CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5562 vulnerabilities reference this CWE, most recent first.
GHSA-CQGR-63WX-2GM4
Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2025-10-15 15:30In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.
{
"affected": [],
"aliases": [
"CVE-2024-6086"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-27T19:15:19Z",
"severity": "MODERATE"
},
"details": "In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the \u0027Prompt Editor\u0027 role, to modify organization attributes without proper authorization.",
"id": "GHSA-cqgr-63wx-2gm4",
"modified": "2025-10-15T15:30:19Z",
"published": "2024-06-27T21:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6086"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQGW-44WG-44RF
Vulnerability from github – Published: 2026-04-03 03:17 – Updated: 2026-04-28 18:16Summary
Discord voice manager bypasses channel-level member access allowlist
Current Maintainer Triage
- Status: open
- Normalized severity: medium
- Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real shipped access-control bug.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
dba96e7507e0900f120e5e28e57755d69bf78759— 2026-03-31T21:29:13+09:00
Release Process Note
- The fix is already present in released version
2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
Thanks @zsxsoft for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41381"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:17:22Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nDiscord voice manager bypasses channel-level member access allowlist\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real shipped access-control bug.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `dba96e7507e0900f120e5e28e57755d69bf78759` \u2014 2026-03-31T21:29:13+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zsxsoft for reporting.",
"id": "GHSA-cqgw-44wg-44rf",
"modified": "2026-04-28T18:16:34Z",
"published": "2026-04-03T03:17:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Discord voice manager bypasses channel-level member access allowlist"
}
GHSA-CQQG-QHCP-9MQR
Vulnerability from github – Published: 2024-11-29 06:35 – Updated: 2024-11-29 21:31In Click Studios Passwordstate before build 9920, there is a potential permission escalation on the edit folder screen.
{
"affected": [],
"aliases": [
"CVE-2024-54124"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-29T04:15:04Z",
"severity": "HIGH"
},
"details": "In Click Studios Passwordstate before build 9920, there is a potential permission escalation on the edit folder screen.",
"id": "GHSA-cqqg-qhcp-9mqr",
"modified": "2024-11-29T21:31:03Z",
"published": "2024-11-29T06:35:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54124"
},
{
"type": "WEB",
"url": "https://www.clickstudios.com.au/passwordstate-changelog.aspx"
},
{
"type": "WEB",
"url": "https://www.clickstudios.com.au/security/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CQRW-J4QC-7F9W
Vulnerability from github – Published: 2026-05-15 21:31 – Updated: 2026-06-08 23:59Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-289f-fq7w-6q2w. This link is maintained to preserve external references.
Original Description
phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyfaq/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-08T23:59:55Z",
"nvd_published_at": "2026-05-15T19:17:03Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-289f-fq7w-6q2w. This link is maintained to preserve external references.\n\n### Original Description\nphpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.",
"id": "GHSA-cqrw-j4qc-7f9w",
"modified": "2026-06-08T23:59:55Z",
"published": "2026-05-15T21:31:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46366"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-information-disclosure-via-getidfromsolutionid-permission-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query",
"withdrawn": "2026-06-08T23:59:55Z"
}
GHSA-CQWH-GP47-J7Q9
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-07-13 00:01Stormshield Endpoint Security 2.x before 2.1.2 has Incorrect Access Control.
{
"affected": [],
"aliases": [
"CVE-2021-45089"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T16:15:00Z",
"severity": "MODERATE"
},
"details": "Stormshield Endpoint Security 2.x before 2.1.2 has Incorrect Access Control.",
"id": "GHSA-cqwh-gp47-j7q9",
"modified": "2022-07-13T00:01:50Z",
"published": "2021-12-22T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45089"
},
{
"type": "WEB",
"url": "https://advisories.stormshield.eu/2021-071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CR22-WJX7-2W6M
Vulnerability from github – Published: 2026-05-21 20:33 – Updated: 2026-06-12 19:26Summary
mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic.
Fixed in v3.6.0.
Impact
An attacker or misconfigured AI agent with network access to the MCP server's HTTP endpoint could invoke any Kubernetes tool regardless of the restriction mode configured by the operator -- including kubectl_delete, exec_in_pod, kubectl_generic, and node_management.
The project explicitly supports and documents multi-client HTTP deployment scenarios (Streamable HTTP and SSE transports, in-cluster deployments, Codex CLI and Gemini CLI integrations). In these deployments, operators relied on the tool restriction env vars to enforce least-privilege access across users or roles. The bypass invalidated that model entirely.
Severity scales with the Kubernetes service account's permissions. In environments where the MCP server runs with cluster-admin (common in dev/staging), this is equivalent to full cluster compromise for any client that can reach the endpoint.
The MCP_AUTH_TOKEN / X-MCP-AUTH mechanism controls who can reach the endpoint but provides no per-tool authorization. An authenticated client restricted to ALLOWED_TOOLS=kubectl_get could still invoke kubectl_delete after authentication.
Root Cause
In src/index.ts, the ListToolsRequestSchema handler applied the configured filtering logic before returning available tools. The CallToolRequestSchema handler dispatched directly by tool name with no equivalent check -- every tool was reachable unconditionally.
Proof of Concept
Tested across all three restriction modes against a live kind cluster. In each case, kubectl_delete was absent from tools/list but executed successfully via a direct tools/call request:
curl -s http://<HOST>:3003/mcp \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kubectl_delete","arguments":{"resourceType":"pod","name":"test-pod","namespace":"default"}}}'
Result: {"result":{"content":[{"type":"text","text":"pod \"test-pod\" deleted\n"}]}}
Confirmed across ALLOW_ONLY_READONLY_TOOLS=true, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS=true, and ALLOWED_TOOLS=kubectl_get.
Remediation
The fix applies the same filtering logic from ListToolsRequestSchema at the start of the CallToolRequestSchema handler, returning an error for any tool call outside the active allowed set. Fixed in v3.6.0.
Credit
Discovered by Francisco Rosales of Manifold Security, coordinated by Ax Sharma, Head of Research at Manifold Security.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mcp-server-kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46519"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T20:33:46Z",
"nvd_published_at": "2026-06-11T19:16:42Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`mcp-server-kubernetes` exposes three environment variables (`ALLOW_ONLY_READONLY_TOOLS`, `ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS`, `ALLOWED_TOOLS`) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (`tools/list`) but not at the execution layer (`tools/call`). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic.\n\nFixed in v3.6.0.\n\n## Impact\n\nAn attacker or misconfigured AI agent with network access to the MCP server\u0027s HTTP endpoint could invoke any Kubernetes tool regardless of the restriction mode configured by the operator -- including `kubectl_delete`, `exec_in_pod`, `kubectl_generic`, and `node_management`.\n\nThe project explicitly supports and documents multi-client HTTP deployment scenarios (Streamable HTTP and SSE transports, in-cluster deployments, Codex CLI and Gemini CLI integrations). In these deployments, operators relied on the tool restriction env vars to enforce least-privilege access across users or roles. The bypass invalidated that model entirely.\n\nSeverity scales with the Kubernetes service account\u0027s permissions. In environments where the MCP server runs with `cluster-admin` (common in dev/staging), this is equivalent to full cluster compromise for any client that can reach the endpoint.\n\nThe `MCP_AUTH_TOKEN` / `X-MCP-AUTH` mechanism controls who can reach the endpoint but provides no per-tool authorization. An authenticated client restricted to `ALLOWED_TOOLS=kubectl_get` could still invoke `kubectl_delete` after authentication.\n\n## Root Cause\n\nIn `src/index.ts`, the `ListToolsRequestSchema` handler applied the configured filtering logic before returning available tools. The `CallToolRequestSchema` handler dispatched directly by tool name with no equivalent check -- every tool was reachable unconditionally.\n\n## Proof of Concept\n\nTested across all three restriction modes against a live kind cluster. In each case, `kubectl_delete` was absent from `tools/list` but executed successfully via a direct `tools/call` request:\n\n```shell\ncurl -s http://\u003cHOST\u003e:3003/mcp \\\n -H \u0027Content-Type: application/json\u0027 \\\n -H \u0027Accept: application/json, text/event-stream\u0027 \\\n -d \u0027{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/call\",\"params\":{\"name\":\"kubectl_delete\",\"arguments\":{\"resourceType\":\"pod\",\"name\":\"test-pod\",\"namespace\":\"default\"}}}\u0027\n```\n\nResult: `{\"result\":{\"content\":[{\"type\":\"text\",\"text\":\"pod \\\"test-pod\\\" deleted\\n\"}]}}`\n\nConfirmed across `ALLOW_ONLY_READONLY_TOOLS=true`, `ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS=true`, and `ALLOWED_TOOLS=kubectl_get`.\n\n## Remediation\n\nThe fix applies the same filtering logic from `ListToolsRequestSchema` at the start of the `CallToolRequestSchema` handler, returning an error for any tool call outside the active allowed set. Fixed in v3.6.0.\n\n## Credit\n\nDiscovered by [Francisco Rosales](https://www.linkedin.com/in/francisco-rosales-celis/) of [Manifold Security](https://manifold.security), coordinated by [Ax Sharma](https://www.linkedin.com/in/axsharma/), Head of Research at Manifold Security.",
"id": "GHSA-cr22-wjx7-2w6m",
"modified": "2026-06-12T19:26:31Z",
"published": "2026-05-21T20:33:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-cr22-wjx7-2w6m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46519"
},
{
"type": "PACKAGE",
"url": "https://github.com/Flux159/mcp-server-kubernetes"
},
{
"type": "WEB",
"url": "https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.6.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement"
}
GHSA-CR2H-5RWF-JG3M
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-08-31 00:00The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue.
{
"affected": [],
"aliases": [
"CVE-2021-24851"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-17T11:15:00Z",
"severity": "MODERATE"
},
"details": "The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue.",
"id": "GHSA-cr2h-5rwf-jg3m",
"modified": "2022-08-31T00:00:21Z",
"published": "2022-05-24T19:20:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24851"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2614442/insert-pages"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CR2M-6C94-6P5P
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17A vulnerability in the management console of Cisco Firepower System Software could allow an unauthenticated, remote attacker to access sensitive data about the system. The vulnerability is due to improper cross-origin domain protections for the WebSocket protocol. An attacker could exploit this vulnerability by convincing a user to visit a malicious website designed to send requests to the affected application while the user is logged into the application with an active session cookie. A successful exploit could allow the attacker to retrieve policy or configuration information from the affected software and to perform another attack against the management console. Cisco Bug IDs: CSCvh68311.
{
"affected": [],
"aliases": [
"CVE-2018-0278"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-02T22:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the management console of Cisco Firepower System Software could allow an unauthenticated, remote attacker to access sensitive data about the system. The vulnerability is due to improper cross-origin domain protections for the WebSocket protocol. An attacker could exploit this vulnerability by convincing a user to visit a malicious website designed to send requests to the affected application while the user is logged into the application with an active session cookie. A successful exploit could allow the attacker to retrieve policy or configuration information from the affected software and to perform another attack against the management console. Cisco Bug IDs: CSCvh68311.",
"id": "GHSA-cr2m-6c94-6p5p",
"modified": "2022-05-13T01:17:27Z",
"published": "2022-05-13T01:17:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0278"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-fpwr-dos"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104122"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CR3F-R24J-3CHW
Vulnerability from github – Published: 2021-10-05 17:53 – Updated: 2024-09-13 17:50Cobbler before 3.3.0 allows authorization bypass for modification of settings.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cobbler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-40325"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-05T16:00:07Z",
"nvd_published_at": "2021-10-04T06:15:00Z",
"severity": "HIGH"
},
"details": "Cobbler before 3.3.0 allows authorization bypass for modification of settings.",
"id": "GHSA-cr3f-r24j-3chw",
"modified": "2024-09-13T17:50:35Z",
"published": "2021-10-05T17:53:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40325"
},
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-cr3f-r24j-3chw"
},
{
"type": "PACKAGE",
"url": "https://github.com/cobbler/cobbler"
},
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-375.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Cobbler before 3.3.0 allows authorization bypass for modification of settings."
}
GHSA-CR4G-F395-H25H
Vulnerability from github – Published: 2026-06-16 23:42 – Updated: 2026-06-16 23:42Summary
PR #37698 added checkDownloadTokenScope to /raw/, /media/, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2 (registered at routers/web/web.go:1649-1652) but does not call checkDownloadTokenScope or CheckRepoScopedToken.
A personal access token with any non-repository scope (e.g., read:issue or read:misc) can download full repository archives (zip/tar.gz) of private repositories the token owner has access to.
Impact
Scope escalation: tokens scoped to non-repository categories can access full repository content through the archive download endpoint. Higher impact than endpoints fixed in #37698 because /archive/* serves the entire repository.
Steps to Reproduce
- Create a personal access token with ONLY read:misc scope
- Access: GET /{owner}/{private-repo}/archive/main.tar.gz
- Archive is served (200 OK) instead of being rejected (403 Forbidden)
Compare with fixed endpoints: - GET /{owner}/{private-repo}/raw/branch/main/README.md correctly returns 403
Root Cause
Download function in routers/web/repo/repo.go:372 does not call checkDownloadTokenScope. The outer group middleware reqUnitCodeReader checks repository permission but not token scope.
The API equivalent (/api/v1/repos/{owner}/{repo}/archive/*) IS properly scoped via tokenRequiresScopes(AccessTokenScopeCategoryRepository). The git HTTP endpoints are scoped via CheckRepoScopedToken in httpBase.
Suggested Fix
Add checkDownloadTokenScope(ctx) to Download and InitiateDownload in routers/web/repo/repo.go. The function already exists in routers/web/repo/download.go (same package).
Discovery Method
Variant analysis of PR #37698 — reviewed all web routes with webAuth.AllowOAuth2 middleware.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.26.1"
},
"package": {
"ecosystem": "Go",
"name": "code.gitea.io/gitea"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-20706"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T23:42:04Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nPR #37698 added checkDownloadTokenScope to /raw/*, /media/*, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2 (registered at routers/web/web.go:1649-1652) but does not call checkDownloadTokenScope or CheckRepoScopedToken.\n\nA personal access token with any non-repository scope (e.g., read:issue or read:misc) can download full repository archives (zip/tar.gz) of private repositories the token owner has access to.\n\n## Impact\n\nScope escalation: tokens scoped to non-repository categories can access full repository content through the archive download endpoint. Higher impact than endpoints fixed in #37698 because /archive/* serves the entire repository.\n\n## Steps to Reproduce\n\n1. Create a personal access token with ONLY read:misc scope\n2. Access: GET /{owner}/{private-repo}/archive/main.tar.gz\n3. Archive is served (200 OK) instead of being rejected (403 Forbidden)\n\nCompare with fixed endpoints:\n- GET /{owner}/{private-repo}/raw/branch/main/README.md correctly returns 403\n\n## Root Cause\n\nDownload function in routers/web/repo/repo.go:372 does not call checkDownloadTokenScope. The outer group middleware reqUnitCodeReader checks repository permission but not token scope.\n\nThe API equivalent (/api/v1/repos/{owner}/{repo}/archive/*) IS properly scoped via tokenRequiresScopes(AccessTokenScopeCategoryRepository). The git HTTP endpoints are scoped via CheckRepoScopedToken in httpBase.\n\n## Suggested Fix\n\nAdd checkDownloadTokenScope(ctx) to Download and InitiateDownload in routers/web/repo/repo.go. The function already exists in routers/web/repo/download.go (same package).\n\n## Discovery Method\n\nVariant analysis of PR #37698 \u2014 reviewed all web routes with webAuth.AllowOAuth2 middleware.",
"id": "GHSA-cr4g-f395-h25h",
"modified": "2026-06-16T23:42:04Z",
"published": "2026-06-16T23:42:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-cr4g-f395-h25h"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-gitea/gitea"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gitea: Token scope bypass on web archive download endpoint"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.