CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3245 vulnerabilities reference this CWE, most recent first.
GHSA-28H7-PR55-9W57
Vulnerability from github – Published: 2026-01-22 15:31 – Updated: 2026-06-05 09:33Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025.
{
"affected": [],
"aliases": [
"CVE-2025-10855"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T13:16:03Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025.",
"id": "GHSA-28h7-pr55-9w57",
"modified": "2026-06-05T09:33:45Z",
"published": "2026-01-22T15:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10855"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0003"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-28JM-43F2-H9JM
Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-10-08 18:30Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to the dates of the current contract details using unauthorised internal identifiers.
{
"affected": [],
"aliases": [
"CVE-2025-41096"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T11:37:40Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to\u00a0access to the dates of the current contract details using unauthorised internal identifiers.",
"id": "GHSA-28jm-43f2-h9jm",
"modified": "2025-10-08T18:30:15Z",
"published": "2025-09-30T12:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41096"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-28VM-3VP8-H5JP
Vulnerability from github – Published: 2025-11-30 03:30 – Updated: 2025-11-30 03:30The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options.
{
"affected": [],
"aliases": [
"CVE-2025-13615"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-30T02:15:58Z",
"severity": "CRITICAL"
},
"details": "The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the \u0027registration password fields\u0027 enabled in theme options.",
"id": "GHSA-28vm-3vp8-h5jp",
"modified": "2025-11-30T03:30:26Z",
"published": "2025-11-30T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13615"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-296F-CX2X-G274
Vulnerability from github – Published: 2025-02-26 21:30 – Updated: 2025-03-05 00:30SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model.
{
"affected": [],
"aliases": [
"CVE-2024-50693"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T21:15:17Z",
"severity": "CRITICAL"
},
"details": "SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model.",
"id": "GHSA-296f-cx2x-g274",
"modified": "2025-03-05T00:30:33Z",
"published": "2025-02-26T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50693"
},
{
"type": "WEB",
"url": "https://en.sungrowpower.com/security-notice-detail-2/6120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-297F-R9W7-W492
Vulnerability from github – Published: 2022-10-20 19:00 – Updated: 2024-04-23 17:24Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the V1/customers/me endpoint to achieve information exposure and privilege escalation.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.7-p4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3-p3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.4"
},
{
"fixed": "2.4.5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.4"
]
}
],
"aliases": [
"CVE-2022-42344"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T17:24:33Z",
"nvd_published_at": "2022-10-20T17:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.",
"id": "GHSA-297f-r9w7-w492",
"modified": "2024-04-23T17:24:33Z",
"published": "2022-10-20T19:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42344"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb22-38.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Magento Improper input validation vulnerability"
}
GHSA-29G9-48V7-9R7C
Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2024-11-01 15:31Authorization Bypass Through User-Controlled Key vulnerability in Paid Memberships Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Paid Memberships Pro: from n/a through 3.0.4.
{
"affected": [],
"aliases": [
"CVE-2024-37277"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T15:15:23Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Paid Memberships Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Paid Memberships Pro: from n/a through 3.0.4.",
"id": "GHSA-29g9-48v7-9r7c",
"modified": "2024-11-01T15:31:57Z",
"published": "2024-11-01T15:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37277"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/paid-memberships-pro/wordpress-paid-memberships-pro-plugin-3-0-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-29JV-JJ9X-V452
Vulnerability from github – Published: 2026-03-02 12:30 – Updated: 2026-03-09 15:30The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users.
{
"affected": [],
"aliases": [
"CVE-2025-58402"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-02T12:16:01Z",
"severity": "HIGH"
},
"details": "The CGM CLININET application uses direct, sequential object identifiers \"MessageID\" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users.",
"id": "GHSA-29jv-jj9x-v452",
"modified": "2026-03-09T15:30:32Z",
"published": "2026-03-02T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58402"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2026/03/CVE-2025-10350"
},
{
"type": "WEB",
"url": "https://www.cgm.com/pol_pl/products/szpital/cgm-clininet.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-29QM-PMXX-2P86
Vulnerability from github – Published: 2026-04-22 00:31 – Updated: 2026-04-29 12:33An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
{
"affected": [],
"aliases": [
"CVE-2026-5845"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T23:16:22Z",
"severity": "HIGH"
},
"details": "An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.",
"id": "GHSA-29qm-pmxx-2p86",
"modified": "2026-04-29T12:33:07Z",
"published": "2026-04-22T00:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5845"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-29R8-GVX4-R9W3
Vulnerability from github – Published: 2026-03-17 09:31 – Updated: 2026-04-27 16:45The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ralffreit/mfa-email"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "ralffreit/mfa-email"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.0"
]
}
],
"aliases": [
"CVE-2026-4208"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T16:17:23Z",
"nvd_published_at": "2026-03-17T09:16:14Z",
"severity": "HIGH"
},
"details": "The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.",
"id": "GHSA-29r8-gvx4-r9w3",
"modified": "2026-04-27T16:45:42Z",
"published": "2026-03-17T09:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4208"
},
{
"type": "WEB",
"url": "https://github.com/MrSilaz/mfa_email/commit/0bb7e85b236a5232f7b092915453dd7c3da48f12"
},
{
"type": "PACKAGE",
"url": "https://github.com/MrSilaz/mfa_email"
},
{
"type": "WEB",
"url": "https://github.com/MrSilaz/mfa_email/releases/tag/v1.0.7"
},
{
"type": "WEB",
"url": "https://github.com/MrSilaz/mfa_email/releases/tag/v2.0.1"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Authentication Bypass in extension \"E-Mail MFA Provider\" (mfa_email)"
}
GHSA-29VX-66RC-RCVQ
Vulnerability from github – Published: 2026-07-17 09:31 – Updated: 2026-07-17 15:32The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.
{
"affected": [],
"aliases": [
"CVE-2026-12393"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-17T07:16:38Z",
"severity": "MODERATE"
},
"details": "The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers\u0027 booking orders.",
"id": "GHSA-29vx-66rc-rcvq",
"modified": "2026-07-17T15:32:27Z",
"published": "2026-07-17T09:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12393"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/e2088a99-cde1-4c67-91c7-ddb60da11985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.