Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5504 vulnerabilities reference this CWE, most recent first.

GHSA-J44J-CRFP-MCPR

Vulnerability from github – Published: 2024-09-04 06:30 – Updated: 2024-09-04 06:30
VLAI
Details

Improper authorization in My Files prior to SMR Sep-2024 Release 1 allows local attackers to access restricted data in My Files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-04T06:15:14Z",
    "severity": "MODERATE"
  },
  "details": "Improper authorization in My Files prior to SMR Sep-2024 Release 1 allows local attackers to access restricted data in My Files.",
  "id": "GHSA-j44j-crfp-mcpr",
  "modified": "2024-09-04T06:30:41Z",
  "published": "2024-09-04T06:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34651"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024\u0026month=09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J48Q-3J3C-39FR

Vulnerability from github – Published: 2026-07-14 00:31 – Updated: 2026-07-14 00:31
VLAI
Details

OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in Discord guild actions that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip cross-provider requester authorization and execute restricted operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-62192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T22:16:50Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in Discord guild actions that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip cross-provider requester authorization and execute restricted operations.",
  "id": "GHSA-j48q-3j3c-39fr",
  "modified": "2026-07-14T00:31:03Z",
  "published": "2026-07-14T00:31:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3pmr-x9g8-m55r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62192"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J4C9-W69R-CW33

Vulnerability from github – Published: 2026-03-29 15:50 – Updated: 2026-04-10 19:43
VLAI
Summary
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
Details

Summary

Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Telegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit 269282ac69ab6030d5f30d04822668f607f13065 enforces DM authorization for callbacks.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit 269282ac69ab6030d5f30d04822668f607f13065.

Fix Commit(s)

  • 269282ac69ab6030d5f30d04822668f607f13065
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-288",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:50:23Z",
    "nvd_published_at": "2026-04-10T17:17:07Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nTelegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nTelegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit `269282ac69ab6030d5f30d04822668f607f13065` enforces DM authorization for callbacks.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `269282ac69ab6030d5f30d04822668f607f13065`.\n\n## Fix Commit(s)\n\n- `269282ac69ab6030d5f30d04822668f607f13065`",
  "id": "GHSA-j4c9-w69r-cw33",
  "modified": "2026-04-10T19:43:56Z",
  "published": "2026-03-29T15:50:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35661"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State"
}

GHSA-J4MQ-R3JM-4C8P

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01
VLAI
Details

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to download unauthorized files through the dashboard user interface. IBM X-Force ID: 202213.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to download unauthorized files through the dashboard user interface. IBM X-Force ID: 202213.",
  "id": "GHSA-j4mq-r3jm-4c8p",
  "modified": "2022-07-13T00:01:17Z",
  "published": "2022-05-24T19:16:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29760"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/202213"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6495969"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4MW-H6W4-XH6G

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-07-13 00:00
VLAI
Details

In the Settings app, there is a possible way to disable an always-on VPN due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-179975048

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-21T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "In the Settings app, there is a possible way to disable an always-on VPN due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-179975048",
  "id": "GHSA-j4mw-h6w4-xh6g",
  "modified": "2022-07-13T00:00:59Z",
  "published": "2022-05-24T19:05:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0505"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4Q7-RGMR-C632

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:35
VLAI
Details

Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.   

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \u00a0\u00a0\n\n",
  "id": "GHSA-j4q7-rgmr-c632",
  "modified": "2024-04-04T05:35:59Z",
  "published": "2023-07-06T19:24:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43770"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4X5-Q399-5W69

Vulnerability from github – Published: 2022-03-15 00:00 – Updated: 2022-03-23 00:00
VLAI
Details

IBM Data Virtualization on Cloud Pak for Data 1.3.0, 1.4.1, 1.5.0, 1.7.1 and 1.7.3 could allow an authorized user to bypass data masking rules and obtain sensitve information. IBM X-Force ID: 212620.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-14T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Data Virtualization on Cloud Pak for Data 1.3.0, 1.4.1, 1.5.0, 1.7.1 and 1.7.3 could allow an authorized user to bypass data masking rules and obtain sensitve information. IBM X-Force ID: 212620.",
  "id": "GHSA-j4x5-q399-5w69",
  "modified": "2022-03-23T00:00:48Z",
  "published": "2022-03-15T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38971"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/212620"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6551076"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4XF-96QF-RX69

Vulnerability from github – Published: 2026-03-03 21:41 – Updated: 2026-03-30 13:16
VLAI
Summary
OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
Details

Summary

Feishu allowlist authorization could be bypassed by display-name collision.

Details

channels.feishu.allowFrom is documented as an ID-based allowlist (open_id list), but Feishu policy matching accepted mutable sender display names in the same namespace. An attacker could set a display name equal to an allowlisted ID string and pass authorization checks.

The fix enforces ID-only matching for Feishu allowlist checks, normalizes Feishu ID prefixes during comparison, and ignores mutable display names for authorization.

Impact

Deployments using Feishu allowlist-based authorization could incorrectly authorize non-allowlisted senders when a colliding display name was used.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version at triage time: 2026.2.21-2
  • Affected range: <= 2026.2.21-2
  • Planned patched version: >= 2026.2.22

Fix Commit(s)

  • 4ed87a667263ed2d422b9d5d5a5d326e099f92c7

Release Process Note

patched_versions is pre-set to the planned next release (>= 2026.2.22) so the advisory is ready to publish once that npm release is available.

OpenClaw thanks @jiseoung for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:41:38Z",
    "nvd_published_at": "2026-03-19T22:16:36Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nFeishu allowlist authorization could be bypassed by display-name collision.\n\n### Details\n\n`channels.feishu.allowFrom` is documented as an ID-based allowlist (open_id list), but Feishu policy matching accepted mutable sender display names in the same namespace. An attacker could set a display name equal to an allowlisted ID string and pass authorization checks.\n\nThe fix enforces ID-only matching for Feishu allowlist checks, normalizes Feishu ID prefixes during comparison, and ignores mutable display names for authorization.\n\n### Impact\n\nDeployments using Feishu allowlist-based authorization could incorrectly authorize non-allowlisted senders when a colliding display name was used.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published version at triage time: `2026.2.21-2`\n- Affected range: `\u003c= 2026.2.21-2`\n- Planned patched version: `\u003e= 2026.2.22`\n\n### Fix Commit(s)\n\n- `4ed87a667263ed2d422b9d5d5a5d326e099f92c7`\n\n### Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`\u003e= 2026.2.22`) so the advisory is ready to publish once that npm release is available.\n\nOpenClaw thanks @jiseoung for reporting.",
  "id": "GHSA-j4xf-96qf-rx69",
  "modified": "2026-03-30T13:16:06Z",
  "published": "2026-03-03T21:41:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32021"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-display-name-collision-in-feishu-allowfrom"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has a Feishu allowFrom authorization bypass via display-name collision"
}

GHSA-J57F-643J-P8RF

Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Improper access control in the Intel(R) RealSense(TM) DCM before version 20210625 may allow an authenticated user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control in the Intel(R) RealSense(TM) DCM before version 20210625 may allow an authenticated user to potentially enable information disclosure via local access.",
  "id": "GHSA-j57f-643j-p8rf",
  "modified": "2022-07-13T00:01:25Z",
  "published": "2022-02-11T00:00:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33119"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00588.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J59M-QF5R-W9HR

Vulnerability from github – Published: 2023-09-04 12:30 – Updated: 2024-04-04 07:26
VLAI
Details

The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-04T12:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses.",
  "id": "GHSA-j59m-qf5r-w9hr",
  "modified": "2024-04-04T07:26:08Z",
  "published": "2023-09-04T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4269"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/db3e4336-117c-47f2-9b43-2ca115525297"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.