CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-X25Q-66JQ-MFCR
Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2022-09-07 00:01Incorrect access control in the install directory (C:\Wamp64) of Wamp v3.2.6 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.
{
"affected": [],
"aliases": [
"CVE-2022-36565"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-30T21:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect access control in the install directory (C:\\Wamp64) of Wamp v3.2.6 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.",
"id": "GHSA-x25q-66jq-mfcr",
"modified": "2022-09-07T00:01:54Z",
"published": "2022-08-31T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36565"
},
{
"type": "WEB",
"url": "https://github.com/ycdxsb/Vuln/blob/main/Wamp-Vuln/Wamp-Vuln.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X26F-VX5Q-2CXF
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53Huawei Mate RS smartphones with the versions before NEO-AL00D 8.1.0.167(C786) have a lock-screen bypass vulnerability. An attacker could unlock and use the phone through certain operations.
{
"affected": [],
"aliases": [
"CVE-2018-7929"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-18T13:29:00Z",
"severity": "MODERATE"
},
"details": "Huawei Mate RS smartphones with the versions before NEO-AL00D 8.1.0.167(C786) have a lock-screen bypass vulnerability. An attacker could unlock and use the phone through certain operations.",
"id": "GHSA-x26f-vx5q-2cxf",
"modified": "2022-05-13T01:53:26Z",
"published": "2022-05-13T01:53:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7929"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180914-01-smartphone-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X2CV-WQ6V-3CC9
Vulnerability from github – Published: 2026-07-08 21:30 – Updated: 2026-07-08 21:30HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
{
"affected": [],
"aliases": [
"CVE-2026-14896"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T21:16:47Z",
"severity": "MODERATE"
},
"details": "HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.",
"id": "GHSA-x2cv-wq6v-3cc9",
"modified": "2026-07-08T21:30:30Z",
"published": "2026-07-08T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14896"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2026-22-nomad-vulnerable-to-cross-namespace-host-volume-claim-deletion/77562"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X2FF-J5C2-GGPR
Vulnerability from github – Published: 2026-03-04 18:55 – Updated: 2026-03-30 13:48Impact
In shared Slack workspace deployments that rely on sender restrictions (allowFrom, DM policy, or channel user allowlists), some interactive callbacks (block_action, view_submission, view_closed) could be accepted before full sender authorization checks.
In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.
Affected Packages / Versions
- Package:
openclaw(npm) - Vulnerable versions:
<= 2026.2.24 - Patched version:
2026.2.25(planned next npm release)
Fix Commit(s)
ce8c67c314b93f570f53c2a9abc124e1e3a54715
Release Process Note
patched_versions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.
Trust Model Scope Note
OpenClaw does not support adversarial multi-user isolation on a single shared gateway instance. The supported model is one trust boundary per gateway (separate gateways/hosts for mutually untrusted users). See: https://docs.openclaw.ai/gateway/security
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32005"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T18:55:19Z",
"nvd_published_at": "2026-03-19T22:16:32Z",
"severity": "HIGH"
},
"details": "## Impact\n\nIn shared Slack workspace deployments that rely on sender restrictions (`allowFrom`, DM policy, or channel user allowlists), some interactive callbacks (`block_action`, `view_submission`, `view_closed`) could be accepted before full sender authorization checks.\n\nIn that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Vulnerable versions: `\u003c= 2026.2.24`\n- Patched version: `2026.2.25` (planned next npm release)\n\n## Fix Commit(s)\n\n- `ce8c67c314b93f570f53c2a9abc124e1e3a54715`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.\n\n## Trust Model Scope Note\n\nOpenClaw does not support adversarial multi-user isolation on a single shared gateway instance. The supported model is one trust boundary per gateway (separate gateways/hosts for mutually untrusted users). See: https://docs.openclaw.ai/gateway/security\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-x2ff-j5c2-ggpr",
"modified": "2026-03-30T13:48:03Z",
"published": "2026-03-04T18:55:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32005"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-interactive-callbacks-via-sender-check-skip"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows"
}
GHSA-X2GH-HGCJ-Q83Q
Vulnerability from github – Published: 2025-02-11 03:30 – Updated: 2025-02-11 03:30The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This has a limited impact on the confidentiality of the application with no effect on the integrity and availability of the application.
{
"affected": [],
"aliases": [
"CVE-2025-24872"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T01:15:11Z",
"severity": "MODERATE"
},
"details": "The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This has a limited impact on the confidentiality of the application with no effect on the integrity and availability of the application.",
"id": "GHSA-x2gh-hgcj-q83q",
"modified": "2025-02-11T03:30:56Z",
"published": "2025-02-11T03:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24872"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3553753"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2M2-4JFP-MM86
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
{
"affected": [],
"aliases": [
"CVE-2018-18815"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-07T22:29:00Z",
"severity": "CRITICAL"
},
"details": "The REST API component of TIBCO Software Inc.\u0027s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.\u0027s TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.",
"id": "GHSA-x2m2-4jfp-mm86",
"modified": "2022-05-13T01:50:46Z",
"published": "2022-05-13T01:50:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18815"
},
{
"type": "WEB",
"url": "https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809"
},
{
"type": "WEB",
"url": "https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-18815"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-305"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107346"
},
{
"type": "WEB",
"url": "http://www.tibco.com/services/support/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X2P8-RGFM-QW3V
Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-03 22:07An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via the classifier in NERServlet.java (lines 158 and 159).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.3.2"
},
"package": {
"ecosystem": "Maven",
"name": "edu.stanford.nlp:stanford-corenlp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-44550"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-25T22:02:34Z",
"nvd_published_at": "2022-02-24T15:15:00Z",
"severity": "CRITICAL"
},
"details": "An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via the classifier in NERServlet.java (lines 158 and 159).",
"id": "GHSA-x2p8-rgfm-qw3v",
"modified": "2022-03-03T22:07:41Z",
"published": "2022-02-25T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44550"
},
{
"type": "WEB",
"url": "https://github.com/stanfordnlp/CoreNLP/issues/1222"
},
{
"type": "WEB",
"url": "https://github.com/stanfordnlp/CoreNLP/commit/5ee097dbede547023e88f60ed3f430ff09398b87"
},
{
"type": "PACKAGE",
"url": "https://github.com/stanfordnlp/CoreNLP"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Access Control vulnerability within CoreNLP"
}
GHSA-X2PQ-6FC2-WH58
Vulnerability from github – Published: 2026-03-21 03:31 – Updated: 2026-03-21 03:31OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perform control-plane actions beyond their intended authorization level by exploiting inconsistent owner-only gating during agent execution.
{
"affected": [],
"aliases": [
"CVE-2026-32051"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-21T01:17:08Z",
"severity": "HIGH"
},
"details": "OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perform control-plane actions beyond their intended authorization level by exploiting inconsistent owner-only gating during agent execution.",
"id": "GHSA-x2pq-6fc2-wh58",
"modified": "2026-03-21T03:31:13Z",
"published": "2026-03-21T03:31:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jr6x-2q95-fh2g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32051"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-agent-runs-via-owner-only-tool-access"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X35M-3GP4-4FH5
Vulnerability from github – Published: 2026-05-07 03:21 – Updated: 2026-05-14 20:54Impact
What kind of vulnerability is it? Who is impacted?
A vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled.
Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.
Patches
Has the problem been patched? What versions should users upgrade to?
This vulnerability is patched in the following versions: - etcd 3.6.11 - etcd 3.5.30 - etcd 3.4.44
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.
- restrict network access to etcd server ports so only trusted components can connect
- require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution
Reporters
Samy Ghannad (@SamyGhannad on Github) reported that read access via PrevKv in a Put request within etcd transactions bypassed RBAC authorization checks. Benjamin Wang (@ahrtr ) further analyzed that lease attachment in a Put request within etcd transactions also bypassed RBAC authorization checks
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.6.10"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.29"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.30"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.43"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.44"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44283"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T03:21:53Z",
"nvd_published_at": "2026-05-14T18:16:49Z",
"severity": "LOW"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled.\n\nKubernetes does not rely on etcd\u2019s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis vulnerability is patched in the following versions:\n- etcd 3.6.11\n- etcd 3.5.30\n- etcd 3.4.44\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nIf upgrading is not immediately possible, reduce exposure by treating the affected\nRPCs as unauthenticated in practice.\n\n- restrict network access to etcd server ports so only trusted components can connect\n- require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate\ndistribution\n\n### Reporters\n\nSamy Ghannad (@SamyGhannad on Github) reported that read access via PrevKv in a Put request within etcd transactions bypassed RBAC authorization checks. Benjamin Wang (@ahrtr ) further analyzed that lease attachment in a Put request within etcd transactions also bypassed RBAC authorization checks",
"id": "GHSA-x35m-3gp4-4fh5",
"modified": "2026-05-14T20:54:29Z",
"published": "2026-05-07T03:21:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44283"
},
{
"type": "PACKAGE",
"url": "https://github.com/etcd-io/etcd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in nested transaction Put requests"
}
GHSA-X3F7-3CX7-2CW7
Vulnerability from github – Published: 2026-05-18 09:31 – Updated: 2026-05-18 09:31Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601
{
"affected": [],
"aliases": [
"CVE-2026-6342"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-18T08:16:14Z",
"severity": "MODERATE"
},
"details": "Mattermost Plugins versions \u003c=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601",
"id": "GHSA-x3f7-3cx7-2cw7",
"modified": "2026-05-18T09:31:48Z",
"published": "2026-05-18T09:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6342"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.