CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5494 vulnerabilities reference this CWE, most recent first.
CVE-2026-55189 (GCVE-0-2026-55189)
Vulnerability from cvelistv5 – Published: 2026-06-26 19:59 – Updated: 2026-06-29 15:20| URL | Tags |
|---|---|
| https://github.com/rustfs/rustfs/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T15:03:31.819221Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T15:20:13.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-3g29-xff2-92vp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rustfs",
"vendor": "rustfs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0-alpha.1, \u003c= 1.0.0-beta.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener \u2014 including a user whose IAM policy contains an explicit Deny on s3:GetObject \u2014 can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T19:59:13.870Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-3g29-xff2-92vp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-3g29-xff2-92vp"
}
],
"source": {
"advisory": "GHSA-3g29-xff2-92vp",
"discovery": "UNKNOWN"
},
"title": "RustFS: FTP frontend skips IAM authorization on object reads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55189",
"datePublished": "2026-06-26T19:59:13.870Z",
"dateReserved": "2026-06-16T15:20:43.086Z",
"dateUpdated": "2026-06-29T15:20:13.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55188 (GCVE-0-2026-55188)
Vulnerability from cvelistv5 – Published: 2026-06-26 20:03 – Updated: 2026-06-27 03:11| URL | Tags |
|---|---|
| https://github.com/rustfs/rustfs/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55188",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-27T03:08:06.306843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T03:11:05.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-796f-j7xp-hwf4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rustfs",
"vendor": "rustfs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0-alpha.1, \u003c= 1.0.0-beta.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T20:03:52.699Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-796f-j7xp-hwf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-796f-j7xp-hwf4"
}
],
"source": {
"advisory": "GHSA-796f-j7xp-hwf4",
"discovery": "UNKNOWN"
},
"title": "RustFS: ListRemoteTargetHandler authorization bypass leaks replication target credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55188",
"datePublished": "2026-06-26T20:03:52.699Z",
"dateReserved": "2026-06-16T15:20:43.086Z",
"dateUpdated": "2026-06-27T03:11:05.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54998 (GCVE-0-2026-54998)
Vulnerability from cvelistv5 – Published: 2026-07-02 22:18 – Updated: 2026-07-14 19:36 Exclusively Hosted Service- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Exchange Online |
Affected:
-
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T03:55:35.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Microsoft Exchange Online",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:exchange_online:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-07-02T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:36:26.027Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Exchange Online Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54998"
}
],
"tags": [
"exclusively-hosted-service"
],
"title": "Microsoft Exchange Online Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-54998",
"datePublished": "2026-07-02T22:18:58.222Z",
"dateReserved": "2026-06-16T14:10:05.869Z",
"dateUpdated": "2026-07-14T19:36:26.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54803 (GCVE-0-2026-54803)
Vulnerability from cvelistv5 – Published: 2026-06-17 09:51 – Updated: 2026-06-17 14:48- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| Cozy Vision Technologies Pvt. Ltd. | SMS Alert Order Notifications |
Affected:
n/a , ≤ 3.9.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T14:48:25.957306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:48:45.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "sms-alert",
"product": "SMS Alert Order Notifications",
"vendor": "Cozy Vision Technologies Pvt. Ltd.",
"versions": [
{
"changes": [
{
"at": "3.9.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Peng Zhou | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subscriber Privilege Escalation in SMS Alert Order Notifications \u003c= 3.9.4 versions."
}
],
"value": "Subscriber Privilege Escalation in SMS Alert Order Notifications \u003c= 3.9.4 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:51:42.664Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-9-4-privilege-escalation-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress SMS Alert Order Notifications Plugin to the latest available version (at least 3.9.5)."
}
],
"value": "Update the WordPress SMS Alert Order Notifications Plugin to the latest available version (at least 3.9.5)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress SMS Alert Order Notifications plugin \u003c= 3.9.4 - Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-54803",
"datePublished": "2026-06-17T09:51:42.664Z",
"dateReserved": "2026-06-16T09:21:34.477Z",
"dateUpdated": "2026-06-17T14:48:45.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54765 (GCVE-0-2026-54765)
Vulnerability from cvelistv5 – Published: 2026-07-06 20:27 – Updated: 2026-07-07 14:19| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/pull/13367 | x_refsource_MISC |
| https://github.com/traefik/traefik/commit/8aada7a… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T14:18:17.134061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:19:07.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik\u0027s Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route\u0027s filter set to all requests reaching that backend. In Gateway deployments where backendRef filters set security-sensitive headers, such as tenant identity, authorization context, or values the backend trusts, an attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route\u0027s filter context to be applied to another route\u0027s requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting. This issue is fixed in version v3.7.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:27:32.803Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-6p8f-p8j2-rqmv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-6p8f-p8j2-rqmv"
},
{
"name": "https://github.com/traefik/traefik/pull/13367",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/pull/13367"
},
{
"name": "https://github.com/traefik/traefik/commit/8aada7a7d52e4588a75386d8b86d270f6fe8d549",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/commit/8aada7a7d52e4588a75386d8b86d270f6fe8d549"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.6"
}
],
"source": {
"advisory": "GHSA-6p8f-p8j2-rqmv",
"discovery": "UNKNOWN"
},
"title": "Traefik: Gateway HTTPRoute backendRef filters can leak backend context across routes sharing a Service:port"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54765",
"datePublished": "2026-07-06T20:27:32.803Z",
"dateReserved": "2026-06-15T23:12:41.966Z",
"dateUpdated": "2026-07-07T14:19:07.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54761 (GCVE-0-2026-54761)
Vulnerability from cvelistv5 – Published: 2026-06-23 19:15 – Updated: 2026-06-25 12:45| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.6.21 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:45:14.367141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:45:24.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.21"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik\u0027s Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route\u0027s own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:15:38.410Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.21"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.5"
}
],
"source": {
"advisory": "GHSA-3g6v-2r68-prfc",
"discovery": "UNKNOWN"
},
"title": "Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54761",
"datePublished": "2026-06-23T19:15:38.410Z",
"dateReserved": "2026-06-15T23:12:41.966Z",
"dateUpdated": "2026-06-25T12:45:24.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54698 (GCVE-0-2026-54698)
Vulnerability from cvelistv5 – Published: 2026-07-07 21:29 – Updated: 2026-07-08 13:02- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/hasura/graphql-engine/security… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| hasura | graphql-engine |
Affected:
>= 2.46.0, < 2.49.2
Affected: >= 2.45.0, < 2.45.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:01:48.684963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:02:17.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "graphql-engine",
"vendor": "hasura",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.46.0, \u003c 2.49.2"
},
{
"status": "affected",
"version": "\u003e= 2.45.0, \u003c 2.45.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table\u0027s row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T21:29:23.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh"
}
],
"source": {
"advisory": "GHSA-r27x-gc74-qmxh",
"discovery": "UNKNOWN"
},
"title": "Hasura: Row-level authorization bypass on table computed fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54698",
"datePublished": "2026-07-07T21:29:23.595Z",
"dateReserved": "2026-06-15T22:58:06.562Z",
"dateUpdated": "2026-07-08T13:02:17.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54652 (GCVE-0-2026-54652)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:52 – Updated: 2026-07-08 15:20| URL | Tags |
|---|---|
| https://github.com/blakeblackshear/frigate/securi… | x_refsource_CONFIRM |
| https://github.com/blakeblackshear/frigate/commit… | x_refsource_MISC |
| https://github.com/blakeblackshear/frigate/commit… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| blakeblackshear | frigate |
Affected:
<= 0.17.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54652",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:20:07.339673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:20:23.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frigate",
"vendor": "blakeblackshear",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598: Use of GET Request Method With Sensitive Query Strings",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:52:42.752Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55"
},
{
"name": "https://github.com/blakeblackshear/frigate/commit/68e8afd35c76f05f68de47ee9588d2c91796de4b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeblackshear/frigate/commit/68e8afd35c76f05f68de47ee9588d2c91796de4b"
},
{
"name": "https://github.com/blakeblackshear/frigate/commit/bd1fc1cc72cd4fa371464a087cbf3d7f3142edc6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeblackshear/frigate/commit/bd1fc1cc72cd4fa371464a087cbf3d7f3142edc6"
}
],
"source": {
"advisory": "GHSA-c4qf-xxq4-vf55",
"discovery": "UNKNOWN"
},
"title": "Frigate viewer can read logs exposing admin and camera credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54652",
"datePublished": "2026-07-08T14:52:42.752Z",
"dateReserved": "2026-06-15T20:16:46.199Z",
"dateUpdated": "2026-07-08T15:20:23.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54573 (GCVE-0-2026-54573)
Vulnerability from cvelistv5 – Published: 2026-06-25 15:59 – Updated: 2026-06-26 18:42- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/outline/outline/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54573",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:50:47.158963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:42:57.082Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "outline",
"vendor": "outline",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa\u0027s router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:59:35.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/outline/outline/security/advisories/GHSA-5x79-rj4g-qrh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/outline/outline/security/advisories/GHSA-5x79-rj4g-qrh8"
}
],
"source": {
"advisory": "GHSA-5x79-rj4g-qrh8",
"discovery": "UNKNOWN"
},
"title": "Authorization Bypass in API Key/OAuth Scopes via Path Parsing Discrepancy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54573",
"datePublished": "2026-06-25T15:59:35.297Z",
"dateReserved": "2026-06-15T19:15:27.343Z",
"dateUpdated": "2026-06-26T18:42:57.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54563 (GCVE-0-2026-54563)
Vulnerability from cvelistv5 – Published: 2026-07-15 14:38 – Updated: 2026-07-15 14:38- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/cloudreve/cloudreve/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "cloudreve",
"vendor": "cloudreve",
"versions": [
{
"status": "affected",
"version": "\u003c 4.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, a Cloudreve WebDAV account rooted at a configured folder can send paths such as /dav/%2e%2e/outside.txt because stripPrefix in pkg/webdav/webdav.go joins the decoded request suffix to the account root with fs.URI.JoinRaw without checking containment, allowing the scoped credential to read and list files outside the configured folder and writable credentials to create, overwrite, move, or delete them. This issue is reported as fixed in version 4.16.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:38:54.129Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cloudreve/cloudreve/security/advisories/GHSA-w5fv-7x5q-g8qp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cloudreve/cloudreve/security/advisories/GHSA-w5fv-7x5q-g8qp"
}
],
"source": {
"advisory": "GHSA-w5fv-7x5q-g8qp",
"discovery": "UNKNOWN"
},
"title": "Cloudreve: Path Traversal / Broken Access Control in Cloudreve WebDAV (`/dav`) \u2014 scoped DAV credential escapes its configured account root"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54563",
"datePublished": "2026-07-15T14:38:54.129Z",
"dateReserved": "2026-06-15T19:04:14.457Z",
"dateUpdated": "2026-07-15T14:38:54.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.