CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5510 vulnerabilities reference this CWE, most recent first.
GHSA-WPG8-MF6H-GM92
Vulnerability from github – Published: 2023-09-12 18:58 – Updated: 2025-02-13 19:11Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.
Users should upgrade to version 2.7.1 or later which has removed the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40611"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-12T18:58:34Z",
"nvd_published_at": "2023-09-12T12:15:08Z",
"severity": "MODERATE"
},
"details": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows\u00a0authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.\n\nUsers should upgrade to version 2.7.1 or later which has removed the vulnerability.",
"id": "GHSA-wpg8-mf6h-gm92",
"modified": "2025-02-13T19:11:46Z",
"published": "2023-09-12T18:58:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40611"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/33413"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/11/12/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow Incorrect Authorization vulnerability"
}
GHSA-WPG9-4G4V-F9RC
Vulnerability from github – Published: 2026-03-03 21:32 – Updated: 2026-04-24 20:58Summary
In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(...) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true.
This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.
Security model note
OpenClaw’s documented trust model is a personal assistant model (one trusted operator), not an adversarial multi-user boundary.
- OpenClaw does not treat one shared gateway/chat surface as a hardened per-user auth boundary.
- Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.
This report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.
Details
Relevant path:
1. Voice transcript run omitted senderIsOwner in Discord voice manager.
2. Missing senderIsOwner defaulted to true in agentCommand.
3. Owner-only tool policy is keyed on senderIsOwner.
4. gateway and cron are owner-only tools.
Impact
- Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.
- No gateway-auth boundary bypass was required.
- Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).
Severity rationale
Downgraded from high to medium to align with OpenClaw’s trust model and deployment assumptions: - Requires participation in the same voice environment as the trusted operator workflow. - Requires Discord voice path conditions (joined voice channel + transcript flow). - Does not introduce a new cross-gateway or unauthenticated boundary bypass.
Remediation
- Always pass explicit
senderIsOwnerfrom Discord voice transcript ingress. - Fail closed (
false) when owner status is unknown for non-local/chat ingress paths. - Keep regression tests that verify owner/non-owner voice speaker handling.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.1 - Patched versions:
>= 2026.3.2(released)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32035"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:32:25Z",
"nvd_published_at": "2026-03-19T22:16:39Z",
"severity": "MODERATE"
},
"details": "### Summary\nIn `openclaw@2026.3.1`, the Discord voice transcript path called `agentCommand(...)` without `senderIsOwner`, and `agentCommand` defaults missing `senderIsOwner` to `true`.\n\nThis could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (`gateway`, `cron`) during voice transcript turns.\n\n### Security model note\nOpenClaw\u2019s documented trust model is a **personal assistant** model (one trusted operator), not an adversarial multi-user boundary.\n\n- OpenClaw does **not** treat one shared gateway/chat surface as a hardened per-user auth boundary.\n- Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.\n\nThis report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.\n\n### Details\nRelevant path:\n1. Voice transcript run omitted `senderIsOwner` in Discord voice manager.\n2. Missing `senderIsOwner` defaulted to `true` in `agentCommand`.\n3. Owner-only tool policy is keyed on `senderIsOwner`.\n4. `gateway` and `cron` are owner-only tools.\n\n### Impact\n- Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.\n- No gateway-auth boundary bypass was required.\n- Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).\n\n### Severity rationale\nDowngraded from high to **medium** to align with OpenClaw\u2019s trust model and deployment assumptions:\n- Requires participation in the same voice environment as the trusted operator workflow.\n- Requires Discord voice path conditions (joined voice channel + transcript flow).\n- Does not introduce a new cross-gateway or unauthenticated boundary bypass.\n\n### Remediation\n- Always pass explicit `senderIsOwner` from Discord voice transcript ingress.\n- Fail closed (`false`) when owner status is unknown for non-local/chat ingress paths.\n- Keep regression tests that verify owner/non-owner voice speaker handling.\n\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.1`\n- Patched versions: `\u003e= 2026.3.2` (released)",
"id": "GHSA-wpg9-4g4v-f9rc",
"modified": "2026-04-24T20:58:59Z",
"published": "2026-03-03T21:32:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32035"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handler"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels"
}
GHSA-WPP8-FJGF-PWC7
Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-04-29 20:16Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "10.3.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "10.4.0"
},
{
"fixed": "10.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.1.0"
},
{
"fixed": "11.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-31673"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-01T18:03:50Z",
"nvd_published_at": "2025-03-31T22:15:19Z",
"severity": "MODERATE"
},
"details": "Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.",
"id": "GHSA-wpp8-fjgf-pwc7",
"modified": "2025-04-29T20:16:24Z",
"published": "2025-04-01T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31673"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2025-002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Drupal Core Vulnerable to Forceful Browsing"
}
GHSA-WPPH-CJGR-7C39
Vulnerability from github – Published: 2026-03-03 23:12 – Updated: 2026-03-30 13:18Summary
channels.*.groups.*.toolsBySender could match a privileged sender policy using a colliding mutable identity value (for example senderName or senderUsername) when deployments used untyped keys.
The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.
Affected Packages / Versions
- Package: npm
openclaw - Affected versions:
<= 2026.2.21-2 - Latest published npm version at triage time (February 22, 2026):
2026.2.21-2 - Patched version (planned next release):
2026.2.22
Impact
This is a sender-authorization bypass in group tool policy matching for deployments that use toolsBySender with untyped keys. Under those conditions, an attacker could inherit stronger tool permissions intended for another sender if they can force an identifier collision.
Fix Commit(s)
5547a2275cb69413af3b62c795b93214fe913b57
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.22). Once that npm release is published, this advisory should only need publishing.
OpenClaw thanks @jiseoung for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32039"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T23:12:21Z",
"nvd_published_at": "2026-03-19T22:16:40Z",
"severity": "MODERATE"
},
"details": "### Summary\n`channels.*.groups.*.toolsBySender` could match a privileged sender policy using a colliding mutable identity value (for example `senderName` or `senderUsername`) when deployments used untyped keys.\n\nThe fix introduces explicit typed sender keys (`id:`, `e164:`, `username:`, `name:`), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Affected versions: `\u003c= 2026.2.21-2`\n- Latest published npm version at triage time (February 22, 2026): `2026.2.21-2`\n- Patched version (planned next release): `2026.2.22`\n\n### Impact\nThis is a sender-authorization bypass in group tool policy matching for deployments that use `toolsBySender` with untyped keys. Under those conditions, an attacker could inherit stronger tool permissions intended for another sender if they can force an identifier collision.\n\n### Fix Commit(s)\n- `5547a2275cb69413af3b62c795b93214fe913b57`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once that npm release is published, this advisory should only need publishing.\n\nOpenClaw thanks @jiseoung for reporting.",
"id": "GHSA-wpph-cjgr-7c39",
"modified": "2026-03-30T13:18:04Z",
"published": "2026-03-03T23:12:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32039"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s typed sender-key matching for toolsBySender prevents identity-collision policy bypass"
}
GHSA-WQ6J-H853-FWF7
Vulnerability from github – Published: 2025-01-30 12:31 – Updated: 2025-01-30 12:31An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to leverage the endpoint "/embedai/visits/show/" to obtain information about the visits made by other users. The information provided by this endpoint includes IP address, userAgent and location of the user that visited the web page.
{
"affected": [],
"aliases": [
"CVE-2025-0743"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-30T12:15:27Z",
"severity": "MODERATE"
},
"details": "An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to leverage the endpoint \"/embedai/visits/show/\u003cVISIT_ID\u003e\" to obtain information about the visits made by other users. The information provided by this endpoint includes IP address, userAgent and location of the user that visited the web page.",
"id": "GHSA-wq6j-h853-fwf7",
"modified": "2025-01-30T12:31:19Z",
"published": "2025-01-30T12:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0743"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQGG-WCJM-MHC9
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-12113"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-19T23:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum\u0027s JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.",
"id": "GHSA-wqgg-wcjm-mhc9",
"modified": "2022-05-13T01:01:38Z",
"published": "2022-05-13T01:01:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12113"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0465"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102475"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQQQ-56CG-6762
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-06 00:01In WindowManager, there is a possible way to start non-exported and protected activities due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-205996115
{
"affected": [],
"aliases": [
"CVE-2021-39749"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T16:15:00Z",
"severity": "HIGH"
},
"details": "In WindowManager, there is a possible way to start non-exported and protected activities due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-205996115",
"id": "GHSA-wqqq-56cg-6762",
"modified": "2022-04-06T00:01:54Z",
"published": "2022-03-31T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39749"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-12l"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQVX-8X2R-W74F
Vulnerability from github – Published: 2022-09-06 00:00 – Updated: 2022-09-09 00:00The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts
{
"affected": [],
"aliases": [
"CVE-2022-2597"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-05T13:15:00Z",
"severity": "HIGH"
},
"details": "The Visual Portfolio, Photo Gallery \u0026 Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts",
"id": "GHSA-wqvx-8x2r-w74f",
"modified": "2022-09-09T00:00:59Z",
"published": "2022-09-06T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2597"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/3ffcee7c-1e03-448c-8006-a9405658cdb7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQXV-W64V-5WH6
Vulnerability from github – Published: 2026-07-06 21:11 – Updated: 2026-07-07 22:17Summary
AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working.
Note: Practical impact is limited to already-issued API keys of suspended users until those keys are deleted.
Impact
A suspended user with a previously issued long-lived token could continue calling AI Bridge LLM proxy endpoints, consuming paid provider resources billed to the deployment and, if injected MCP tools are enabled, invoking those tools. Access persists until the token expires, which may be months after suspension.
Patches
The fix makes AI Bridge authorization reject non-active users like the standard API key middleware. AI Bridge was introduced in v2.30.0. The v2.29 ESR line is not affected.
The fix is available in the following releases:
| Release line | Patched version |
|---|---|
| 2.34 | v2.34.2 |
| 2.33 | v2.33.8 |
| 2.32 | v2.32.7 |
Workarounds
On suspension, delete the user's API keys via DELETE /api/v2/users/{user}/keys.
Resources
- Fix: #26173
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22446) for independently disclosing this issue!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.34.0"
},
{
"fixed": "2.34.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.30.0"
},
{
"fixed": "2.32.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55435"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T21:11:20Z",
"nvd_published_at": "2026-07-07T19:16:54Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user\u0027s unexpired token keeps working.\n\n\u003e **Note:** Practical impact is limited to already-issued API keys of suspended users until those keys are deleted.\n\n### Impact\n\nA suspended user with a previously issued long-lived token could continue calling AI Bridge LLM proxy endpoints, consuming paid provider resources billed to the deployment and, if injected MCP tools are enabled, invoking those tools. Access persists until the token expires, which may be months after suspension.\n\n### Patches\n\nThe fix makes AI Bridge authorization reject non-active users like the standard API key middleware. AI Bridge was introduced in v2.30.0. The v2.29 ESR line is not affected.\n\nThe fix is available in the following releases:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n\n### Workarounds\n\nOn suspension, delete the user\u0027s API keys via `DELETE /api/v2/users/{user}/keys`.\n\n### Resources\n\n- Fix: #26173\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22446) for independently disclosing this issue!",
"id": "GHSA-wqxv-w64v-5wh6",
"modified": "2026-07-07T22:17:57Z",
"published": "2026-07-06T21:11:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coder/coder/security/advisories/GHSA-wqxv-w64v-5wh6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55435"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/26164"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/26173"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/commit/0d2c9f904a8b75b888140fcc8fbf4633660cc787"
},
{
"type": "PACKAGE",
"url": "https://github.com/coder/coder"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.32.7"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.33.8"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.34.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Suspended Coder users retain access to AI Bridge LLM proxy endpoints"
}
GHSA-WQXX-GQ9H-PV57
Vulnerability from github – Published: 2024-08-25 12:32 – Updated: 2024-09-11 18:31Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera.
{
"affected": [],
"aliases": [
"CVE-2024-8011"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-25T12:15:03Z",
"severity": "LOW"
},
"details": "Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera.",
"id": "GHSA-wqxx-gq9h-pv57",
"modified": "2024-09-11T18:31:02Z",
"published": "2024-08-25T12:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8011"
},
{
"type": "WEB",
"url": "https://www.hackerone.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.