding at approve or deny time, with no claim at the verification step. The ownership check at approve and deny short-circuited when the owner was missing, accepting any authenticated caller instead of rejecting the request.\n\nThe fix changes `GET /device` to claim the pending row for the calling session. The approve and deny gates now require strict equality between the row\u0027s owner and the calling session. RFC 8628 \u00a75.5 covers this risk class as Session Spying: a malicious party can hijack a session by completing authorization before the legitimate initiating user does.\n\n### Patches\n\nFixed in `better-auth@1.6.11`. After the patch, `GET /device` claims the pending row for the calling session, and `POST /device/approve` and `POST /device/deny` reject calls whose session does not match the claimed owner. Custom verification pages must serve `GET /device` to an authenticated session for the flow to succeed.\n\n### Workarounds\n\nIf you cannot upgrade immediately:\n\n- **Disable the plugin** if you do not use the device flow: remove `deviceAuthorization()` from your `plugins` array.\n- **Add a `before` hook** on `POST /device/approve` and `POST /device/deny` that tracks which session called `GET /device` for each user code, and rejects calls from a different session.\n- **Shorten the pending lifetime of device codes** via the `expiresIn` plugin option to reduce the exploitation window.\n\n### Impact\n\n- **Account takeover on the polling device**: the attacker\u0027s session becomes the device\u0027s session, so the device operates as the attacker.\n- **Denial of the legitimate sign-in**: the attacker can mark the code as denied, blocking the victim\u0027s flow.\n\n### Credit\n\nReported by Quikturn Security Team.\n\n### References\n\n- [CWE-285: Improper Authorization](https://cwe.mitre.org/data/definitions/285.html)\n- [CWE-863: Incorrect Authorization](https://cwe.mitre.org/data/definitions/863.html)\n- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)\n- [RFC 8628 \u00a75.5: Session Spying](https://datatracker.ietf.org/doc/html/rfc8628#section-5.5)",
  "id": "GHSA-cq3f-vc6p-68fh",
  "modified": "2026-06-09T11:58:19Z",
  "published": "2026-06-04T14:55:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-cq3f-vc6p-68fh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/pull/9573"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/better-auth/better-auth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending"
}

GHSA-CQ7V-6GR4-8HX4

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-09-05 18:31
VLAI
Details

NVIDIA ConnectX contains a vulnerability in the management interface, where an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T16:15:34Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA ConnectX contains a vulnerability in the management interface, where an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.",
  "id": "GHSA-cq7v-6gr4-8hx4",
  "modified": "2025-09-05T18:31:15Z",
  "published": "2025-09-05T18:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23262"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5655"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23262"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQC8-8583-C382

Vulnerability from github – Published: 2025-01-28 18:31 – Updated: 2025-01-28 18:31
VLAI
Details

A privilege escalation vulnerability exists in the web-based management interface of HPE Aruba Networking Fabric Composer. Successful exploitation could allow an authenticated low privilege operator user to change the state of certain settings of a vulnerable system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-28T18:15:38Z",
    "severity": "MODERATE"
  },
  "details": "A privilege escalation vulnerability exists in the web-based management interface of HPE Aruba Networking Fabric Composer. Successful exploitation could allow an authenticated low privilege operator user to change the state of certain settings of a vulnerable system.",
  "id": "GHSA-cqc8-8583-c382",
  "modified": "2025-01-28T18:31:28Z",
  "published": "2025-01-28T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23053"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04775en_us\u0026docLocale=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQCC-25CV-67XR

Vulnerability from github – Published: 2022-04-03 00:01 – Updated: 2022-04-13 00:00
VLAI
Details

Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-01T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.",
  "id": "GHSA-cqcc-25cv-67xr",
  "modified": "2022-04-13T00:00:51Z",
  "published": "2022-04-03T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0390"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1179733"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0390.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/330030"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQGR-63WX-2GM4

Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2025-10-15 15:30
VLAI
Details

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-27T19:15:19Z",
    "severity": "MODERATE"
  },
  "details": "In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the \u0027Prompt Editor\u0027 role, to modify organization attributes without proper authorization.",
  "id": "GHSA-cqgr-63wx-2gm4",
  "modified": "2025-10-15T15:30:19Z",
  "published": "2024-06-27T21:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQGW-44WG-44RF

Vulnerability from github – Published: 2026-04-03 03:17 – Updated: 2026-04-28 18:16
VLAI
Summary
OpenClaw: Discord voice manager bypasses channel-level member access allowlist
Details

Summary

Discord voice manager bypasses channel-level member access allowlist

Current Maintainer Triage

  • Status: open
  • Normalized severity: medium
  • Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real shipped access-control bug.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • dba96e7507e0900f120e5e28e57755d69bf78759 — 2026-03-31T21:29:13+09:00

Release Process Note

  • The fix is already present in released version 2026.3.31.
  • This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @zsxsoft for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T03:17:22Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nDiscord voice manager bypasses channel-level member access allowlist\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real shipped access-control bug.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `dba96e7507e0900f120e5e28e57755d69bf78759` \u2014 2026-03-31T21:29:13+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zsxsoft for reporting.",
  "id": "GHSA-cqgw-44wg-44rf",
  "modified": "2026-04-28T18:16:34Z",
  "published": "2026-04-03T03:17:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Discord voice manager bypasses channel-level member access allowlist"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.