Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5504 vulnerabilities reference this CWE, most recent first.

GHSA-WV76-CP7M-4V99

Vulnerability from github – Published: 2022-09-29 00:00 – Updated: 2022-09-29 00:00
VLAI
Details

Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-28T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only.",
  "id": "GHSA-wv76-cp7m-4v99",
  "modified": "2022-09-29T00:00:17Z",
  "published": "2022-09-29T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39031"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-6568-331c1-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WV7F-C794-82V6

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-18 14:34
VLAI
Summary
Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
Details

Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.

This issue affects Apache DolphinScheduler versions prior to 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.dolphinscheduler:dolphinscheduler-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:34:32Z",
    "nvd_published_at": "2026-06-17T13:20:39Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.2.\n\n\nUsers are recommended to upgrade to version 3.4.2, which fixes this issue.",
  "id": "GHSA-wv7f-c794-82v6",
  "modified": "2026-06-18T14:34:32Z",
  "published": "2026-06-17T18:35:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42357"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/dolphinscheduler"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/74l2rrz32w2chn7vz64313gk7ox5wjtr"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/17/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. "
}

GHSA-WVCV-9XPM-7MQC

Vulnerability from github – Published: 2026-05-18 09:31 – Updated: 2026-06-01 15:13
VLAI
Summary
Mattermost doesn't enforce slash command trigger-word uniqueness during command updates
Details

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.5.0"
            },
            {
              "fixed": "11.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.11.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.4.0"
            },
            {
              "fixed": "11.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0-20260306123948-f5fe8ded6b63"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.2-0.20260306123948-f5fe8ded6b63"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-01T15:13:28Z",
    "nvd_published_at": "2026-05-18T09:16:22Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.5.x \u003c= 11.5.1, 10.11.x \u003c= 10.11.13, 11.4.x \u003c= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597",
  "id": "GHSA-wvcv-9xpm-7mqc",
  "modified": "2026-06-01T15:13:28Z",
  "published": "2026-05-18T09:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28732"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/f5fe8ded6b633db7804ae25b42ea12ce635d6ea6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost doesn\u0027t enforce slash command trigger-word uniqueness during command updates"
}

GHSA-WVHQ-WP8G-C7VQ

Vulnerability from github – Published: 2026-03-06 18:48 – Updated: 2026-03-09 13:15
VLAI
Summary
Flowise has Authorization Bypass via Spoofed x-request-from Header
Details

Summary

Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privileges.

Details

The global middleware that guards /api/v1 routes lives in external/Flowise/packages/server/src/index.ts:214. After filtering out the whitelist, the logic short-circuits on the spoofable header:

if (isWhitelisted) {
    next();
} else if (req.headers['x-request-from'] === 'internal') {
    verifyToken(req, res, next);
} else {
    const { isValid } = await validateAPIKey(req);
    if (!isValid) return res.status(401).json({ error: 'Unauthorized Access' });
    … // owner context stitched from API key
}

Because the middle branch blindly calls verifyToken, any tenant that already has a UI session cookie is treated as an internal client simply by adding that header. No additional permission checks are performed before next() executes, so every downstream router under /api/v1 becomes reachable.

PoC

  1. Log into Flowise 3.0.8 and capture cookies (e.g., curl -c /tmp/flowise_cookies.txt … /api/v1/auth/login).
  2. Invoke an internal-only endpoint with the spoofed header:
    curl -sS -b /tmp/flowise_cookies.txt \
      -H 'Content-Type: application/json' \
      -H 'x-request-from: internal' \
      -X POST http://127.0.0.1:3100/api/v1/apikey \
      -d '{"keyName":"Bypass Demo"}'
The server returns HTTP 200 and the newly created key object.
  1. Remove the header and retry:
    curl -sS -b /tmp/flowise_cookies.txt \
      -H 'Content-Type: application/json' \
      -X POST http://127.0.0.1:3100/api/v1/apikey \
      -d '{"keyName":"Bypass Demo"}'
This yields {"error":"Unauthorized Access"}, confirming the header alone controls access.

The same spoof grants access to other privileged routes like /api/v1/credentials, /api/v1/tools, /api/v1/node-custom-function, etc.

Impact

This is an authorization bypass / privilege escalation. Any authenticated tenant (even without API keys or elevated roles) can execute internal administration APIs solely from the browser, enabling actions such as minting new API keys, harvesting stored secrets, and, when combined with other flaws (e.g., Custom Function RCE), full system compromise. All self-hosted Flowise 3.0.8 deployments that rely on the default middleware are affected.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T18:48:22Z",
    "nvd_published_at": "2026-03-07T05:16:26Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nFlowise trusts any HTTP client that sets the header `x-request-from: internal`, allowing an authenticated tenant session to bypass all `/api/v1/**` authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privileges.\n\n### Details\n\nThe global middleware that guards `/api/v1` routes lives in `external/Flowise/packages/server/src/index.ts:214`. After filtering out the whitelist, the logic short-circuits on the spoofable header:\n\n```javascript\nif (isWhitelisted) {\n    next();\n} else if (req.headers[\u0027x-request-from\u0027] === \u0027internal\u0027) {\n    verifyToken(req, res, next);\n} else {\n    const { isValid } = await validateAPIKey(req);\n    if (!isValid) return res.status(401).json({ error: \u0027Unauthorized Access\u0027 });\n    \u2026 // owner context stitched from API key\n}\n```\n\nBecause the middle branch blindly calls verifyToken, any tenant that already has a UI session cookie is treated as an internal client simply by adding that header. No additional permission checks are performed before `next()` executes, so every downstream router under `/api/v1` becomes reachable.\n\n### PoC\n\n1. Log into Flowise 3.0.8 and capture cookies (e.g., `curl -c /tmp/flowise_cookies.txt \u2026 /api/v1/auth/login`).\n2. Invoke an internal-only endpoint with the spoofed header:\n\n```bash\n    curl -sS -b /tmp/flowise_cookies.txt \\\n      -H \u0027Content-Type: application/json\u0027 \\\n      -H \u0027x-request-from: internal\u0027 \\\n      -X POST http://127.0.0.1:3100/api/v1/apikey \\\n      -d \u0027{\"keyName\":\"Bypass Demo\"}\u0027\n```\n    The server returns HTTP 200 and the newly created key object.\n3. Remove the header and retry:\n\n```bash\n    curl -sS -b /tmp/flowise_cookies.txt \\\n      -H \u0027Content-Type: application/json\u0027 \\\n      -X POST http://127.0.0.1:3100/api/v1/apikey \\\n      -d \u0027{\"keyName\":\"Bypass Demo\"}\u0027\n```\n    This yields {\"error\":\"Unauthorized Access\"}, confirming the header alone controls access.\n\nThe same spoof grants access to other privileged routes like `/api/v1/credentials`, `/api/v1/tools`, `/api/v1/node-custom-function`, etc.\n\n### Impact\n\nThis is an authorization bypass / privilege escalation. Any authenticated tenant (even without API keys or elevated roles) can execute internal administration APIs solely from the browser, enabling actions such as minting new API keys, harvesting stored secrets, and, when combined with other flaws (e.g., Custom Function RCE), full system compromise. All self-hosted Flowise 3.0.8 deployments that rely on the default middleware are affected.",
  "id": "GHSA-wvhq-wp8g-c7vq",
  "modified": "2026-03-09T13:15:20Z",
  "published": "2026-03-06T18:48:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30820"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise has Authorization Bypass via Spoofed x-request-from Header"
}

GHSA-WVP2-9PPW-337J

Vulnerability from github – Published: 2023-07-25 18:24 – Updated: 2023-07-25 18:24
VLAI
Summary
Paths contain matrix variables bypass decorators
Details

Impact

Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. In this situation, the Armeria decorators might not invoked because of the matrix variables. Let's see the following example:

// Spring controller
@GetMapping("/important/resources")
public String important() {...}

// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);

If an attacker sends a request with /important;a=b/resources, the request would bypass the authrorizer

Patches

  • https://github.com/line/armeria-ghsa-wvp2-9ppw-337j/commit/9b0ec3e099cc05fbff11d7f1012a1dddb0000d0c

Workarounds

Users can add decorators using regex. e.g. "regex:^/important.*"

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.24.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.linecorp.armeria:armeria"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T18:24:39Z",
    "nvd_published_at": "2023-07-25T21:15:10Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nSpring supports [Matrix variables](https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html).\nWhen Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path\nthat may contain matrix variables.\nIn this situation, the Armeria decorators might not invoked because of the matrix variables.\nLet\u0027s see the following example:\n```\n// Spring controller\n@GetMapping(\"/important/resources\")\npublic String important() {...}\n\n// Armeria decorator\nServerBuilder sb = ...\nsb.decoratorUnder(\"/important/\", authService);\n```\nIf an attacker sends a request with `/important;a=b/resources`, the request would bypass the authrorizer\n\n### Patches\n- https://github.com/line/armeria-ghsa-wvp2-9ppw-337j/commit/9b0ec3e099cc05fbff11d7f1012a1dddb0000d0c\n\n### Workarounds\nUsers can add decorators using regex. `e.g. \"regex:^/important.*\"`\n",
  "id": "GHSA-wvp2-9ppw-337j",
  "modified": "2023-07-25T18:24:39Z",
  "published": "2023-07-25T18:24:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38493"
    },
    {
      "type": "WEB",
      "url": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07"
    },
    {
      "type": "WEB",
      "url": "https://github.com/line/armeria/commit/49e04ef231ad65750739529c7fa4ce946ff7588b"
    },
    {
      "type": "WEB",
      "url": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/line/armeria"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Paths contain matrix variables bypass decorators"
}

GHSA-WVV5-79H5-39G9

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.",
  "id": "GHSA-wvv5-79h5-39g9",
  "modified": "2022-05-24T19:01:30Z",
  "published": "2022-05-24T19:01:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22209"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22209.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/327155"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WVXG-VJ6J-J677

Vulnerability from github – Published: 2023-07-03 15:30 – Updated: 2024-04-04 05:20
VLAI
Details

Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-03T15:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.",
  "id": "GHSA-wvxg-vj6j-j677",
  "modified": "2024-04-04T05:20:34Z",
  "published": "2023-07-03T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26258"
    },
    {
      "type": "WEB",
      "url": "https://support.arcserve.com/s/article/KB000015720?language=en_US"
    },
    {
      "type": "WEB",
      "url": "https://www.arcserve.com/products/arcserve-udp"
    },
    {
      "type": "WEB",
      "url": "https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW5J-8G6W-H99H

Vulnerability from github – Published: 2026-01-26 18:31 – Updated: 2026-01-29 15:30
VLAI
Details

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-26T18:16:40Z",
    "severity": "HIGH"
  },
  "details": "Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.",
  "id": "GHSA-ww5j-8g6w-h99h",
  "modified": "2026-01-29T15:30:26Z",
  "published": "2026-01-26T18:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24428"
    },
    {
      "type": "WEB",
      "url": "https://www.tendacn.com/product/W30E"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WW63-9P7H-RC9V

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-14T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.",
  "id": "GHSA-ww63-9p7h-rc9v",
  "modified": "2022-05-13T01:19:52Z",
  "published": "2022-05-13T01:19:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20147"
    },
    {
      "type": "WEB",
      "url": "https://codex.wordpress.org/Version_4.9.9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/support/wordpress-version/version-5-0-1"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9169"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4401"
    },
    {
      "type": "WEB",
      "url": "https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106220"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW63-PV5X-VFC8

Vulnerability from github – Published: 2026-06-16 21:05 – Updated: 2026-06-16 21:05
VLAI
Summary
Daytona: Public sandbox previews remain accessible for up to one hour after being made private
Details

Summary

Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed.

Impact

When a sandbox owner changed a preview from public to private, the preview proxy could continue serving unauthenticated requests to that sandbox's ordinary preview ports for a bounded period before the change took effect. Only sandboxes that had been made public and were later set back to private were affected, and only until the proxy's cached visibility state was refreshed. Terminal, toolbox, and recording-dashboard ports were never affected, as those always require authentication. The issue did not involve cross-tenant access, privilege escalation, or remote code execution.

Patches

Fixed in v0.184.0. Sandbox visibility changes now invalidate the proxy's cached preview state immediately, so revoking a public preview takes effect on the next request.

Workarounds

Upgrade to v0.184.0 or later. There is no configuration workaround for earlier versions.

Credit

Reported through Daytona's Vulnerability Disclosure Program by mrknightnidu(nidalkhan). Linkedin: https://www.linkedin.com/in/mrknight-nidu-031340328/

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.183.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/daytonaio/daytona"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.101.0"
            },
            {
              "fixed": "0.184.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T21:05:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nSandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox\u0027s visibility changed.\n\n### Impact\nWhen a sandbox owner changed a preview from public to private, the preview proxy could continue serving unauthenticated requests to that sandbox\u0027s ordinary preview ports for a bounded period before the change took effect. Only sandboxes that had been made public and were later set back to private were affected, and only until the proxy\u0027s cached visibility state was refreshed. Terminal, toolbox, and recording-dashboard ports were never affected, as those always require authentication. The issue did not involve cross-tenant access, privilege escalation, or remote code execution.\n\n### Patches\nFixed in v0.184.0. Sandbox visibility changes now invalidate the proxy\u0027s cached preview state immediately, so revoking a public preview takes effect on the next request.\n\n### Workarounds\nUpgrade to v0.184.0 or later. There is no configuration workaround for earlier versions.\n\n### Credit\nReported through Daytona\u0027s Vulnerability Disclosure Program by **mrknightnidu(nidalkhan)**.\n**Linkedin**: https://www.linkedin.com/in/mrknight-nidu-031340328/",
  "id": "GHSA-ww63-pv5x-vfc8",
  "modified": "2026-06-16T21:05:14Z",
  "published": "2026-06-16T21:05:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/daytonaio/daytona/security/advisories/GHSA-ww63-pv5x-vfc8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/daytonaio/daytona"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Daytona: Public sandbox previews remain accessible for up to one hour after being made private"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.