CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3251 vulnerabilities reference this CWE, most recent first.
GHSA-23M2-3G75-JVC8
Vulnerability from github – Published: 2026-04-16 15:31 – Updated: 2026-04-16 15:31The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").
{
"affected": [],
"aliases": [
"CVE-2026-4160"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T14:16:18Z",
"severity": "MODERATE"
},
"details": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the \u0027submission_id\u0027 parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to \"failed\").",
"id": "GHSA-23m2-3g75-jvc8",
"modified": "2026-04-16T15:31:32Z",
"published": "2026-04-16T15:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4160"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3496638/fluentform"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb848244b3?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23M9-RR4P-XPWH
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-14 21:30Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions.
{
"affected": [],
"aliases": [
"CVE-2026-8629"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T20:17:21Z",
"severity": "HIGH"
},
"details": "Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions.",
"id": "GHSA-23m9-rr4p-xpwh",
"modified": "2026-05-14T21:30:47Z",
"published": "2026-05-14T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8629"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/crabbox/pull/71"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/crabbox/commit/95cb30dc7dbaa1fef690a42ef6ac1cb6e307a191"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/crabbox/releases/tag/v0.12.0"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/crabbox-privilege-escalation-via-agent-ticket-endpoints"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-23PM-FV72-XCR5
Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2026-04-01 18:34Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4.
{
"affected": [],
"aliases": [
"CVE-2025-39434"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T16:15:53Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4.",
"id": "GHSA-23pm-fv72-xcr5",
"modified": "2026-04-01T18:34:52Z",
"published": "2025-04-17T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39434"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/avatar/vulnerability/wordpress-avatar-plugin-0-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23XF-GC3R-V6RR
Vulnerability from github – Published: 2023-07-11 00:33 – Updated: 2024-04-04 05:54A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.
{
"affected": [],
"aliases": [
"CVE-2023-30956"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T22:15:09Z",
"severity": "MODERATE"
},
"details": "A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.\n",
"id": "GHSA-23xf-gc3r-v6rr",
"modified": "2024-04-04T05:54:15Z",
"published": "2023-07-11T00:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30956"
},
{
"type": "WEB",
"url": "https://palantir.safebase.us/?tcuUid=40367943-738c-4e69-b852-4a503c77478a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2439-66F5-GJJR
Vulnerability from github – Published: 2024-08-19 00:31 – Updated: 2026-04-01 18:31Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4.
{
"affected": [],
"aliases": [
"CVE-2024-43239"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-18T22:15:08Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4.",
"id": "GHSA-2439-66f5-gjjr",
"modified": "2026-04-01T18:31:53Z",
"published": "2024-08-19T00:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43239"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/learning-management-system/vulnerability/wordpress-masteriyo-lms-plugin-1-11-4-insecure-direct-object-reference-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/learning-management-system/wordpress-masteriyo-lms-plugin-1-11-4-insecure-direct-object-reference-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-243R-XRW9-VFHW
Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1.
{
"affected": [],
"aliases": [
"CVE-2023-35876"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-20T15:15:08Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1.",
"id": "GHSA-243r-xrw9-vfhw",
"modified": "2026-04-28T21:33:28Z",
"published": "2023-12-20T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35876"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/woocommerce-square/wordpress-woocommerce-square-plugin-3-8-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-246P-XMG8-WMCQ
Vulnerability from github – Published: 2024-03-25 19:37 – Updated: 2024-03-25 19:37Summary
A security vulnerability exists in oneuptime's local storage handling, where a regular user can escalate privileges by modifying the is_master_admin key to true. This allows unauthorized access to administrative functionalities.
Details
The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation.
POC
(I am using Firefox Developer to demonstrate this vulnerability)
Log in as a normal user. Open developer tools (hit F12), click Storage, then Local Storage. Modify the is_master_admin key from false to true.
Impact
This vulnerability represents a high security risk as it allows any authenticated user to gain administrative privileges through client-side manipulation. Most of the admin previlages were disabled except the user list. Where an attacker could see all the list of users who signed up to OneUptome.
Patch
This has been patched in 7.0.1815
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@oneuptime/model"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.1815"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@oneuptime/common-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.1815"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29194"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-25T19:37:27Z",
"nvd_published_at": "2024-03-24T19:15:07Z",
"severity": "HIGH"
},
"details": "## Summary\nA security vulnerability exists in oneuptime\u0027s local storage handling, where a regular user can escalate privileges by modifying the `is_master_admin` key to `true`. This allows unauthorized access to administrative functionalities.\n\n## Details\nThe vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the `is_master_admin` key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. \n\n## POC\n(I am using Firefox Developer to demonstrate this vulnerability)\nLog in as a normal user. Open developer tools (hit F12), click Storage, then Local Storage. Modify the `is_master_admin` key from `false` to `true`.\n\n## Impact\nThis vulnerability represents a high security risk as it allows any authenticated user to gain administrative privileges through client-side manipulation. Most of the admin previlages were disabled except the user list. Where an attacker could see all the list of users who signed up to OneUptome. \n\n\n## Patch\nThis has been patched in 7.0.1815",
"id": "GHSA-246p-xmg8-wmcq",
"modified": "2024-03-25T19:37:27Z",
"published": "2024-03-25T19:37:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-246p-xmg8-wmcq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29194"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/commit/14016d23d834038dd65d3a96cf71af04b556a32c"
},
{
"type": "PACKAGE",
"url": "https://github.com/OneUptime/oneuptime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation"
}
GHSA-256M-J5QW-38F4
Vulnerability from github – Published: 2023-08-25 18:41 – Updated: 2023-08-25 18:41Impact
An IDOR vulnerability was found in the user update function. By specifying another user's username it is possible to update the other user's password.
Patches
Issue is patched in 0.17.1, and fixed in 0.18.6+.
If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users
If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.
Workarounds
If using 0.17.1, can just pull the latest docker image of backend and restart server.
References
Credit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gravitl/netmaker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/gravitl/netmaker"
},
"ranges": [
{
"events": [
{
"introduced": "0.18.0"
},
{
"fixed": "0.18.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32078"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-25T18:41:16Z",
"nvd_published_at": "2023-08-24T22:15:10Z",
"severity": "HIGH"
},
"details": "### Impact\nAn IDOR vulnerability was found in the user update function. By specifying another user\u0027s username it is possible to update the other user\u0027s password.\n\n### Patches\nIssue is patched in 0.17.1, and fixed in 0.18.6+.\n\nIf Users are using 0.17.1, they should run \"docker pull gravitl/netmaker:v0.17.1\" and \"docker-compose up -d\". This will switch them to the patched users\n\nIf users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.\n\n### Workarounds\nIf using 0.17.1, can just pull the latest docker image of backend and restart server.\n\n### References\nCredit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery",
"id": "GHSA-256m-j5qw-38f4",
"modified": "2023-08-25T18:41:16Z",
"published": "2023-08-25T18:41:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32078"
},
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/pull/2158"
},
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839"
},
{
"type": "PACKAGE",
"url": "https://github.com/gravitl/netmaker"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Netmaker IDOR Allows User to Update Other User\u0027s Password"
}
GHSA-257P-QFC7-7FF5
Vulnerability from github – Published: 2024-01-29 15:30 – Updated: 2025-06-20 21:31The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information.
{
"affected": [],
"aliases": [
"CVE-2024-23747"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-29T14:15:09Z",
"severity": "HIGH"
},
"details": "The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system\u0027s handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information.",
"id": "GHSA-257p-qfc7-7ff5",
"modified": "2025-06-20T21:31:55Z",
"published": "2024-01-29T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23747"
},
{
"type": "WEB",
"url": "https://github.com/louiselalanne/CVE-2024-23747"
},
{
"type": "WEB",
"url": "https://modernasistemas.com.br/sitems"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-258V-VRH7-JGJ2
Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:05An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.
{
"affected": [],
"aliases": [
"CVE-2023-2190"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T02:15:09Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.",
"id": "GHSA-258v-vrh7-jgj2",
"modified": "2024-04-04T06:05:50Z",
"published": "2023-07-13T03:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2190"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1944500"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/408137"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.