CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3235 vulnerabilities reference this CWE, most recent first.
GHSA-35WF-3WQ2-R3HX
Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2023-03-13 19:15In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.11.0-beta"
},
{
"fixed": "3.11.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.10.0-beta"
},
{
"fixed": "3.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-36400"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-08T00:20:15Z",
"nvd_published_at": "2023-03-06T22:15:00Z",
"severity": "MODERATE"
},
"details": "In Moodle, insufficient capability checks made it possible to remove other users\u0027 calendar URL subscriptions.",
"id": "GHSA-35wf-3wq2-r3hx",
"modified": "2023-03-13T19:15:56Z",
"published": "2023-03-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36400"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=424806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle has Incorrect Default Permissions"
}
GHSA-35XW-38XF-5F44
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-02 00:01The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student
{
"affected": [],
"aliases": [
"CVE-2022-2080"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T18:15:00Z",
"severity": "MODERATE"
},
"details": "The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student",
"id": "GHSA-35xw-38xf-5f44",
"modified": "2022-09-02T00:01:15Z",
"published": "2022-08-29T20:06:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2080"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1592596"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/5395d196-a39a-4a58-913e-5b5b9d6123a5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3677-P5Q3-VX7H
Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-13 18:30Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.
{
"affected": [],
"aliases": [
"CVE-2026-39510"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T09:16:25Z",
"severity": "LOW"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through \u003c= 3.6.11.",
"id": "GHSA-3677-p5q3-vx7h",
"modified": "2026-04-13T18:30:38Z",
"published": "2026-04-08T09:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39510"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-36PF-7582-RQCR
Vulnerability from github – Published: 2026-07-16 12:32 – Updated: 2026-07-16 12:32HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user's authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without valid credentials.
{
"affected": [],
"aliases": [
"CVE-2026-35147"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-16T12:17:35Z",
"severity": "HIGH"
},
"details": "HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user\u0027s authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without valid credentials.",
"id": "GHSA-36pf-7582-rqcr",
"modified": "2026-07-16T12:32:29Z",
"published": "2026-07-16T12:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35147"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131782"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-36WC-4PRF-GP6G
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-21 00:00The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen.
{
"affected": [],
"aliases": [
"CVE-2022-2913"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T09:15:00Z",
"severity": "MODERATE"
},
"details": "The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn\u0027t check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen.",
"id": "GHSA-36wc-4prf-gp6g",
"modified": "2022-09-21T00:00:39Z",
"published": "2022-09-17T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2913"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/5231ac18-ea9a-4bb9-af9f-e3d95a3b54f1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-375W-QXCP-H82P
Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2026-06-03 18:33Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data.This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.
{
"affected": [],
"aliases": [
"CVE-2024-3305"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-12T13:15:12Z",
"severity": "HIGH"
},
"details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data.This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.",
"id": "GHSA-375w-qxcp-h82p",
"modified": "2026-06-03T18:33:05Z",
"published": "2024-09-12T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3305"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1457"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-377J-R7WX-8V2H
Vulnerability from github – Published: 2025-12-17 09:30 – Updated: 2025-12-17 09:30The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.
{
"affected": [],
"aliases": [
"CVE-2025-11924"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T07:15:57Z",
"severity": "HIGH"
},
"details": "The Ninja Forms \u2013 The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.",
"id": "GHSA-377j-r7wx-8v2h",
"modified": "2025-12-17T09:30:26Z",
"published": "2025-12-17T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11924"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3415563/ninja-forms"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4240cdae-9122-443e-8a7e-3369e74384be?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-37F6-M354-672C
Vulnerability from github – Published: 2022-03-08 00:00 – Updated: 2022-03-17 00:02The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.
{
"affected": [],
"aliases": [
"CVE-2022-0442"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-07T09:15:00Z",
"severity": "MODERATE"
},
"details": "The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.",
"id": "GHSA-37f6-m354-672c",
"modified": "2022-03-17T00:02:55Z",
"published": "2022-03-08T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0442"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/9cf0822a-c9d6-4ebc-b905-95b143d1a692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-384Q-GQ9C-W4G3
Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2022-06-03 00:00Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.
{
"affected": [],
"aliases": [
"CVE-2022-29434"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T21:15:00Z",
"severity": "MODERATE"
},
"details": "Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar \u003c= 4.9.0 at WordPress allows an attacker to edit or delete events.",
"id": "GHSA-384q-gq9c-w4g3",
"modified": "2022-06-03T00:00:58Z",
"published": "2022-05-21T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29434"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-0-edit-delete-event-via-idor-vulnerability"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/spiffy-calendar/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-393C-P46R-7C95
Vulnerability from github – Published: 2026-04-04 06:06 – Updated: 2026-04-09 19:05Summary
A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the filename_disk parameter.
Details
The PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering.
Impact
- Unauthorized File Overwrite: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.
- Remote Code Execution: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.
- Data Integrity Compromise: Files can be tampered with or replaced without visible indication in the application interface.
Mitigation
The filename_disk parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and filename_disk should be excluded from the fields users are permitted to update directly.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39942"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:06:39Z",
"nvd_published_at": "2026-04-09T17:16:29Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the `filename_disk` parameter.\n\n## Details\n\nThe `PATCH /files/{id}` endpoint accepts a user-controlled `filename_disk` parameter. By setting this value to match the storage path of another user\u0027s file, an attacker can overwrite that file\u0027s content while manipulating metadata fields such as `uploaded_by` to obscure the tampering.\n\n## Impact\n\n- **Unauthorized File Overwrite**: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.\n- **Remote Code Execution**: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.\n- **Data Integrity Compromise**: Files can be tampered with or replaced without visible indication in the application interface.\n\n## Mitigation\n\nThe `filename_disk` parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and `filename_disk` should be excluded from the fields users are permitted to update directly.",
"id": "GHSA-393c-p46r-7c95",
"modified": "2026-04-09T19:05:27Z",
"published": "2026-04-04T06:06:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39942"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/releases/tag/v11.17.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus: Path Traversal and Broken Access Control in File Management API"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.