CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3234 vulnerabilities reference this CWE, most recent first.
GHSA-3FH3-9F74-H562
Vulnerability from github – Published: 2024-12-09 09:31 – Updated: 2024-12-09 09:31An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available.
{
"affected": [],
"aliases": [
"CVE-2024-12305"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T09:15:04Z",
"severity": "MODERATE"
},
"details": "An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available.",
"id": "GHSA-3fh3-9f74-h562",
"modified": "2024-12-09T09:31:20Z",
"published": "2024-12-09T09:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12305"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3FX2-9CXR-PGRX
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary folder name that do not belong to them.
{
"affected": [],
"aliases": [
"CVE-2024-1693"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T14:48:34Z",
"severity": "MODERATE"
},
"details": "The SP Project \u0026 Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary folder name that do not belong to them.",
"id": "GHSA-3fx2-9cxr-pgrx",
"modified": "2024-05-14T15:32:52Z",
"published": "2024-05-14T15:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1693"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/sp-client-document-manager/trunk/classes/ajax.php#L786"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1951ad6c-17b5-44ae-85e2-376b99df742e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3GHG-3787-W2XR
Vulnerability from github – Published: 2026-01-08 21:28 – Updated: 2026-01-11 14:56Summary
An Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies.
Details
During testing, it was observed that all guest users can make an unauthenticated request to retrieve address data belonging to other guest users by manipulating object identifiers. The attacker would need to know the storefront URL structure to perform this attack (which can be learnt after creating a registered user account).
Affected Component(s)
* Address Edit endpoint: /addresses/{addressId}/edit
Root Cause - Faulty authorization check in CanCanCan Ability class:
- can :manage, ::Spree::Address, user_id: user.id
+ can :manage, ::Spree::Address, user_id: user.id if user.persisted?
the user object in Spree::Ability class for guest users is a Spree.user_class.new object.
Addresses endpoint to access it is part of the spree_storefront gem. Headless builds using APIs are not affected, as the Addresses endpoint there is only for registered users, and records are scoped to the currently signed-in user.
PoC
Preconditions - No authentication required - No cookies or session tokens set
To reproduce this vulnerability simply perform the request shown below, replacing the number with an arbitrary value.
For the initial request the Guest Address id = 6 is used to obtain the information
Request
GET /addresses/6/edit
Repeat the request and check the response, in this example using Guest Address id = 2.
Request
GET /addresses/2/edit
Impact
An unauthenticated attacker can:
- Enumerate and retrieve guest address information (Addresses associated with User accounts are NOT affected)
- Access personally identifiable information (PII) such as:
- Full names
- Physical addresses
- Phone numbers (if present)
This vulnerability could lead to:
- Privacy violations
- Regulatory compliance issues (e.g., GDPR)
- Loss of user trust
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_core"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_core"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22589"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-08T21:28:04Z",
"nvd_published_at": "2026-01-10T04:16:01Z",
"severity": "HIGH"
},
"details": "### Summary\nAn Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies.\n\n### Details\nDuring testing, it was observed that all guest users can make an unauthenticated request to retrieve address data belonging to other guest users by manipulating object identifiers. The attacker would need to know the storefront URL structure to perform this attack (which can be learnt after creating a registered user account).\n\nAffected Component(s)\n* Address Edit endpoint: `/addresses/{addressId}/edit`\n\nRoot Cause\n- Faulty authorization check in CanCanCan Ability class:\n\n```diff\n- can :manage, ::Spree::Address, user_id: user.id\n+ can :manage, ::Spree::Address, user_id: user.id if user.persisted?\n```\n\nthe `user` object in `Spree::Ability` class for guest users is a `Spree.user_class.new` object. \n\nAddresses endpoint to access it is part of the `spree_storefront` gem. **Headless builds using APIs are not affected,** as the Addresses endpoint there is only for registered users, and records are scoped to the currently signed-in user.\n\n### PoC\nPreconditions\n- No authentication required\n- No cookies or session tokens set\n\nTo reproduce this vulnerability simply perform the request shown below, replacing the number with an arbitrary value. \n\n**For the initial request the Guest Address id = 6 is used to obtain the information**\n\n**Request**\nGET `/addresses/6/edit`\n\n\u003cimg width=\"291\" height=\"454\" alt=\"IDOR Guest\" src=\"https://github.com/user-attachments/assets/d21d01a2-8fa5-4ab1-b9e2-6ee65bd6b5a2\" /\u003e\n\nRepeat the request and check the response, in this example using Guest Address id = 2.\n\n**Request**\nGET `/addresses/2/edit`\n\n[\u003cimg width=\"360\" height=\"519\" alt=\"IDOR Guest Address ID 2\" src=\"https://github.com/user-attachments/assets/1ce35990-3d11-4f47-9bba-266b5361313c\" /\u003e\n](url)\n\n### Impact\nAn unauthenticated attacker can:\n\n- Enumerate and retrieve guest address information (Addresses associated with User accounts are NOT affected)\n- Access personally identifiable information (PII) such as:\n- Full names\n- Physical addresses\n- Phone numbers (if present)\n\nThis vulnerability could lead to:\n\n- Privacy violations\n- Regulatory compliance issues (e.g., GDPR)\n- Loss of user trust",
"id": "GHSA-3ghg-3787-w2xr",
"modified": "2026-01-11T14:56:25Z",
"published": "2026-01-08T21:28:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22589"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_core/CVE-2026-22589.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/spree/spree"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spree API has Unauthenticated IDOR - Guest Address"
}
GHSA-3GJ6-5JX3-784R
Vulnerability from github – Published: 2024-09-04 09:30 – Updated: 2024-09-04 09:30The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.8 via the duplicate_post function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate posts written by other authors including admins. This includes the ability to duplicate password-protected posts, which reveals their contents.
{
"affected": [],
"aliases": [
"CVE-2024-8123"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-04T07:15:05Z",
"severity": "MODERATE"
},
"details": "The The Ultimate WordPress Toolkit \u2013 WP Extended plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.8 via the duplicate_post function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate posts written by other authors including admins. This includes the ability to duplicate password-protected posts, which reveals their contents.",
"id": "GHSA-3gj6-5jx3-784r",
"modified": "2024-09-04T09:30:45Z",
"published": "2024-09-04T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8123"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wpextended/trunk/includes/modules/core_extensions/wpext_duplicator/wpext_duplicator.php#L48"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3145430%40wpextended%2Ftrunk\u0026old=3134345%40wpextended%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1e421fb-4839-4e2d-911f-e2fa8c756744?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3GJH-JVM6-6PFG
Vulnerability from github – Published: 2026-04-20 18:31 – Updated: 2026-04-20 18:31A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles. The issue is triggered by modifying a parameter within requests sent to the /nasapi endpoint.
{
"affected": [],
"aliases": [
"CVE-2025-66954"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T17:16:29Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles. The issue is triggered by modifying a parameter within requests sent to the /nasapi endpoint.",
"id": "GHSA-3gjh-jvm6-6pfg",
"modified": "2026-04-20T18:31:49Z",
"published": "2026-04-20T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66954"
},
{
"type": "WEB",
"url": "https://github.com/DBmonster19/CVE-2025-66954"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3GQH-C39X-HVHH
Vulnerability from github – Published: 2024-08-19 00:31 – Updated: 2024-08-19 00:31Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100.
{
"affected": [],
"aliases": [
"CVE-2024-43322"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-18T22:15:11Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100.",
"id": "GHSA-3gqh-c39x-hvhh",
"modified": "2024-08-19T00:31:09Z",
"published": "2024-08-19T00:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43322"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-100-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3GWJ-2MCQ-R22X
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-13 18:30An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request.
{
"affected": [],
"aliases": [
"CVE-2023-30059"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T16:16:12Z",
"severity": "MODERATE"
},
"details": "An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request.",
"id": "GHSA-3gwj-2mcq-r22x",
"modified": "2026-05-13T18:30:40Z",
"published": "2026-05-12T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30059"
},
{
"type": "WEB",
"url": "https://github.com/yueslly/MKAUTH-IDOR"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3HXP-MVW5-V9P7
Vulnerability from github – Published: 2026-06-16 06:30 – Updated: 2026-06-16 06:30The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content without verifying the post's status (private, draft, pending) or the requesting user's capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id="X"] shortcode in their own content and previewing it.
{
"affected": [],
"aliases": [
"CVE-2026-10780"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T06:16:58Z",
"severity": "MODERATE"
},
"details": "The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied \u0027id\u0027 attribute and outputting its post_content without verifying the post\u0027s status (private, draft, pending) or the requesting user\u0027s capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id=\"X\"] shortcode in their own content and previewing it.",
"id": "GHSA-3hxp-mvw5-v9p7",
"modified": "2026-06-16T06:30:24Z",
"published": "2026-06-16T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10780"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/static-block/trunk/static-block.php#L244"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/static-block/trunk/static-block.php#L268"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/static-block/trunk/static-block.php#L270"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f88c00ca-cf9e-44e7-9495-686ace1ead21?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3J4C-6C9J-P6JJ
Vulnerability from github – Published: 2025-02-13 15:31 – Updated: 2026-01-29 21:30Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.
{
"affected": [],
"aliases": [
"CVE-2025-1270"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-13T13:15:09Z",
"severity": "CRITICAL"
},
"details": "Insecure direct object reference (IDOR) vulnerability in Anapi Group\u0027s h6web, allows an authenticated attacker to access other users\u0027 information by making a POST request and modifying the \u201cpkrelated\u201d parameter in the \u201c/h6web/ha_datos_hermano.php\u201d endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.",
"id": "GHSA-3j4c-6c9j-p6jj",
"modified": "2026-01-29T21:30:24Z",
"published": "2025-02-13T15:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1270"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3J4H-62VW-5645
Vulnerability from github – Published: 2023-12-20 00:32 – Updated: 2026-04-28 21:33Authorization Bypass Through User-Controlled Key vulnerability in XWP Stream.This issue affects Stream: from n/a through 3.9.2.
{
"affected": [],
"aliases": [
"CVE-2022-43450"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-19T22:15:07Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in XWP Stream.This issue affects Stream: from n/a through 3.9.2.",
"id": "GHSA-3j4h-62vw-5645",
"modified": "2026-04-28T21:33:27Z",
"published": "2023-12-20T00:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43450"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/stream/wordpress-stream-plugin-3-9-2-auth-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.