CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-VG6X-6PG9-6QWG
Vulnerability from github – Published: 2026-07-16 20:08 – Updated: 2026-07-16 20:08Impact
The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an UPDATE_SCHEMA authorization check to a single schema-mutating method (LocalDocumentType.createProperty). The remaining public schema mutators were left unchecked, so an authenticated identity (including a read-only API token) that lacks the UPDATE_SCHEMA permission could still mutate the database schema on its own database:
DROP PROPERTY <type>.<property>ALTER TYPE <name> SUPERTYPE +<other>/-<other>(change the inheritance hierarchy)ALTER TYPE <name> NAME <newName>(rename a type)- type alias and bucket changes
ALTER PROPERTY <type>.<property> ...(MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) — theLocalPropertysetters had no check at all
This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises UPDATE_SCHEMA as the gating right for schema mutation.
Affected component
Engine schema layer: engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java and engine/src/main/java/com/arcadedb/schema/LocalProperty.java, reachable via the SQL DROP PROPERTY, ALTER TYPE, and ALTER PROPERTY statements over the database command/query HTTP endpoints.
Patches
Every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.
Workarounds
Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.
Resources
Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.
Credit
Reported by Kai Aizen (SnailSploit).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.arcadedb:arcadedb-engine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54076"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-16T20:08:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an `UPDATE_SCHEMA` authorization check to a single schema-mutating method (`LocalDocumentType.createProperty`). The remaining public schema mutators were left unchecked, so an authenticated identity (including a **read-only API token**) that lacks the `UPDATE_SCHEMA` permission could still mutate the database schema on its own database:\n\n- `DROP PROPERTY \u003ctype\u003e.\u003cproperty\u003e`\n- `ALTER TYPE \u003cname\u003e SUPERTYPE +\u003cother\u003e` / `-\u003cother\u003e` (change the inheritance hierarchy)\n- `ALTER TYPE \u003cname\u003e NAME \u003cnewName\u003e` (rename a type)\n- type alias and bucket changes\n- `ALTER PROPERTY \u003ctype\u003e.\u003cproperty\u003e ...` (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) \u2014 the `LocalProperty` setters had no check at all\n\nThis does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises `UPDATE_SCHEMA` as the gating right for schema mutation.\n\n### Affected component\n\nEngine schema layer: `engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java` and `engine/src/main/java/com/arcadedb/schema/LocalProperty.java`, reachable via the SQL `DROP PROPERTY`, `ALTER TYPE`, and `ALTER PROPERTY` statements over the database command/query HTTP endpoints.\n\n### Patches\n\nEvery public schema-mutating method on `LocalDocumentType` and `LocalProperty` now enforces `checkPermissionsOnDatabase(UPDATE_SCHEMA)` via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.\n\n### Workarounds\n\nGrant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.\n\n### Resources\n\nIncomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.\n\n### Credit\n\nReported by Kai Aizen (SnailSploit).",
"id": "GHSA-vg6x-6pg9-6qwg",
"modified": "2026-07-16T20:08:24Z",
"published": "2026-07-16T20:08:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-vg6x-6pg9-6qwg"
},
{
"type": "PACKAGE",
"url": "https://github.com/ArcadeData/arcadedb"
},
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/releases/tag/26.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)"
}
GHSA-VG73-HFWM-24QF
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-06-02 00:00Insufficient checks in System Management Unit (SMU) FeatureConfig may result in reenabling features potentially resulting in denial of resources and/or denial of service.
{
"affected": [],
"aliases": [
"CVE-2021-26376"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T17:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient checks in System Management Unit (SMU) FeatureConfig may result in reenabling features potentially resulting in denial of resources and/or denial of service.",
"id": "GHSA-vg73-hfwm-24qf",
"modified": "2022-06-02T00:00:30Z",
"published": "2022-05-12T00:01:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26376"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG7P-2967-P5P3
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to bypass authentication by sending the decoded value of the GgpoZWxwCmxpc3QKd2hvCg== string to the telnet server.
{
"affected": [],
"aliases": [
"CVE-2021-27177"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T19:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to bypass authentication by sending the decoded value of the GgpoZWxwCmxpc3QKd2hvCg== string to the telnet server.",
"id": "GHSA-vg7p-2967-p5p3",
"modified": "2022-05-24T17:41:52Z",
"published": "2022-05-24T17:41:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27177"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#telnet-cli-auth-bypass"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VG85-GMCC-WRQW
Vulnerability from github – Published: 2024-09-27 00:31 – Updated: 2024-09-27 00:31Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."
{
"affected": [],
"aliases": [
"CVE-2024-8974"
],
"database_specific": {
"cwe_ids": [
"CWE-684",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T23:15:03Z",
"severity": "LOW"
},
"details": "Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project.\"",
"id": "GHSA-vg85-gmcc-wrqw",
"modified": "2024-09-27T00:31:05Z",
"published": "2024-09-27T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8974"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/482843"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VG8Q-6F88-6VRH
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance.
{
"affected": [],
"aliases": [
"CVE-2017-0920"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-22T15:29:00Z",
"severity": "MODERATE"
},
"details": "GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance.",
"id": "GHSA-vg8q-6f88-6vrh",
"modified": "2022-05-13T01:40:53Z",
"published": "2022-05-13T01:40:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0920"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/301336"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4206"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VG95-5P98-2464
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-07-13 00:01An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
{
"affected": [],
"aliases": [
"CVE-2021-22180"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-26T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.",
"id": "GHSA-vg95-5p98-2464",
"modified": "2022-07-13T00:01:08Z",
"published": "2022-05-24T17:45:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22180"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1064645"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22180.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/295662"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VGC6-7RQ7-5J57
Vulnerability from github – Published: 2021-12-29 00:00 – Updated: 2021-12-29 00:00PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.
{
"affected": [],
"aliases": [
"CVE-2021-3090"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-28T19:15:00Z",
"severity": null
},
"details": "PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.",
"id": "GHSA-vgc6-7rq7-5j57",
"modified": "2021-12-29T00:00:44Z",
"published": "2021-12-29T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3090"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VGFW-CGXJ-F63C
Vulnerability from github – Published: 2024-11-25 18:33 – Updated: 2024-11-25 18:33The application Sensei Mac Cleaner contains a local privilege escalation vulnerability, allowing an attacker to perform multiple operations as the root user. These operations include arbitrary file deletion and writing, loading and unloading daemons, manipulating file permissions, and loading extensions, among other actions.
The vulnerable module org.cindori.SenseiHelper can be contacted via XPC. While the module performs client validation, it relies on the client's PID obtained through the public processIdentifier property of the NSXPCConnection class. This approach makes the module susceptible to a PID Reuse Attack, enabling an attacker to impersonate a legitimate client and send crafted XPC messages to invoke arbitrary methods exposed by the HelperProtocol interface.
{
"affected": [],
"aliases": [
"CVE-2024-7915"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-25T18:15:14Z",
"severity": "HIGH"
},
"details": "The application Sensei Mac Cleaner contains a local privilege escalation vulnerability, allowing an attacker to perform multiple operations as the root\u00a0user. These operations include arbitrary file deletion and writing, loading and unloading daemons, manipulating file permissions, and loading extensions, among other actions.\n\n\nThe vulnerable module\u00a0org.cindori.SenseiHelper\u00a0can be contacted via XPC. While the module performs client validation, it relies on the client\u0027s PID\u00a0obtained through the public processIdentifier\u00a0property of the NSXPCConnection\u00a0class. This approach makes the module susceptible to a PID Reuse Attack, enabling an attacker to impersonate a legitimate client and send crafted XPC messages to invoke arbitrary methods exposed by the HelperProtocol\u00a0interface.",
"id": "GHSA-vgfw-cgxj-f63c",
"modified": "2024-11-25T18:33:26Z",
"published": "2024-11-25T18:33:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7915"
},
{
"type": "WEB",
"url": "https://pentraze.com/vulnerability-reports"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VGH6-QCG3-P3MF
Vulnerability from github – Published: 2023-07-07 15:30 – Updated: 2024-04-04 05:50Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.
{
"affected": [],
"aliases": [
"CVE-2023-34197"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-07T13:15:09Z",
"severity": "MODERATE"
},
"details": "Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.",
"id": "GHSA-vgh6-qcg3-p3mf",
"modified": "2024-04-04T05:50:25Z",
"published": "2023-07-07T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34197"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/service-desk/CVE-2023-34197.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VGMW-9CWW-QQ99
Vulnerability from github – Published: 2022-01-31 00:00 – Updated: 2024-11-18 16:26calibreweb prior to version 0.6.16 contains an Incorrect Authorization vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "calibreweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0273"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-07T21:14:46Z",
"nvd_published_at": "2022-01-30T14:15:00Z",
"severity": "HIGH"
},
"details": "calibreweb prior to version 0.6.16 contains an Incorrect Authorization vulnerability.",
"id": "GHSA-vgmw-9cww-qq99",
"modified": "2024-11-18T16:26:18Z",
"published": "2022-01-31T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0273"
},
{
"type": "WEB",
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
},
{
"type": "PACKAGE",
"url": "https://github.com/janeczku/calibre-web"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-22.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Incorrect Authorization in calibreweb"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.