CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-V7Q8-5286-XFVF
Vulnerability from github – Published: 2025-12-19 00:31 – Updated: 2025-12-19 00:31Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries.
{
"affected": [],
"aliases": [
"CVE-2025-68422"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T23:15:49Z",
"severity": "MODERATE"
},
"details": "Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries.",
"id": "GHSA-v7q8-5286-xfvf",
"modified": "2025-12-19T00:31:42Z",
"published": "2025-12-19T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68422"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-39/384187"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V7XW-HR75-RM43
Vulnerability from github – Published: 2023-03-08 21:30 – Updated: 2025-03-05 21:31There exists a privilege escalation vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by authorized users to reset passwords for other accounts.
{
"affected": [],
"aliases": [
"CVE-2023-22891"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-08T21:15:00Z",
"severity": "HIGH"
},
"details": "There exists a privilege escalation vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by authorized users to reset passwords for other accounts.",
"id": "GHSA-v7xw-hr75-rm43",
"modified": "2025-03-05T21:31:59Z",
"published": "2023-03-08T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22891"
},
{
"type": "WEB",
"url": "https://smartbear.com/security/cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V845-M469-P8W3
Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2025-10-15 15:30In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. This vulnerability is due to the backend's failure to validate project identifiers against the current user's organization ID and projects belonging to it, as well as a misconfiguration in attribute naming (org_id should be orgId) that prevents proper user organization validation. As a result, attackers can cause inconsistencies on the platform for affected users and organizations, including unauthorized privilege escalation. The issue is present in the backend API endpoints for user invitation and modification, specifically in the handling of project IDs in requests.
{
"affected": [],
"aliases": [
"CVE-2024-5714"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-27T19:15:15Z",
"severity": "HIGH"
},
"details": "In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. This vulnerability is due to the backend\u0027s failure to validate project identifiers against the current user\u0027s organization ID and projects belonging to it, as well as a misconfiguration in attribute naming (`org_id` should be `orgId`) that prevents proper user organization validation. As a result, attackers can cause inconsistencies on the platform for affected users and organizations, including unauthorized privilege escalation. The issue is present in the backend API endpoints for user invitation and modification, specifically in the handling of project IDs in requests.",
"id": "GHSA-v845-m469-p8w3",
"modified": "2025-10-15T15:30:19Z",
"published": "2024-06-27T21:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5714"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/43206bacac3b43ad9f2db6dafd165e61a21e6b97"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8cff4afa-131b-4a7e-9f0d-8a3c69f3d024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V847-HXXW-3PXG
Vulnerability from github – Published: 2026-06-18 13:53 – Updated: 2026-06-18 13:53PraisonAI recipe.run_stream() skips dangerous-tool policy enforcement
Summary
PraisonAI recipe execution blocks default-denied dangerous tools unless the
caller explicitly passes allow_dangerous_tools=True. The normal recipe.run()
path enforces this with _check_tool_policy(). The streaming path,
recipe.run_stream(), loads the same recipe, checks dependencies, and then
calls _execute_recipe() without running the dangerous-tool policy check.
As a result, a recipe that honestly declares execute_command in
TEMPLATE.yaml requires.tools is denied by recipe.run(), but reaches the
execution engine through recipe.run_stream() with
allow_dangerous_tools=False.
The local PoV uses a harmless printf canary, explicitly unsets
PRAISONAI_AUTO_APPROVE, and avoids network access.
Affected Product
- Repository:
MervinPraison/PraisonAI - Package:
praisonai - Components:
src/praisonai/praisonai/recipe/core.pysrc/praisonai/praisonai/recipe/serve.pysrc/praisonai/praisonai/cli/features/recipe.pysrc/praisonai-agents/praisonaiagents/workflows/yaml_parser.pysrc/praisonai-agents/praisonaiagents/workflows/workflows.py
Validated affected:
- current main
2f9677abb2ea68eab864ee8b6a828fd0141612e1(v4.6.57-4-g2f9677ab) v4.6.57v4.6.56v4.6.10v4.6.9v4.5.128v4.5.120v4.5.96v4.5.87
Suggested affected range: >= 4.5.87, <= 4.6.57.
PyPI lists PraisonAI 4.6.57 as the latest release on 2026-06-13.
Earlier tested tags through v4.5.85 failed in this source checkout before the
tested workflow path due an unrelated praisonaiagents.output.models import
error. They are not claimed fixed or unaffected.
Root Cause
recipe.run() enforces the dangerous-tool gate:
if not options.get("allow_dangerous_tools", False):
policy_error = _check_tool_policy(recipe_config)
if policy_error:
return RecipeResult(..., status=RecipeStatus.POLICY_DENIED, ...)
recipe.run_stream() has a sibling execution path. It loads the recipe and
checks dependencies, but then goes directly to execution:
recipe_config = _load_recipe(name, offline=options.get("offline", False))
...
output = _execute_recipe(recipe_config, merged_config, session_id, options)
There is no equivalent _check_tool_policy() call in run_stream() before
execution or before the dry-run shortcut.
The CLI exposes this path via praisonai recipe run <recipe> --stream, and the
recipe HTTP server exposes it as POST /v1/recipes/stream.
Why This Is Not Intended Behavior
The normal recipe path clearly treats declared dangerous tools as denied by
default. A control recipe with TEMPLATE.yaml requires.tools:
[execute_command] returns:
Tool 'execute_command' is denied by default. Use allow_dangerous_tools=True to override.
That operator-facing override should not depend on whether the caller requests streaming output. PraisonAI's own docs describe approval as requiring a human or configured channel before risky tools run, describe security environment variables as opt-in access for dangerous operations with secure defaults, and describe policy controls as blocking dangerous operations.
This is distinct from the prior report PRAI-CAND-011:
PRAI-CAND-011covers workflow tool declarations that are omitted fromTEMPLATE.yaml requires.tools.- This report covers a sibling entrypoint that skips the policy check even when
TEMPLATE.yamlcorrectly declares the dangerous tool.
It is also distinct from the published Recipe-server authentication fail-open advisory. That advisory covers missing authentication secrets. This report assumes the attacker has whatever access is already needed to invoke recipe streaming and focuses on the missing dangerous-tool policy guard.
Local PoV
Run:
python3 poc/pov_prai_cand_012_stream_policy_bypass.py
Expected output includes:
{
"ok": true,
"policy_error": "Tool 'execute_command' is denied by default. Use allow_dangerous_tools=True to override.",
"control_recipe_status": "policy_denied",
"execution_reached": [
{
"recipe": "declared-dangerous-stream",
"declared_required_tools": ["execute_command"],
"allow_dangerous_tools": false
}
],
"workflow_approve_tools": ["execute_command"],
"runner_tool_names": ["execute_command"],
"command_stdout": "PRAI-CAND-012-CANARY",
"operator_env_auto_approve": null
}
The PoV creates a temporary recipe that declares execute_command in
TEMPLATE.yaml requires.tools.
Control:
recipe.run(..., options={"force": True})returnspolicy_denied.
Bypass:
recipe.run_stream(..., options={"force": True})emits theexecutingevent and reaches_execute_recipe()whileallow_dangerous_toolsremains false.- The same recipe workflow resolves
execute_commandand preservesapprove: [execute_command]. - With the workflow approval context installed, the resolved tool runs the
harmless local command
printf PRAI-CAND-012-CANARY.
The PoV monkey-patches _execute_recipe() only to prove that
run_stream() crosses the policy boundary without invoking an LLM. The command
canary is executed directly through the same resolved workflow tool and
approval context to keep the proof deterministic and local-only.
Impact
If an operator runs an untrusted recipe through streaming mode, or exposes the
recipe streaming API to users who can choose recipe names or URIs, the recipe
can reach execution with default-denied tools even though the caller did not
set allow_dangerous_tools=True.
If the workflow reaches the approved execute_command tool call, commands run
with the privileges of the PraisonAI process. The exact trigger depends on the
workflow and model/tool-call path, but the dangerous-tool policy boundary is
already bypassed before execution.
The HTTP recipe sidecar is documented as a localhost REST API with SSE
streaming and optional API-key/JWT authentication. This report does not claim
default unauthenticated network RCE. In authenticated or exposed sidecar
deployments where lower-trust users can invoke /v1/recipes/stream, the same
policy gap can become a remote recipe-execution issue.
Suggested Fix
Centralize recipe preflight enforcement so every execution mode uses the same guard:
- Run
_check_tool_policy(recipe_config)inrun_stream()unlessoptions["allow_dangerous_tools"]is true. - Perform that check before both dry-run and real execution, matching
recipe.run(). - Prefer a shared helper for dependency checks, dangerous-tool policy checks, and dry-run handling so future entrypoints cannot drift.
- Add regression tests:
- declared dangerous tool is denied by
recipe.run(); - the same declared dangerous tool is denied by
recipe.run_stream(); allow_dangerous_tools=Truepreserves the intended opt-in behavior;/v1/recipes/streammaps a policy denial to a non-success SSE event or equivalent HTTP failure.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.58"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.87"
},
{
"fixed": "4.6.59"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-693",
"CWE-78",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:53:05Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# PraisonAI `recipe.run_stream()` skips dangerous-tool policy enforcement\n\n## Summary\n\nPraisonAI recipe execution blocks default-denied dangerous tools unless the\ncaller explicitly passes `allow_dangerous_tools=True`. The normal `recipe.run()`\npath enforces this with `_check_tool_policy()`. The streaming path,\n`recipe.run_stream()`, loads the same recipe, checks dependencies, and then\ncalls `_execute_recipe()` without running the dangerous-tool policy check.\n\nAs a result, a recipe that honestly declares `execute_command` in\n`TEMPLATE.yaml requires.tools` is denied by `recipe.run()`, but reaches the\nexecution engine through `recipe.run_stream()` with\n`allow_dangerous_tools=False`.\n\nThe local PoV uses a harmless `printf` canary, explicitly unsets\n`PRAISONAI_AUTO_APPROVE`, and avoids network access.\n\n## Affected Product\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `praisonai`\n- Components:\n - `src/praisonai/praisonai/recipe/core.py`\n - `src/praisonai/praisonai/recipe/serve.py`\n - `src/praisonai/praisonai/cli/features/recipe.py`\n - `src/praisonai-agents/praisonaiagents/workflows/yaml_parser.py`\n - `src/praisonai-agents/praisonaiagents/workflows/workflows.py`\n\nValidated affected:\n\n- current main `2f9677abb2ea68eab864ee8b6a828fd0141612e1`\n (`v4.6.57-4-g2f9677ab`)\n- `v4.6.57`\n- `v4.6.56`\n- `v4.6.10`\n- `v4.6.9`\n- `v4.5.128`\n- `v4.5.120`\n- `v4.5.96`\n- `v4.5.87`\n\nSuggested affected range: `\u003e= 4.5.87, \u003c= 4.6.57`.\n\nPyPI lists `PraisonAI 4.6.57` as the latest release on 2026-06-13.\n\nEarlier tested tags through `v4.5.85` failed in this source checkout before the\ntested workflow path due an unrelated `praisonaiagents.output.models` import\nerror. They are not claimed fixed or unaffected.\n\n## Root Cause\n\n`recipe.run()` enforces the dangerous-tool gate:\n\n```python\nif not options.get(\"allow_dangerous_tools\", False):\n policy_error = _check_tool_policy(recipe_config)\n if policy_error:\n return RecipeResult(..., status=RecipeStatus.POLICY_DENIED, ...)\n```\n\n`recipe.run_stream()` has a sibling execution path. It loads the recipe and\nchecks dependencies, but then goes directly to execution:\n\n```python\nrecipe_config = _load_recipe(name, offline=options.get(\"offline\", False))\n...\noutput = _execute_recipe(recipe_config, merged_config, session_id, options)\n```\n\nThere is no equivalent `_check_tool_policy()` call in `run_stream()` before\nexecution or before the dry-run shortcut.\n\nThe CLI exposes this path via `praisonai recipe run \u003crecipe\u003e --stream`, and the\nrecipe HTTP server exposes it as `POST /v1/recipes/stream`.\n\n## Why This Is Not Intended Behavior\n\nThe normal recipe path clearly treats declared dangerous tools as denied by\ndefault. A control recipe with `TEMPLATE.yaml requires.tools:\n[execute_command]` returns:\n\n```text\nTool \u0027execute_command\u0027 is denied by default. Use allow_dangerous_tools=True to override.\n```\n\nThat operator-facing override should not depend on whether the caller requests\nstreaming output. PraisonAI\u0027s own docs describe approval as requiring a human\nor configured channel before risky tools run, describe security environment\nvariables as opt-in access for dangerous operations with secure defaults, and\ndescribe policy controls as blocking dangerous operations.\n\nThis is distinct from the prior report `PRAI-CAND-011`:\n\n- `PRAI-CAND-011` covers workflow tool declarations that are omitted from\n `TEMPLATE.yaml requires.tools`.\n- This report covers a sibling entrypoint that skips the policy check even when\n `TEMPLATE.yaml` correctly declares the dangerous tool.\n\nIt is also distinct from the published Recipe-server authentication fail-open\nadvisory. That advisory covers missing authentication secrets. This report\nassumes the attacker has whatever access is already needed to invoke recipe\nstreaming and focuses on the missing dangerous-tool policy guard.\n\n## Local PoV\n\nRun:\n\n```bash\npython3 poc/pov_prai_cand_012_stream_policy_bypass.py\n```\n\nExpected output includes:\n\n```json\n{\n \"ok\": true,\n \"policy_error\": \"Tool \u0027execute_command\u0027 is denied by default. Use allow_dangerous_tools=True to override.\",\n \"control_recipe_status\": \"policy_denied\",\n \"execution_reached\": [\n {\n \"recipe\": \"declared-dangerous-stream\",\n \"declared_required_tools\": [\"execute_command\"],\n \"allow_dangerous_tools\": false\n }\n ],\n \"workflow_approve_tools\": [\"execute_command\"],\n \"runner_tool_names\": [\"execute_command\"],\n \"command_stdout\": \"PRAI-CAND-012-CANARY\",\n \"operator_env_auto_approve\": null\n}\n```\n\nThe PoV creates a temporary recipe that declares `execute_command` in\n`TEMPLATE.yaml requires.tools`.\n\nControl:\n\n- `recipe.run(..., options={\"force\": True})` returns `policy_denied`.\n\nBypass:\n\n- `recipe.run_stream(..., options={\"force\": True})` emits the `executing`\n event and reaches `_execute_recipe()` while `allow_dangerous_tools` remains\n false.\n- The same recipe workflow resolves `execute_command` and preserves\n `approve: [execute_command]`.\n- With the workflow approval context installed, the resolved tool runs the\n harmless local command `printf PRAI-CAND-012-CANARY`.\n\nThe PoV monkey-patches `_execute_recipe()` only to prove that\n`run_stream()` crosses the policy boundary without invoking an LLM. The command\ncanary is executed directly through the same resolved workflow tool and\napproval context to keep the proof deterministic and local-only.\n\n## Impact\n\nIf an operator runs an untrusted recipe through streaming mode, or exposes the\nrecipe streaming API to users who can choose recipe names or URIs, the recipe\ncan reach execution with default-denied tools even though the caller did not\nset `allow_dangerous_tools=True`.\n\nIf the workflow reaches the approved `execute_command` tool call, commands run\nwith the privileges of the PraisonAI process. The exact trigger depends on the\nworkflow and model/tool-call path, but the dangerous-tool policy boundary is\nalready bypassed before execution.\n\nThe HTTP recipe sidecar is documented as a localhost REST API with SSE\nstreaming and optional API-key/JWT authentication. This report does not claim\ndefault unauthenticated network RCE. In authenticated or exposed sidecar\ndeployments where lower-trust users can invoke `/v1/recipes/stream`, the same\npolicy gap can become a remote recipe-execution issue.\n\n## Suggested Fix\n\nCentralize recipe preflight enforcement so every execution mode uses the same\nguard:\n\n1. Run `_check_tool_policy(recipe_config)` in `run_stream()` unless\n `options[\"allow_dangerous_tools\"]` is true.\n2. Perform that check before both dry-run and real execution, matching\n `recipe.run()`.\n3. Prefer a shared helper for dependency checks, dangerous-tool policy checks,\n and dry-run handling so future entrypoints cannot drift.\n4. Add regression tests:\n - declared dangerous tool is denied by `recipe.run()`;\n - the same declared dangerous tool is denied by `recipe.run_stream()`;\n - `allow_dangerous_tools=True` preserves the intended opt-in behavior;\n - `/v1/recipes/stream` maps a policy denial to a non-success SSE event or\n equivalent HTTP failure.",
"id": "GHSA-v847-hxxw-3pxg",
"modified": "2026-06-18T13:53:05Z",
"published": "2026-06-18T13:53:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v847-hxxw-3pxg"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI recipe.run_stream skips dangerous-tool policy enforcement"
}
GHSA-V84C-53C6-XMMP
Vulnerability from github – Published: 2024-11-26 21:32 – Updated: 2024-11-26 21:32An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.
{
"affected": [],
"aliases": [
"CVE-2024-11669"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T19:15:22Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.",
"id": "GHSA-v84c-53c6-xmmp",
"modified": "2024-11-26T21:32:24Z",
"published": "2024-11-26T21:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11669"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/501528"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V856-JMJ2-XMV3
Vulnerability from github – Published: 2023-09-08 21:30 – Updated: 2024-04-04 07:34IBM Aspera Faspex 5.0.5 could allow a malicious actor to bypass IP whitelist restrictions using a specially crafted HTTP request. IBM X-Force ID: 254268.
{
"affected": [],
"aliases": [
"CVE-2023-30995"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-08T21:15:45Z",
"severity": "HIGH"
},
"details": "IBM Aspera Faspex 5.0.5 could allow a malicious actor to bypass IP whitelist restrictions using a specially crafted HTTP request. IBM X-Force ID: 254268.",
"id": "GHSA-v856-jmj2-xmv3",
"modified": "2024-04-04T07:34:20Z",
"published": "2023-09-08T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30995"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254268"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7029681"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7048851"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V85R-M9WC-PPRX
Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30Vulnerability in the Oracle Site Hub product of Oracle E-Business Suite (component: Site Hierarchy Flows). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Site Hub. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Site Hub accessible data as well as unauthorized access to critical data or complete access to all Oracle Site Hub accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21265"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T20:15:17Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Site Hub product of Oracle E-Business Suite (component: Site Hierarchy Flows). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Site Hub. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Site Hub accessible data as well as unauthorized access to critical data or complete access to all Oracle Site Hub accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-v85r-m9wc-pprx",
"modified": "2024-10-15T21:30:38Z",
"published": "2024-10-15T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21265"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V86M-GG8V-4873
Vulnerability from github – Published: 2026-04-10 03:31 – Updated: 2026-04-10 03:31The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the receive_heartbeat() function in includes/class-wp-optimize-heartbeat.php in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking Updraft_Smush_Manager_Commands methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (updraft_smush_ajax) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (get_smush_logs), deleting all backup images (clean_all_backup_images), triggering bulk image processing (process_bulk_smush), and modifying Smush options (update_smush_options).
{
"affected": [],
"aliases": [
"CVE-2026-2712"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T02:16:02Z",
"severity": "MODERATE"
},
"details": "The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).",
"id": "GHSA-v86m-gg8v-4873",
"modified": "2026-04-10T03:31:10Z",
"published": "2026-04-10T03:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2712"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L65"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L82"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-wp-optimize-heartbeat.php#L65"
},
{
"type": "WEB",
"url": "https://research.cleantalk.org/cve-2026-2712"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a0a376e-ea3a-40ca-9341-f28f92e15e02?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-V8CG-4474-49V8
Vulnerability from github – Published: 2026-03-12 14:21 – Updated: 2026-03-30 13:39Summary
Slack member_* and message subtype system events (message_changed, message_deleted, thread_broadcast) were not consistently enforcing sender authorization before enqueueing system events.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version:
2026.2.25 - Affected range:
<= 2026.2.25 - Planned patched version:
2026.2.26(pre-set for publish-readiness)
Technical Details
Slack system-event handlers in src/slack/monitor/events/members.ts and src/slack/monitor/events/messages.ts enqueued events after channel checks without shared sender authorization. Deployments relying on Slack DM allowlists (dmPolicy / allowFrom) or per-channel users allowlists could receive unauthorized system-event ingress from non-allowlisted senders.
The fix routes those handlers through authorizeAndResolveSlackSystemEventContext(...) and fails closed when message subtype sender identity cannot be resolved.
Fix Commit(s)
3d30ba18a2aba1e1b302e77ff33145c3b06c01c8
Release Process Note
patched_versions is pre-set to >= 2026.2.26 so once npm 2026.2.26 is published, this advisory can be published without further field edits.
Thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.25"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32895"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:21:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nSlack `member_*` and `message` subtype system events (`message_changed`, `message_deleted`, `thread_broadcast`) were not consistently enforcing sender authorization before enqueueing system events.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version: `2026.2.25`\n- Affected range: `\u003c= 2026.2.25`\n- Planned patched version: `2026.2.26` (pre-set for publish-readiness)\n\n### Technical Details\nSlack system-event handlers in `src/slack/monitor/events/members.ts` and `src/slack/monitor/events/messages.ts` enqueued events after channel checks without shared sender authorization. Deployments relying on Slack DM allowlists (`dmPolicy` / `allowFrom`) or per-channel `users` allowlists could receive unauthorized system-event ingress from non-allowlisted senders.\n\nThe fix routes those handlers through `authorizeAndResolveSlackSystemEventContext(...)` and fails closed when message subtype sender identity cannot be resolved.\n\n### Fix Commit(s)\n- `3d30ba18a2aba1e1b302e77ff33145c3b06c01c8`\n\n### Release Process Note\n`patched_versions` is pre-set to `\u003e= 2026.2.26` so once npm `2026.2.26` is published, this advisory can be published without further field edits.\n\nThanks @tdjackey for reporting.",
"id": "GHSA-v8cg-4474-49v8",
"modified": "2026-03-30T13:39:01Z",
"published": "2026-03-12T14:21:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cg-4474-49v8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32895"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/3d30ba18a2aba1e1b302e77ff33145c3b06c01c8"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-in-slack-system-event-handlers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers"
}
GHSA-V8CV-CH4W-445W
Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2024-09-17 00:31In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
{
"affected": [],
"aliases": [
"CVE-2022-30311"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-13T14:15:00Z",
"severity": "CRITICAL"
},
"details": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-refresh-request\" POST request doesn\u00e2\u20ac\u2122t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.",
"id": "GHSA-v8cv-ch4w-445w",
"modified": "2024-09-17T00:31:00Z",
"published": "2022-06-14T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30311"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.