CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5537 vulnerabilities reference this CWE, most recent first.
GHSA-FVQW-WG8V-HMCW
Vulnerability from github – Published: 2024-06-10 21:30 – Updated: 2026-04-02 21:31This issue was addressed with improved permissions checking. This issue is fixed in macOS Sonoma 14.5, iOS 17.5 and iPadOS 17.5. A malicious app may be able to gain root privileges.
{
"affected": [],
"aliases": [
"CVE-2024-27848"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-10T21:15:51Z",
"severity": "HIGH"
},
"details": "This issue was addressed with improved permissions checking. This issue is fixed in macOS Sonoma 14.5, iOS 17.5 and iPadOS 17.5. A malicious app may be able to gain root privileges.",
"id": "GHSA-fvqw-wg8v-hmcw",
"modified": "2026-04-02T21:31:46Z",
"published": "2024-06-10T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27848"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120903"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120905"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214101"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214106"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214101"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214106"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FW62-7JCP-752G
Vulnerability from github – Published: 2025-11-11 21:30 – Updated: 2025-11-11 21:30Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK.
{
"affected": [],
"aliases": [
"CVE-2025-61830"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T19:15:35Z",
"severity": "HIGH"
},
"details": "Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK.",
"id": "GHSA-fw62-7jcp-752g",
"modified": "2025-11-11T21:30:27Z",
"published": "2025-11-11T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61830"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/pass/apsb25-112.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FWCM-GWWR-6JW8
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.
{
"affected": [],
"aliases": [
"CVE-2020-28050"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-05T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.",
"id": "GHSA-fwcm-gwwr-6jw8",
"modified": "2022-05-24T17:43:43Z",
"published": "2022-05-24T17:43:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28050"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/desktop-central/cve-2020-28050.html"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/desktop-central/fixing-multiple-vulnerabilities.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FWCM-RQVW-J3P7
Vulnerability from github – Published: 2026-05-26 23:41 – Updated: 2026-05-26 23:41Summary
An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.
### Details The issue is caused by the combination of these code paths:
server/api/apikeys/verify-api-or-token.js:45sends requests withoutx-api-keytoauthJwt.verifyToken(req, res, next).server/api/jwt-helper.js:46-64creates a signed guest token when nox-access-tokenis provided:if (!token) { token = getGuestToken(); }and then populatesreq.userId/req.userGroupsfrom that guest token.server/api/command/index.js:76-105exposes/api/getTagValue.server/runtime/scripts/index.js:106-111returnstruewhen the referenced script does not exist:if (!script) { return true; }
As a result, an unauthenticated request reaches /api/getTagValue as guest, and the authorization check is bypassed because isAuthorisedByScriptName() returns true when sourceScriptName is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID.
### PoC
Requests to /api/getTagValue without authentication could succeed when the authorization logic evaluated a non-existent sourceScriptName as authorized.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fuxa-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.0"
]
}
],
"aliases": [
"CVE-2026-43946"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-26T23:41:45Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.\n\n ### Details\n The issue is caused by the combination of these code paths:\n\n - `server/api/apikeys/verify-api-or-token.js:45` sends requests without `x-api-key` to `authJwt.verifyToken(req, res, next)`.\n - `server/api/jwt-helper.js:46-64` creates a signed guest token when no `x-access-token` is provided:\n `if (!token) { token = getGuestToken(); }`\n and then populates `req.userId` / `req.userGroups` from that guest token.\n - `server/api/command/index.js:76-105` exposes `/api/getTagValue`.\n - `server/runtime/scripts/index.js:106-111` returns `true` when the referenced script does not exist:\n `if (!script) { return true; }`\n\n As a result, an unauthenticated request reaches `/api/getTagValue` as `guest`, and the authorization check is bypassed because `isAuthorisedByScriptName()` returns `true` when `sourceScriptName` is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID.\n\n ### PoC\n\nRequests to /api/getTagValue without authentication could succeed when the authorization logic evaluated a non-existent sourceScriptName as authorized.",
"id": "GHSA-fwcm-rqvw-j3p7",
"modified": "2026-05-26T23:41:45Z",
"published": "2026-05-26T23:41:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-fwcm-rqvw-j3p7"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/pull/2260"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/commit/78534da61a91613712b44bb63c8d7da8c5df5ca4"
},
{
"type": "PACKAGE",
"url": "https://github.com/frangoteam/FUXA"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue"
}
GHSA-FWH6-GC6C-W62Q
Vulnerability from github – Published: 2025-11-12 18:31 – Updated: 2025-11-12 18:31Fujitsu iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.
{
"affected": [],
"aliases": [
"CVE-2025-65002"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T18:15:36Z",
"severity": "HIGH"
},
"details": "Fujitsu iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.",
"id": "GHSA-fwh6-gc6c-w62q",
"modified": "2025-11-12T18:31:26Z",
"published": "2025-11-12T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65002"
},
{
"type": "WEB",
"url": "https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-ISS-2025-082610-Security-Notice.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FWJQ-XWFJ-GV75
Vulnerability from github – Published: 2026-04-07 18:11 – Updated: 2026-04-07 18:11Summary
session_status still bypasses configured tools.sessions.visibility for unsandboxed invocations
Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
4d369a3400dc9b737fbe8daa63f09d909ce7beb8— 2026-03-30T16:48:12+02:00
Release Process Note
- The fix is already present in released version
2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
Thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T18:11:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n`session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d369a3400dc9b737fbe8daa63f09d909ce7beb8` \u2014 2026-03-30T16:48:12+02:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @tdjackey for reporting.",
"id": "GHSA-fwjq-xwfj-gv75",
"modified": "2026-04-07T18:11:09Z",
"published": "2026-04-07T18:11:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fwjq-xwfj-gv75"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/4d369a3400dc9b737fbe8daa63f09d909ce7beb8"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations "
}
GHSA-FWWQ-FJFJ-33CG
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have a race condition for RBAC bypass.
{
"affected": [],
"aliases": [
"CVE-2019-14711"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-23T05:15:00Z",
"severity": "HIGH"
},
"details": "Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have a race condition for RBAC bypass.",
"id": "GHSA-fwwq-fjfj-33cg",
"modified": "2022-05-24T17:31:54Z",
"published": "2022-05-24T17:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14711"
},
{
"type": "WEB",
"url": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-20"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FX79-9VH5-XX87
Vulnerability from github – Published: 2024-12-26 12:30 – Updated: 2024-12-26 12:30Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.
{
"affected": [],
"aliases": [
"CVE-2024-47157"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-26T12:15:07Z",
"severity": "LOW"
},
"details": "Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.",
"id": "GHSA-fx79-9vh5-xx87",
"modified": "2024-12-26T12:30:45Z",
"published": "2024-12-26T12:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47157"
},
{
"type": "WEB",
"url": "https://www.honor.com/global/security/cve-2024-47157"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FX8Q-7873-HXRQ
Vulnerability from github – Published: 2026-02-08 09:30 – Updated: 2026-02-08 09:30A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-2141"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-08T08:15:52Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-fx8q-7873-hxrq",
"modified": "2026-02-08T09:30:15Z",
"published": "2026-02-08T09:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2141"
},
{
"type": "WEB",
"url": "https://github.com/SourByte05/SourByte-Lab/issues/8"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344776"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344776"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.747264"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FXC7-FM93-6Q77
Vulnerability from github – Published: 2026-05-05 22:22 – Updated: 2026-05-13 16:28Impact
Authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal.
Patches
Upgrade to version 26.4.2
Resources
https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.arcadedb:arcadedb-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44221"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T22:22:22Z",
"nvd_published_at": "2026-05-12T20:16:43Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAuthenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {\"command\":\"create database X\"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal.\n\n### Patches\nUpgrade to version 26.4.2\n\n### Resources\n\nhttps://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8",
"id": "GHSA-fxc7-fm93-6q77",
"modified": "2026-05-13T16:28:38Z",
"published": "2026-05-05T22:22:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44221"
},
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8"
},
{
"type": "PACKAGE",
"url": "https://github.com/ArcadeData/arcadedb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.