Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3240 vulnerabilities reference this CWE, most recent first.

GHSA-2GW9-C2R2-F5QF

Vulnerability from github – Published: 2026-04-21 17:24 – Updated: 2026-06-09 10:52
VLAI
Summary
Neko has a Self-service Privilege Escalation for Authenticated Users
Details

Impact

Any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance.

Patches

The vulnerability has been patched in the following releases:

Users should upgrade to v3.0.11 or later (for the 3.0 branch) or v3.1.2 or later.

Workarounds

If upgrading is not immediately possible, the following mitigations can reduce risk:

  • Restrict access to trusted users only (avoid granting accounts to untrusted parties)
  • Run the instance only when needed; avoid leaving it continuously exposed
  • Disable or restrict access to the /api/profile endpoint if feasible
  • Monitor for suspicious privilege changes or unexpected administrative actions

Note: These are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.

Credits

Neko thanks @blitzkrieg-patch for responsibly disclosing this vulnerability and reaching out directly. This contribution helped strengthen the project, and the whole community benefits from it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/m1k1o/neko/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/m1k1o/neko/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20250322225643-212bf8a60756"
            },
            {
              "fixed": "0.0.0-20260406184107-c54bcf1ee211"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-269",
      "CWE-284",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T17:24:42Z",
    "nvd_published_at": "2026-04-21T01:16:06Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAny authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance.\n\n### Patches\n\nThe vulnerability has been patched in the following releases:\n\n- [v3.0.11](https://github.com/m1k1o/neko/releases/tag/v3.0.11) (backport release)\n- [v3.1.2](https://github.com/m1k1o/neko/releases/tag/v3.1.2) (latest stable release)\n\nUsers should upgrade to [v3.0.11](https://github.com/m1k1o/neko/releases/tag/v3.0.11) or later (for the 3.0 branch) or [v3.1.2](https://github.com/m1k1o/neko/releases/tag/v3.1.2) or later.\n\n### Workarounds\n\nIf upgrading is not immediately possible, the following mitigations can reduce risk:\n\n- Restrict access to trusted users only (avoid granting accounts to untrusted parties)\n- Run the instance only when needed; avoid leaving it continuously exposed\n- Disable or restrict access to the `/api/profile` endpoint if feasible\n- Monitor for suspicious privilege changes or unexpected administrative actions\n\nNote: These are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.\n\n### Credits\nNeko thanks @blitzkrieg-patch for responsibly disclosing this vulnerability and reaching out directly. This contribution helped strengthen the project, and the whole community benefits from it.",
  "id": "GHSA-2gw9-c2r2-f5qf",
  "modified": "2026-06-09T10:52:18Z",
  "published": "2026-04-21T17:24:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/commit/6b561feb9016badea99ae7305091c0ff55e1d114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/commit/c54bcf1ee211e28104a2bb6db59583a39c4a4d6e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/m1k1o/neko"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/releases/tag/v3.0.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/releases/tag/v3.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Neko has a Self-service Privilege Escalation for Authenticated Users"
}

GHSA-2GWW-FH48-P92F

Vulnerability from github – Published: 2025-12-24 21:30 – Updated: 2025-12-24 21:30
VLAI
Details

Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25235"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T20:15:51Z",
    "severity": "HIGH"
  },
  "details": "Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information.",
  "id": "GHSA-2gww-fh48-p92f",
  "modified": "2025-12-24T21:30:33Z",
  "published": "2025-12-24T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25235"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47595"
    },
    {
      "type": "WEB",
      "url": "https://www.smartwares.eu"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2H2F-FRXQ-R68W

Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31
VLAI
Details

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T18:16:39Z",
    "severity": "MODERATE"
  },
  "details": "PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users\u0027 profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user\u0027s profile details without authorization.",
  "id": "GHSA-2h2f-frxq-r68w",
  "modified": "2026-06-29T18:31:55Z",
  "published": "2026-06-29T18:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57945"
    },
    {
      "type": "WEB",
      "url": "https://github.com/photoprism/photoprism/issues/5619"
    },
    {
      "type": "WEB",
      "url": "https://github.com/photoprism/photoprism/releases/tag/260601-a7d098548"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/photoprism-unauthorized-user-profile-modification-via-put-api-v1-users-uid-endpoint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2HFJ-JV6Q-762V

Vulnerability from github – Published: 2025-10-13 18:31 – Updated: 2025-10-13 21:01
VLAI
Summary
Liferay Publications vulnerable to Authorization Bypass Through User-Controlled Key
Details

Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.change.tracking.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.122"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-13T21:01:46Z",
    "nvd_published_at": "2025-10-13T17:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the `_com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId` parameter.",
  "id": "GHSA-2hfj-jv6q-762v",
  "modified": "2025-10-13T21:01:46Z",
  "published": "2025-10-13T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62244"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/0a7a4233881d6fa29fba12695b916d885d76349f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/31cf99363bf615f4a3383ffcc78d800de3fa2465"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62244"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Publications vulnerable to Authorization Bypass Through User-Controlled Key"
}

GHSA-2HR5-CVWP-JR5W

Vulnerability from github – Published: 2024-12-20 18:31 – Updated: 2024-12-20 21:37
VLAI
Summary
Oqtane Framework Insecure Direct Object Reference vulnerability
Details

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Oqtane.Framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Oqtane.Client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Oqtane.Server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Oqtane.Shared"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-20T19:40:59Z",
    "nvd_published_at": "2024-12-20T16:15:23Z",
    "severity": "LOW"
  },
  "details": "An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.",
  "id": "GHSA-2hr5-cvwp-jr5w",
  "modified": "2024-12-20T21:37:23Z",
  "published": "2024-12-20T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55186"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oqtane/oqtane.framework/pull/4876/files"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/SmitShah1518/00de9ecc46c1a8e2b189185c9d92afb0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oqtane/oqtane.framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Oqtane Framework Insecure Direct Object Reference vulnerability"
}

GHSA-2JF4-QRJV-8CX6

Vulnerability from github – Published: 2024-01-31 12:30 – Updated: 2026-04-28 21:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in ali Forms Contact Form builder with drag & drop for WordPress – Kali Forms.This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-31T12:16:05Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in ali Forms Contact Form builder with drag \u0026 drop for WordPress \u2013 Kali Forms.This issue affects Contact Form builder with drag \u0026 drop for WordPress \u2013 Kali Forms: from n/a through 2.3.36.",
  "id": "GHSA-2jf4-qrjv-8cx6",
  "modified": "2026-04-28T21:33:51Z",
  "published": "2024-01-31T12:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22305"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/kali-forms/wordpress-kali-forms-plugin-2-3-38-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JFC-5XJV-8MV7

Vulnerability from github – Published: 2026-07-08 12:30 – Updated: 2026-07-08 12:30
VLAI
Details

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T12:17:20Z",
    "severity": "HIGH"
  },
  "details": "The WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the \u0027wcfmvm_membership_change\u0027 AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user\u0027s role to \u0027wcfm_vendor\u0027 by changing their membership plan.",
  "id": "GHSA-2jfc-5xjv-8mv7",
  "modified": "2026-07-08T12:30:24Z",
  "published": "2026-07-08T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3688"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3520777/wc-multivendor-membership"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a934ccd-9330-4585-9994-838940d24980?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2M3F-82CC-H56X

Vulnerability from github – Published: 2025-04-22 09:30 – Updated: 2025-04-22 09:30
VLAI
Details

An authorization bypass in Unblu Spark allows a participant of a conversation to replace an existing, uploaded file.

Every uploaded file in Unblu gets assigned with a randomly generated Universally Unique ID (UUID). In case a participant of this or another conversation gets access to such a file ID, it can be used to replace the file without changing the file name and details or the name of the user who uploaded the file. During the upload, file interception and allowed file type rules are still applied correctly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-22T09:15:15Z",
    "severity": "HIGH"
  },
  "details": "An authorization bypass\u00a0in\u00a0Unblu Spark allows a\u00a0participant of a conversation\u00a0to replace an existing, uploaded file.\n\nEvery uploaded file in Unblu gets assigned with a randomly generated Universally Unique ID (UUID). In case a participant of this or another conversation gets access to such a file ID, it can be used to replace the file without changing the file name and details or the name of the user who uploaded the file. During the upload, file interception and allowed file type rules are still applied correctly.",
  "id": "GHSA-2m3f-82cc-h56x",
  "modified": "2025-04-22T09:30:35Z",
  "published": "2025-04-22T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3519"
    },
    {
      "type": "WEB",
      "url": "https://www.unblu.com/en/docs/latest/security-bulletins/#UBL-2025-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2MH5-3CW6-HRRQ

Vulnerability from github – Published: 2026-05-07 06:31 – Updated: 2026-06-11 14:48
VLAI
Summary
Spring Cloud Config has an Authorization Bypass Through User-Controlled Key
Details

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "last_affected": "3.1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "last_affected": "4.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "last_affected": "4.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:19:03Z",
    "nvd_published_at": "2026-05-07T04:16:24Z",
    "severity": "HIGH"
  },
  "details": "When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects.\nSpring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.",
  "id": "GHSA-2mh5-3cw6-hrrq",
  "modified": "2026-06-11T14:48:18Z",
  "published": "2026-05-07T06:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40981"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-cloud/spring-cloud-config"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-40981"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Cloud Config has an Authorization Bypass Through User-Controlled Key "
}

GHSA-2MVX-F5QM-V2CH

Vulnerability from github – Published: 2026-04-16 21:34 – Updated: 2026-04-16 21:34
VLAI
Summary
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
Details

Summary

An unauthenticated Insecure Direct Object Reference (IDOR) and Denial of Service (DoS) vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events (including private or hidden ones) from any sub-site on a WordPress Multisite network. On standard Single Site WordPress installations, this same endpoint crashes the PHP worker thread, creating an unauthenticated Denial of Service (DoS) vector.

Details

The vulnerability stems from the mc_ajax_mcjs_action AJAX function, which handles the mcjs_action endpoint. This endpoint is explicitly registered for unauthenticated users:

<?php
// In my-calendar-ajax.php
add_action( 'wp_ajax_nopriv_mcjs_action', 'mc_ajax_mcjs_action' );

When the behavior parameter is set to loadupcoming, the plugin accepts an args parameter from the $_REQUEST array. Instead of validating specific expected arguments, the plugin unsafely passes the entire string into PHP's parse_str() function:

<?php
$request = isset( $_REQUEST['args'] ) ? wp_unslash( sanitize_text_field( $_REQUEST['args'] ) ) : array();
$request = str_replace( '|', '&', $request );
$request = parse_str( $request, $args );
// ...
$response = my_calendar_upcoming_events( $args );

This allows an attacker to inject arbitrary key-value pairs into the $args array. This array is then passed to the my_calendar_upcoming_events() function located in my-calendar-widgets.php.

At the beginning of this function, the plugin processes the attacker-controlled site argument:

<?php
// In my-calendar-widgets.php
if ( $args['site'] ) {
    $args['site'] = ( 'global' === $args['site'] ) ? BLOG_ID_CURRENT_SITE : $args['site'];
    switch_to_blog( $args['site'] );
}

The plugin blindly passes the attacker's supplied site ID into WordPress core's switch_to_blog() function without checking if the requesting user has the appropriate network-level privileges (e.g., Super Admin).

On Multisite configurations, the database context switches to the targeted sub-site, queries its events, and returns the HTML-rendered events array in the JSON response, leading to Information Disclosure across tenant boundaries. On Single Site configurations, the switch_to_blog() function does not exist in WordPress core. Calling it triggers an Uncaught PHP Error (Call to undefined function switch_to_blog()), resulting in a 500 Internal Server error ("Critical Error"). Repeated requests to this unauthenticated endpoint easily exhaust server resources.

PoC

1. Multisite Information Disclosure - IDOR

curl -s "http://<target-domain>/wp-admin/admin-ajax.php?action=mcjs_action&behavior=loadupcoming&args=site=2"

2. Single Site Denial of Service (DoS)

If the WordPress instance is not a Multisite, passing any truthy value to the site parameter will instantly crash the request thread:

curl -i -s "http://<target-domain>/wp-admin/admin-ajax.php?action=mcjs_action&behavior=loadupcoming&args=site=1"

Impact

Vulnerability Type: Insecure Direct Object Reference (IDOR) / Information Exposure / Denial of Service (DoS) Who is impacted: All sites running the "My Calendar" plugin.

Anonymous internet users can silently map the network and extract private, unpublished, or intranet-specific events from unlaunched/internal sub-sites. Standard Single Site users are vulnerable to an easy-to-execute application-layer DoS, as it costs an attacker negligible resources to constantly crash PHP worker threads at an unauthenticated endpoint.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "joedolson/my-calendar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:34:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAn unauthenticated Insecure Direct Object Reference (IDOR) and Denial of Service (DoS) vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events (including private or hidden ones) from any sub-site on a WordPress Multisite network. On standard Single Site WordPress installations, this same endpoint crashes the PHP worker thread, creating an unauthenticated Denial of Service (DoS) vector.\n\n### Details\n\nThe vulnerability stems from the `mc_ajax_mcjs_action AJAX` function, which handles the `mcjs_action` endpoint. This endpoint is explicitly registered for unauthenticated users:\n```php\n\u003c?php\n// In my-calendar-ajax.php\nadd_action( \u0027wp_ajax_nopriv_mcjs_action\u0027, \u0027mc_ajax_mcjs_action\u0027 );\n```\n\nWhen the behavior parameter is set to loadupcoming, the plugin accepts an args parameter from the $_REQUEST array. Instead of validating specific expected arguments, the plugin unsafely passes the entire string into PHP\u0027s parse_str() function:\n```php\n\u003c?php\n$request = isset( $_REQUEST[\u0027args\u0027] ) ? wp_unslash( sanitize_text_field( $_REQUEST[\u0027args\u0027] ) ) : array();\n$request = str_replace( \u0027|\u0027, \u0027\u0026\u0027, $request );\n$request = parse_str( $request, $args );\n// ...\n$response = my_calendar_upcoming_events( $args );\n```\n\nThis allows an attacker to inject arbitrary key-value pairs into the $args array. This array is then passed to the my_calendar_upcoming_events() function located in my-calendar-widgets.php.\n\nAt the beginning of this function, the plugin processes the attacker-controlled site argument:\n```php\n\u003c?php\n// In my-calendar-widgets.php\nif ( $args[\u0027site\u0027] ) {\n    $args[\u0027site\u0027] = ( \u0027global\u0027 === $args[\u0027site\u0027] ) ? BLOG_ID_CURRENT_SITE : $args[\u0027site\u0027];\n    switch_to_blog( $args[\u0027site\u0027] );\n}\n```\nThe plugin blindly passes the attacker\u0027s supplied site ID into WordPress core\u0027s `switch_to_blog()` function without checking if the requesting user has the appropriate network-level privileges (e.g., Super Admin).\n\nOn Multisite configurations, the database context switches to the targeted sub-site, queries its events, and returns the HTML-rendered events array in the JSON response, leading to Information Disclosure across tenant boundaries.\nOn Single Site configurations, the switch_to_blog() function does not exist in WordPress core. Calling it triggers an Uncaught PHP Error (Call to undefined function switch_to_blog()), resulting in a 500 Internal Server error (\"Critical Error\"). Repeated requests to this unauthenticated endpoint easily exhaust server resources.\n\n### PoC\n\n## 1. Multisite Information Disclosure - IDOR\n```\ncurl -s \"http://\u003ctarget-domain\u003e/wp-admin/admin-ajax.php?action=mcjs_action\u0026behavior=loadupcoming\u0026args=site=2\"\n```\n\n## 2.  Single Site Denial of Service (DoS)\nIf the WordPress instance is not a Multisite, passing any truthy value to the site parameter will instantly crash the request thread:\n```\ncurl -i -s \"http://\u003ctarget-domain\u003e/wp-admin/admin-ajax.php?action=mcjs_action\u0026behavior=loadupcoming\u0026args=site=1\"\n```\n\n### Impact\n\n**Vulnerability Type**: Insecure Direct Object Reference (IDOR) / Information Exposure / Denial of Service (DoS)\n**Who is impacted**: All sites running the \"My Calendar\" plugin.\n\nAnonymous internet users can silently map the network and extract private, unpublished, or intranet-specific events from unlaunched/internal sub-sites.\nStandard Single Site users are vulnerable to an easy-to-execute application-layer DoS, as it costs an attacker negligible resources to constantly crash PHP worker threads at an unauthenticated endpoint.",
  "id": "GHSA-2mvx-f5qm-v2ch",
  "modified": "2026-04-16T21:34:40Z",
  "published": "2026-04-16T21:34:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/joedolson/my-calendar"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.