Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5497 vulnerabilities reference this CWE, most recent first.

GHSA-H457-956R-2PR8

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-06-30 21:31
VLAI
Details

Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the "topic" tag of an unapproved change.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T06:16:14Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect authorization in the \"submitted together\" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the \"topic\" tag of an unapproved change.",
  "id": "GHSA-h457-956r-2pr8",
  "modified": "2026-06-30T21:31:35Z",
  "published": "2026-05-13T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2725"
    },
    {
      "type": "WEB",
      "url": "https://issues.gerritcodereview.com/issues/486131256"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H46X-J644-CW5R

Vulnerability from github – Published: 2025-03-17 12:30 – Updated: 2025-03-17 12:30
VLAI
Details

Broken access control vulnerability in the IcProgress Innovación y Cualificación plugin. This vulnerability allows an attacker to obtain sensitive information about other users such as public IP addresses, messages with other users and more.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-17T10:15:16Z",
    "severity": "MODERATE"
  },
  "details": "Broken access control vulnerability in the IcProgress Innovaci\u00f3n y Cualificaci\u00f3n plugin. This vulnerability allows an attacker to obtain sensitive information about other users such as public IP addresses, messages with other users and more.",
  "id": "GHSA-h46x-j644-cw5r",
  "modified": "2025-03-17T12:30:29Z",
  "published": "2025-03-17T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2201"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H47P-J8F8-W9WX

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-07-13 00:01
VLAI
Details

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-08T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.",
  "id": "GHSA-h47p-j8f8-w9wx",
  "modified": "2022-07-13T00:01:24Z",
  "published": "2022-05-24T19:20:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31602"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/hirt/security/index.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164784/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Authentication-Bypass.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4C3-32JJ-RWXG

Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-22 00:00
VLAI
Details

Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-18T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-h4c3-32jj-rwxg",
  "modified": "2022-08-22T00:00:58Z",
  "published": "2022-08-19T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21140"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00621.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4C6-R2QH-5WVM

Vulnerability from github – Published: 2024-12-03 00:31 – Updated: 2024-12-03 21:31
VLAI
Details

An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default Wi-Fi PSK value via the last 4 octets of the BSSID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-02T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default Wi-Fi PSK value via the last 4 octets of the BSSID.",
  "id": "GHSA-h4c6-r2qh-5wvm",
  "modified": "2024-12-03T21:31:22Z",
  "published": "2024-12-03T00:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/cve/blob/main/Victure/CVE-2024-53941.txt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/cve/blob/main/Victure/Victure_RX1800_Security_Report.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4FW-6R7F-W494

Vulnerability from github – Published: 2026-05-07 21:05 – Updated: 2026-05-07 21:05
VLAI
Summary
Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy
Details

Summary

In version 5.3.0 of the Symfony bundle, Webauthn\Bundle\Policy\ClientOverridePolicy defaulted to allowing all client overrides, including userVerification. A client could send {"userVerification": "discouraged"} in the assertion or attestation options request to override a server-configured userVerification: required, causing the emitted WebAuthn options to instruct the authenticator to skip user verification. The CheckUserVerification ceremony step then read the same downgraded options and skipped its check.

Affected versions

  • Vulnerable: 5.3.0
  • Patched: 5.3.1

5.3.0 was released on 2026-05-01 and 5.3.1 was published roughly 18 hours later, on 2026-05-02. Practical exposure window was minimal.

Note on earlier 5.x versions

Versions 5.0.0 to 5.2.x did not ship ClientOverridePolicy (introduced in 5.3.0), so the exact code path described above does not apply. However, on those versions the ProfileBasedRequestOptionsBuilder and ProfileBasedCreationOptionsBuilder already passed the client-supplied userVerification value directly to the options factory, where the profile value is only applied via ??=. The functional outcome (a client can downgrade userVerification) is the same. The recommended mitigation (see below) applies regardless of the version, and users on 5.0.x – 5.2.x are encouraged to upgrade to 5.3.1 or later.

Severity

This is a defense-in-depth issue rather than a primitive that grants authentication on its own:

  • The attacker must already possess the victim's authenticator (a stolen security key, an unlocked device). Without that, the downgrade is inconsequential.
  • The framework exposes the actual UV outcome on the returned authenticator data (AuthenticatorData::isUserVerified()). Applications that gate sensitive operations on this flag — as documented — remain protected even on the vulnerable version.

Mitigation

Applications gating sensitive operations on user verification MUST re-check the UV flag on the returned authenticator data after a successful ceremony, regardless of what was requested in the options:

if (! $authenticatorData->isUserVerified()) {
    throw new AccessDeniedHttpException('User verification is required.');
}

This is the authoritative signal that user verification actually occurred. The hardened default in 5.3.1 closes the implicit profile-bypass; the application-level check remains the recommended defense in depth and is now documented explicitly in the User Verification guide.

Fix

ClientOverridePolicy::canOverride() now defaults to false instead of true. The Symfony bundle DI configuration ships user_verification overrides as disabled by default, with a default allowed_values list that excludes discouraged even when an operator opts in.

Credit

Reported by @offset.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "web-auth/webauthn-framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T21:05:33Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\nIn version 5.3.0 of the Symfony bundle, `Webauthn\\Bundle\\Policy\\ClientOverridePolicy` defaulted to allowing all client overrides, including `userVerification`. A client could send `{\"userVerification\": \"discouraged\"}` in the assertion or attestation options request to override a server-configured `userVerification: required`, causing the emitted WebAuthn options to instruct the authenticator to skip user verification. The `CheckUserVerification` ceremony step then read the same downgraded options and skipped its check.\n\n## Affected versions\n\n- **Vulnerable**: 5.3.0\n- **Patched**: 5.3.1\n\n5.3.0 was released on 2026-05-01 and 5.3.1 was published roughly 18 hours later, on 2026-05-02. Practical exposure window was minimal.\n\n## Note on earlier 5.x versions\n\nVersions 5.0.0 to 5.2.x did not ship `ClientOverridePolicy` (introduced in 5.3.0), so the exact code path described above does not apply. However, on those versions the `ProfileBasedRequestOptionsBuilder` and `ProfileBasedCreationOptionsBuilder` already passed the client-supplied `userVerification` value directly to the options factory, where the profile value is only applied via `??=`. The functional outcome (a client can downgrade `userVerification`) is the same. The recommended mitigation (see below) applies regardless of the version, and users on 5.0.x \u2013 5.2.x are encouraged to upgrade to 5.3.1 or later.\n\n## Severity\n\nThis is a **defense-in-depth** issue rather than a primitive that grants authentication on its own:\n\n- The attacker must already possess the victim\u0027s authenticator (a stolen security key, an unlocked device). Without that, the downgrade is inconsequential.\n- The framework exposes the actual UV outcome on the returned authenticator data (`AuthenticatorData::isUserVerified()`). Applications that gate sensitive operations on this flag \u2014 as documented \u2014 remain protected even on the vulnerable version.\n\n## Mitigation\n\nApplications gating sensitive operations on user verification MUST re-check the `UV` flag on the returned authenticator data after a\nsuccessful ceremony, regardless of what was requested in the options:\n\n```php\nif (! $authenticatorData-\u003eisUserVerified()) {\n    throw new AccessDeniedHttpException(\u0027User verification is required.\u0027);\n}\n```\n\nThis is the authoritative signal that user verification actually occurred. The hardened default in 5.3.1 closes the implicit profile-bypass; the application-level check remains the recommended defense in depth and is now documented explicitly in the\n[User Verification](https://webauthn-doc.spomky-labs.com/webauthn-in-a-nutshell/user-verification#checking-the-uv-flag) guide.\n\n## Fix\n\n`ClientOverridePolicy::canOverride()` now defaults to `false` instead of `true`. The Symfony bundle DI configuration ships `user_verification` overrides as **disabled by default**, with a default `allowed_values` list that excludes `discouraged` even when an operator opts in.\n\n## Credit\n\nReported by @offset.",
  "id": "GHSA-h4fw-6r7f-w494",
  "modified": "2026-05-07T21:05:33Z",
  "published": "2026-05-07T21:05:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-h4fw-6r7f-w494"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/web-auth/webauthn-framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy"
}

GHSA-H4HQ-RGVH-WH27

Vulnerability from github – Published: 2026-03-04 20:13 – Updated: 2026-03-04 20:13
VLAI
Summary
Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role
Details

Summary

Testing confirmed that even when a Manager has manage=false for a given collection, they can still perform the following management operations as long as they have access to the collection:

  • PUT /api/organizations/<org_id>/collections/<col_id> succeeds (HTTP 200)
  • PUT /api/organizations/<org_id>/collections/<col_id>/users succeeds (HTTP 200)
  • DELETE /api/organizations/<org_id>/collections/<col_id> succeeds (HTTP 200)

Description

  • The Manager guard checks only whether the user can access the collection, not whether they have manage privileges. This check is directly applied to management endpoints. src/auth.rs:816 ```rust

if !Collection::can_access_collection(&headers.membership, &col_id, &conn).await { err_handler!("The current user isn't a manager for this collection") } ```

  • The can_access_collection function does not evaluate the manage flag. src/db/models/collection.rs:140

```rust

pub async fn can_access_collection(member: &Membership, col_id: &CollectionId, conn: &DbConn) -> bool { member.has_status(MembershipStatus::Confirmed) && (member.has_full_access() || CollectionUser::has_access_to_collection_by_user(col_id, &member.user_uuid, conn).await || ... ```

  • A separate management-permission check exists and includes manage validation, but it is not used during authorization for the affected endpoints. src/db/models/collection.rs:516

```rust

pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool { let Some(member) = Membership::find_confirmed_by_user_and_org(user_uuid, &self.org_uuid, conn).await else { return false; }; if member.has_full_access() { return true; } ... ```

  • The actual update and deletion endpoints only accept ManagerHeaders and do not perform additional manage checks. src/api/core/organizations.rs:608
  async fn put_organization_collection_update(..., headers: ManagerHeaders, ...)

src/api/core/organizations.rs:890

  async fn put_collection_users(..., headers: ManagerHeaders, ...)

src/api/core/organizations.rs:747

rust async fn delete_organization_collection(..., headers: ManagerHeaders, ...)

Preconditions

  • The attacker is a Manager within the target organization.
  • The attacker has access to the target collection (assigned=true).
  • The attacker’s permission for that collection is manage=false.
  • A valid API access token has been obtained.

Steps to Reproduce

  1. Confirm that the attacker’s current permissions for the target collection include manage=false. image

  2. As a control test, verify that update operations fail for collections the attacker cannot access. image

  3. Confirm that update operations succeed for the target collection where manage=false. image

  4. Use PUT /collections/{col_id}/users to set manage=true, confirming that the attacker can escalate their own privileges. image

  5. Verify that deletion of the collection succeeds despite the Manager lacking management rights. image

Required Minimum Privileges

  • Organization Manager role (Owner/Admin privileges are not required)
  • Works even with access_all=false
  • Only access rights to the target collection are required (manage privilege is not required)

Attack Scenario

A restricted Manager (intended for read/use-only access) directly invokes the API to update collection settings, elevate their own privileges to manage=true, and even delete the collection.

This allows the user to bypass operational access restrictions and effectively gain administrator-equivalent control over the collection.

Potential Impact

  • Confidentiality: Expansion of access scope through unauthorized privilege escalation and configuration changes.
  • Integrity: Unauthorized modification of collection settings and assignments; potential disabling of access controls.
  • Availability: Deletion of collections may disrupt business operations.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.35.3"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "vaultwarden"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.35.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:13:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nTesting confirmed that even when a Manager has `manage=false` for a given collection, they can still perform the following management operations as long as they have access to the collection:\n\n* `PUT /api/organizations/\u003corg_id\u003e/collections/\u003ccol_id\u003e` succeeds (HTTP 200)\n* `PUT /api/organizations/\u003corg_id\u003e/collections/\u003ccol_id\u003e/users` succeeds (HTTP 200)\n* `DELETE /api/organizations/\u003corg_id\u003e/collections/\u003ccol_id\u003e` succeeds (HTTP 200)\n\n\n\n## Description\n\n* The Manager guard checks only whether the user **can access the collection**, not whether they have `manage` privileges. This check is directly applied to management endpoints.\nsrc/auth.rs:816\n  ```rust\n\n  if !Collection::can_access_collection(\u0026headers.membership, \u0026col_id, \u0026conn).await {\n      err_handler!(\"The current user isn\u0027t a manager for this collection\")\n  }\n  ```\n\n* The `can_access_collection` function does **not** evaluate the `manage` flag.\n  src/db/models/collection.rs:140\n\n  ```rust\n\n  pub async fn can_access_collection(member: \u0026Membership, col_id: \u0026CollectionId, conn: \u0026DbConn) -\u003e bool {\n      member.has_status(MembershipStatus::Confirmed)\n          \u0026\u0026 (member.has_full_access()\n              || CollectionUser::has_access_to_collection_by_user(col_id, \u0026member.user_uuid, conn).await\n              || ...\n  ```\n\n* A separate management-permission check exists and includes `manage` validation, but it is **not used** during authorization for the affected endpoints.\n  src/db/models/collection.rs:516\n\n  ```rust\n\n  pub async fn is_manageable_by_user(\u0026self, user_uuid: \u0026UserId, conn: \u0026DbConn) -\u003e bool {\n      let Some(member) = Membership::find_confirmed_by_user_and_org(user_uuid, \u0026self.org_uuid, conn).await else {\n          return false;\n      };\n      if member.has_full_access() {\n          return true;\n      }\n      ...\n  ```\n\n* The actual update and deletion endpoints only accept `ManagerHeaders` and do not perform additional `manage` checks.\n  src/api/core/organizations.rs:608\n\n```rust\n  async fn put_organization_collection_update(..., headers: ManagerHeaders, ...)\n```\n\n  src/api/core/organizations.rs:890\n\n```rust\n  async fn put_collection_users(..., headers: ManagerHeaders, ...)\n```\n  \n\nsrc/api/core/organizations.rs:747\n\n```rust\n  async fn delete_organization_collection(..., headers: ManagerHeaders, ...)\n  ```\n\n\n\n## Preconditions\n\n* The attacker is a **Manager** within the target organization.\n* The attacker has access to the target collection (`assigned=true`).\n* The attacker\u2019s permission for that collection is `manage=false`.\n* A valid API access token has been obtained.\n\n\n\n## Steps to Reproduce\n\n1. Confirm that the attacker\u2019s current permissions for the target collection include `manage=false`.\n\u003cimg width=\"2015\" height=\"636\" alt=\"image\" src=\"https://github.com/user-attachments/assets/58ddc733-e37c-4766-a980-b1ea1918ceb4\" /\u003e\n\n2. As a control test, verify that update operations fail for collections the attacker cannot access.\n\u003cimg width=\"2021\" height=\"852\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d8699442-2dfc-4d73-8940-ec10f4a175f0\" /\u003e\n\n3. Confirm that update operations succeed for the target collection where `manage=false`.\n\u003cimg width=\"2013\" height=\"690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/33d9845d-d18e-456c-a58c-e780911347a9\" /\u003e\n\n4. Use `PUT /collections/{col_id}/users` to set `manage=true`, confirming that the attacker can escalate their own privileges.\n\u003cimg width=\"2018\" height=\"488\" alt=\"image\" src=\"https://github.com/user-attachments/assets/da8c5246-cf2a-46c2-9a25-e99d907f852d\" /\u003e\n\n5. Verify that deletion of the collection succeeds despite the Manager lacking management rights.\n\u003cimg width=\"2018\" height=\"487\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a97c8fb2-4f97-4c2a-a90b-9d95dbde84fd\" /\u003e\n\n\n\n## Required Minimum Privileges\n\n* Organization Manager role (Owner/Admin privileges are not required)\n* Works even with `access_all=false`\n* Only access rights to the target collection are required (`manage` privilege is not required)\n\n\n\n## Attack Scenario\n\nA restricted Manager (intended for read/use-only access) directly invokes the API to update collection settings, elevate their own privileges to `manage=true`, and even delete the collection.\n\nThis allows the user to bypass operational access restrictions and effectively gain administrator-equivalent control over the collection.\n\n\n\n## Potential Impact\n\n* **Confidentiality:** Expansion of access scope through unauthorized privilege escalation and configuration changes.\n* **Integrity:** Unauthorized modification of collection settings and assignments; potential disabling of access controls.\n* **Availability:** Deletion of collections may disrupt business operations.",
  "id": "GHSA-h4hq-rgvh-wh27",
  "modified": "2026-03-04T20:13:44Z",
  "published": "2026-03-04T20:13:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dani-garcia/vaultwarden"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vaultwarden\u0027s Collection Management Operations Allowed Without `manage` Verification for Manager Role"
}

GHSA-H4JX-HJR3-FHGC

Vulnerability from github – Published: 2026-03-29 15:49 – Updated: 2026-04-18 00:44
VLAI
Summary
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
Details

Summary

Gateway Plugin Subagent Fallback deleteSession Uses Synthetic operator.admin

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Gateway plugin subagent fallback deleteSession previously dispatched sessions.delete with a synthetic operator.admin runtime scope when no request-scoped client existed. Commit b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7 binds deletion to the caller scope instead of minting admin scope.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7.

Fix Commit(s)

  • b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-648",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:49:34Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nGateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nGateway plugin subagent fallback `deleteSession` previously dispatched `sessions.delete` with a synthetic `operator.admin` runtime scope when no request-scoped client existed. Commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7` binds deletion to the caller scope instead of minting admin scope.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`.\n\n## Fix Commit(s)\n\n- `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`",
  "id": "GHSA-h4jx-hjr3-fhgc",
  "modified": "2026-04-18T00:44:19Z",
  "published": "2026-03-29T15:49:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`"
}

GHSA-H4QV-P2J9-74CQ

Vulnerability from github – Published: 2026-06-16 06:30 – Updated: 2026-06-16 06:30
VLAI
Details

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T06:16:58Z",
    "severity": "MODERATE"
  },
  "details": "The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.",
  "id": "GHSA-h4qv-p2j9-74cq",
  "modified": "2026-06-16T06:30:24Z",
  "published": "2026-06-16T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5149"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/rometheme-for-elementor/trunk/Inc/Modules/Submission/SubmissionModule.php#L22"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/rometheme-for-elementor/trunk/Inc/Modules/Submission/SubmissionModule.php#L29"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3568335/rometheme-for-elementor/trunk/Inc/Modules/Submission/SubmissionModule.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Frometheme-for-elementor/tags/2.0.7\u0026new_path=%2Frometheme-for-elementor/tags/2.0.8"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1fe363b2-8c70-45cd-9fdc-8979f894efd8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4RF-98JG-F337

Vulnerability from github – Published: 2022-11-18 00:30 – Updated: 2022-11-22 18:30
VLAI
Details

Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-17T22:15:00Z",
    "severity": "LOW"
  },
  "details": "Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.",
  "id": "GHSA-h4rf-98jg-f337",
  "modified": "2022-11-22T18:30:14Z",
  "published": "2022-11-18T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42903"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/support-center/cve-2022-42903.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.