CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CVE-2026-39957 (GCVE-0-2026-39957)
Vulnerability from cvelistv5 – Published: 2026-04-09 16:14 – Updated: 2026-04-09 19:08
VLAI
Title
Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users
Summary
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/LycheeOrg/Lychee/security/advi… | x_refsource_CONFIRM |
| https://github.com/LycheeOrg/Lychee/pull/4264 | x_refsource_MISC |
| https://github.com/LycheeOrg/Lychee/commit/76a3f0… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39957",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T19:07:36.218379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T19:08:20.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Lychee",
"vendor": "LycheeOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull(\u0027user_group_id\u0027) clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:14:56.133Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-4v4c-g2jv-4g25",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-4v4c-g2jv-4g25"
},
{
"name": "https://github.com/LycheeOrg/Lychee/pull/4264",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LycheeOrg/Lychee/pull/4264"
},
{
"name": "https://github.com/LycheeOrg/Lychee/commit/76a3f0513eca6458bf7f8c337c1ad65e59b22bcb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LycheeOrg/Lychee/commit/76a3f0513eca6458bf7f8c337c1ad65e59b22bcb"
}
],
"source": {
"advisory": "GHSA-4v4c-g2jv-4g25",
"discovery": "UNKNOWN"
},
"title": "Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39957",
"datePublished": "2026-04-09T16:14:56.133Z",
"dateReserved": "2026-04-07T22:40:33.822Z",
"dateUpdated": "2026-04-09T19:08:20.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39966 (GCVE-0-2026-39966)
Vulnerability from cvelistv5 – Published: 2026-05-22 18:12 – Updated: 2026-05-22 19:08
VLAI
Title
TypeBot: Async filter() bypasses authorization, allowing IDOR in getLinkedTypebots and leaking cross-workspace bot definitions
Summary
TypeBot is a chatbot builder tool. In versions 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, regardless of workspace ownership, leading to IDOR. The authorization check uses Array.filter() with an async callback — since filter() is synchronous, the callback always returns a truthy Promise, so the access control predicate is never actually evaluated. Any authenticated Typebot user can read the full definition of any other workspace's private bots, including: all conversation blocks and logic flow, variable values embedded in the bot (credentials, API keys, PII), webhook URLs and integration configurations. This issue has been fixed in version 3.16.0.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/baptisteArno/typebot.io/securi… | x_refsource_CONFIRM |
| https://github.com/baptisteArno/typebot.io/commit… | x_refsource_MISC |
| https://github.com/baptisteArno/typebot.io/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| baptisteArno | typebot.io |
Affected:
< 3.16.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39966",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T19:03:43.970750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:08:27.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-3fr5-999r-84qj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "typebot.io",
"vendor": "baptisteArno",
"versions": [
{
"status": "affected",
"version": "\u003c 3.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TypeBot is a chatbot builder tool. In versions 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, regardless of workspace ownership, leading to IDOR. The authorization check uses Array.filter() with an async callback \u2014 since filter() is synchronous, the callback always returns a truthy Promise, so the access control predicate is never actually evaluated. Any authenticated Typebot user can read the full definition of any other workspace\u0027s private bots, including: all conversation blocks and logic flow, variable values embedded in the bot (credentials, API keys, PII), webhook URLs and integration configurations. This issue has been fixed in version 3.16.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T18:12:32.461Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-3fr5-999r-84qj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-3fr5-999r-84qj"
},
{
"name": "https://github.com/baptisteArno/typebot.io/commit/b9530a089b43bfa6e79e3ff9cbfab921ce832f45",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/baptisteArno/typebot.io/commit/b9530a089b43bfa6e79e3ff9cbfab921ce832f45"
},
{
"name": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0"
}
],
"source": {
"advisory": "GHSA-3fr5-999r-84qj",
"discovery": "UNKNOWN"
},
"title": "TypeBot: Async filter() bypasses authorization, allowing IDOR in getLinkedTypebots and leaking cross-workspace bot definitions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39966",
"datePublished": "2026-05-22T18:12:32.461Z",
"dateReserved": "2026-04-08T00:01:47.627Z",
"dateUpdated": "2026-05-22T19:08:27.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40071 (GCVE-0-2026-40071)
Vulnerability from cvelistv5 – Published: 2026-04-09 17:36 – Updated: 2026-04-10 14:09
VLAI
Title
pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions
Summary
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pyload/pyload/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40071",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T14:09:08.811272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T14:09:11.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad\u0027s own permission model. This vulnerability is fixed in 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T17:36:24.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm"
}
],
"source": {
"advisory": "GHSA-rfgh-63mg-8pwm",
"discovery": "UNKNOWN"
},
"title": "pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40071",
"datePublished": "2026-04-09T17:36:24.837Z",
"dateReserved": "2026-04-09T00:39:12.204Z",
"dateUpdated": "2026-04-10T14:09:11.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40099 (GCVE-0-2026-40099)
Vulnerability from cvelistv5 – Published: 2026-04-24 00:34 – Updated: 2026-04-25 01:41
VLAI
Title
Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
Summary
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/getkirby/kirby/security/adviso… | x_refsource_CONFIRM |
| https://github.com/getkirby/kirby/releases/tag/4.9.0 | x_refsource_MISC |
| https://github.com/getkirby/kirby/releases/tag/5.4.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40099",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-25T01:41:45.982848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T01:41:56.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kirby",
"vendor": "getkirby",
"versions": [
{
"status": "affected",
"version": "\u003c 4.9.0"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kirby is an open-source content management system. Kirby\u0027s user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn\u0027t take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T00:34:02.125Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
}
],
"source": {
"advisory": "GHSA-w942-j9r6-hr6r",
"discovery": "UNKNOWN"
},
"title": "Kirby\u0027s page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40099",
"datePublished": "2026-04-24T00:34:02.125Z",
"dateReserved": "2026-04-09T01:41:38.536Z",
"dateUpdated": "2026-04-25T01:41:56.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40155 (GCVE-0-2026-40155)
Vulnerability from cvelistv5 – Published: 2026-04-17 20:54 – Updated: 2026-04-20 14:57
VLAI
Title
Auth0 Next.js SDK has Improper Proxy Cache Lookup
Summary
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/auth0/nextjs-auth0/security/ad… | x_refsource_CONFIRM |
| https://github.com/auth0/nextjs-auth0/commit/98c3… | x_refsource_MISC |
| https://github.com/auth0/nextjs-auth0/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| auth0 | nextjs-auth0 |
Affected:
>= 4.12.0, < 4.18.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:51:32.552302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:57:32.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nextjs-auth0",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.12.0, \u003c 4.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T20:54:38.958Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6"
},
{
"name": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978"
},
{
"name": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0"
}
],
"source": {
"advisory": "GHSA-xq8m-7c5p-c2r6",
"discovery": "UNKNOWN"
},
"title": "Auth0 Next.js SDK has Improper Proxy Cache Lookup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40155",
"datePublished": "2026-04-17T20:54:38.958Z",
"dateReserved": "2026-04-09T19:31:56.013Z",
"dateUpdated": "2026-04-20T14:57:32.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40166 (GCVE-0-2026-40166)
Vulnerability from cvelistv5 – Published: 2026-05-22 18:52 – Updated: 2026-05-26 18:47
VLAI
Title
authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
Summary
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/goauthentik/authentik/security… | x_refsource_CONFIRM |
| https://github.com/goauthentik/authentik/releases… | x_refsource_MISC |
| https://github.com/goauthentik/authentik/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| goauthentik | authentik |
Affected:
< 2025.12.5
Affected: >= 2026.2.0-rc1, < 2026.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T18:47:45.180359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T18:47:57.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "authentik",
"vendor": "goauthentik",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.12.5"
},
{
"status": "affected",
"version": "\u003e= 2026.2.0-rc1, \u003c 2026.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T18:52:46.650Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4"
},
{
"name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5"
},
{
"name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3"
}
],
"source": {
"advisory": "GHSA-hhpc-rqgm-pxj4",
"discovery": "UNKNOWN"
},
"title": "authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40166",
"datePublished": "2026-05-22T18:52:46.650Z",
"dateReserved": "2026-04-09T19:31:56.014Z",
"dateUpdated": "2026-05-26T18:47:57.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40191 (GCVE-0-2026-40191)
Vulnerability from cvelistv5 – Published: 2026-04-10 20:19 – Updated: 2026-04-15 15:12
VLAI
Title
ClearanceKit has a policy bypass via dual-path Endpoint Security events checking only source path
Summary
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/craigjbass/clearancekit/securi… | x_refsource_CONFIRM |
| https://github.com/craigjbass/clearancekit/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| craigjbass | clearancekit |
Affected:
< 5.0.4-beta-1f46165
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T15:10:53.252092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:12:11.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "clearancekit",
"vendor": "craigjbass",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.4-beta-1f46165"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit\u0027s Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T20:19:35.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-92f3-38m7-579h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-92f3-38m7-579h"
},
{
"name": "https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165"
}
],
"source": {
"advisory": "GHSA-92f3-38m7-579h",
"discovery": "UNKNOWN"
},
"title": "ClearanceKit has a policy bypass via dual-path Endpoint Security events checking only source path"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40191",
"datePublished": "2026-04-10T20:19:35.909Z",
"dateReserved": "2026-04-09T20:59:17.620Z",
"dateUpdated": "2026-04-15T15:12:11.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40213 (GCVE-0-2026-40213)
Vulnerability from cvelistv5 – Published: 2026-05-07 00:00 – Updated: 2026-05-08 15:47
VLAI
Summary
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T13:55:42.638626Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:55:55.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cyborg",
"vendor": "OpenStack",
"versions": [
{
"lessThan": "14.0.1",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
},
{
"lessThan": "15.0.1",
"status": "affected",
"version": "15.0.0",
"versionType": "semver"
},
{
"lessThan": "16.0.1",
"status": "affected",
"version": "16.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenStack Cyborg before 16.0.1 uses rule:allow (check_str=\u0027@\u0027) as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T15:47:07.733Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.launchpad.net/openstack-cyborg/+bug/2143263"
},
{
"url": "https://www.openwall.com/lists/oss-security/2026/05/07/6"
},
{
"url": "https://security.openstack.org/ossa/OSSA-2026-011.html"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-40213",
"datePublished": "2026-05-07T00:00:00.000Z",
"dateReserved": "2026-04-10T00:00:00.000Z",
"dateUpdated": "2026-05-08T15:47:07.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40224 (GCVE-0-2026-40224)
Vulnerability from cvelistv5 – Published: 2026-04-10 15:14 – Updated: 2026-04-10 18:13
VLAI
Summary
In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T18:12:38.526078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:13:05.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "systemd",
"vendor": "systemd",
"versions": [
{
"lessThan": "260",
"status": "affected",
"version": "259",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T15:33:17.159Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/systemd/systemd/security/advisories/GHSA-6pwp-j5vg-5j6m"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-40224",
"datePublished": "2026-04-10T15:14:21.904Z",
"dateReserved": "2026-04-10T15:14:21.394Z",
"dateUpdated": "2026-04-10T18:13:05.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40291 (GCVE-0-2026-40291)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:37 – Updated: 2026-04-15 14:24
VLAI
Title
Chamilo LMS has Privilege Escalation via API User Role Modification
Summary
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/chamilo/chamilo-lms/security/a… | x_refsource_CONFIRM |
| https://github.com/chamilo/chamilo-lms/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:24:20.523815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:24:29.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted(\u0027EDIT\u0027, object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:37:55.490Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-7phx-w897-4c9x",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has Privilege Escalation via API User Role Modification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40291",
"datePublished": "2026-04-14T21:37:55.490Z",
"dateReserved": "2026-04-10T20:22:44.035Z",
"dateUpdated": "2026-04-15T14:24:29.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.