CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5550 vulnerabilities reference this CWE, most recent first.
GHSA-F4FW-6M93-MF8V
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-06 00:01In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-198657657
{
"affected": [],
"aliases": [
"CVE-2022-20002"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T16:15:00Z",
"severity": "HIGH"
},
"details": "In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-198657657",
"id": "GHSA-f4fw-6m93-mf8v",
"modified": "2022-04-06T00:01:48Z",
"published": "2022-03-31T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20002"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-12l"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F4GC-MWRG-Q36R
Vulnerability from github – Published: 2026-03-24 09:30 – Updated: 2026-03-26 17:26Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.
This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.
Users are recommended to upgrade to version 2.53.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.artemis:artemis-openwire-protocol"
},
"ranges": [
{
"events": [
{
"introduced": "2.50.0"
},
{
"fixed": "2.53.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.activemq:artemis-openwire-protocol"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.53.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32642"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T17:26:29Z",
"nvd_published_at": "2026-03-24T08:16:01Z",
"severity": "LOW"
},
"details": "Incorrect Authorization (CWE-863)\u00a0vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn\u0027t exist with an authenticated user which has the \"createDurableQueue\" permission but does not have the \"createAddress\" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.\n\nThis issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.\n\nUsers are recommended to upgrade to version 2.53.0, which fixes the issue.",
"id": "GHSA-f4gc-mwrg-q36r",
"modified": "2026-03-26T17:26:29Z",
"published": "2026-03-24T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32642"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/artemis"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/4wlrp31ngq2yb54sf4kjb3bl41t4xgtp"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/20/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol"
}
GHSA-F4GC-PC7J-RFXR
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2024-10-21 15:32By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80.
{
"affected": [],
"aliases": [
"CVE-2020-15664"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-01T19:15:00Z",
"severity": "MODERATE"
},
"details": "By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox \u003c 80, Thunderbird \u003c 78.2, Thunderbird \u003c 68.12, Firefox ESR \u003c 68.12, Firefox ESR \u003c 78.2, and Firefox for Android \u003c 80.",
"id": "GHSA-f4gc-pc7j-rfxr",
"modified": "2024-10-21T15:32:23Z",
"published": "2022-05-24T17:29:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15664"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1658214"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-36"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-37"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-38"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-39"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-40"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-41"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4HQ-CMWG-C83R
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:00In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535676
{
"affected": [],
"aliases": [
"CVE-2021-0680"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T15:15:00Z",
"severity": "MODERATE"
},
"details": "In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535676",
"id": "GHSA-f4hq-cmwg-c83r",
"modified": "2022-07-13T00:00:59Z",
"published": "2022-05-24T19:16:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0680"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-09-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4MM-2R69-MG5F
Vulnerability from github – Published: 2022-10-25 20:21 – Updated: 2023-06-27 21:55Overview
During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.
Am I Affected?
You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 or prior, and your model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’)
How to fix that?
Upgrade to version v0.2.4.
Backward Compatibility
This update is not backward compatible. Any model involving rewritten tupleset relations will no longer be acceptable and has to be modified.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.2.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/openfga/openfga"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39342"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-25T20:21:33Z",
"nvd_published_at": "2022-10-25T17:15:00Z",
"severity": "MODERATE"
},
"details": "### Overview\nDuring our internal security assessment, it was discovered that OpenFGA versions `v0.2.3` and prior are vulnerable to authorization bypass under certain conditions.\n\n### Am I Affected?\nYou are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` or prior, and your model has a relation defined as a tupleset (the right hand side of a \u2018from\u2019 statement) that involves anything other than a direct relationship (e.g. \u2018as self\u2019)\n\n### How to fix that?\nUpgrade to version `v0.2.4`.\n\n### Backward Compatibility\nThis update is not backward compatible.\nAny model involving rewritten tupleset relations will no longer be acceptable and has to be modified.\n ",
"id": "GHSA-f4mm-2r69-mg5f",
"modified": "2023-06-27T21:55:58Z",
"published": "2022-10-25T20:21:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39342"
},
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4"
},
{
"type": "PACKAGE",
"url": "https://github.com/openfga/openfga"
},
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/releases/tag/v0.2.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenFGA Authorization Bypass"
}
GHSA-F4Q6-C8Q7-9MCW
Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765.
{
"affected": [],
"aliases": [
"CVE-2017-3801"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-15T20:59:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765.",
"id": "GHSA-f4q6-c8q7-9mcw",
"modified": "2022-05-13T01:45:54Z",
"published": "2022-05-13T01:45:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3801"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucs"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96235"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037830"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F5C9-GCJW-GHVW
Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2023-07-20 18:33The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users
{
"affected": [],
"aliases": [
"CVE-2022-0164"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-21T11:15:00Z",
"severity": "MODERATE"
},
"details": "The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users",
"id": "GHSA-f5c9-gcjw-ghvw",
"modified": "2023-07-20T18:33:42Z",
"published": "2022-02-22T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0164"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2655973"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/942535f9-73bf-4467-872a-20075f03bc51"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F5M5-9GWG-WJ8V
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack.
{
"affected": [],
"aliases": [
"CVE-2020-19765"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-07T22:15:00Z",
"severity": "HIGH"
},
"details": "An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack.",
"id": "GHSA-f5m5-9gwg-wj8v",
"modified": "2022-05-24T19:13:54Z",
"published": "2022-05-24T19:13:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19765"
},
{
"type": "WEB",
"url": "https://github.com/OSUPlayer/CVEs/blob/master/Reentrancy/2019-07-09-01.md"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F5MF-3R52-R83W
Vulnerability from github – Published: 2026-03-13 20:54 – Updated: 2026-03-13 20:54Summary
OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be accepted by reusing the same display name as an allowlisted group.
Impact
This weakened channel authorization for Zalouser group routing and could allow messages from an unintended group to reach the agent when operators relied on group names instead of stable IDs.
Affected versions
openclaw <= 2026.3.11
Patch
Fixed in openclaw 2026.3.12. Allowlist authorization now matches stable group identifiers, and users should update to 2026.3.12 or later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.11"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-807",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:54:00Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nOpenClaw\u0027s Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based `channels.zalouser.groups` entries together with permissive sender allowlists, a different group could be accepted by reusing the same display name as an allowlisted group.\n\n### Impact\n\nThis weakened channel authorization for Zalouser group routing and could allow messages from an unintended group to reach the agent when operators relied on group names instead of stable IDs.\n\n### Affected versions\n\n`openclaw` `\u003c= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Allowlist authorization now matches stable group identifiers, and users should update to `2026.3.12` or later.",
"id": "GHSA-f5mf-3r52-r83w",
"modified": "2026-03-13T20:54:00Z",
"published": "2026-03-13T20:54:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f5mf-3r52-r83w"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "OpenClaw\u0027s Zalouser allowlist authorization matched mutable group names by default"
}
GHSA-F5MW-92XQ-F4GF
Vulnerability from github – Published: 2025-07-28 15:31 – Updated: 2025-07-28 15:31In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-54569"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T13:15:30Z",
"severity": "MODERATE"
},
"details": "In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation.",
"id": "GHSA-f5mw-92xq-f4gf",
"modified": "2025-07-28T15:31:39Z",
"published": "2025-07-28T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54569"
},
{
"type": "WEB",
"url": "https://www.malwarebytes.com/secure/cves/cve-2025-54569"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.