CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3235 vulnerabilities reference this CWE, most recent first.
GHSA-3PRP-9GF7-4RXX
Vulnerability from github – Published: 2026-04-17 21:34 – Updated: 2026-04-24 21:01Summary
A Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities.
Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects.
In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces.
Details
The DocumentStore entity defines a globally unique primary key:
@PrimaryGeneratedColumn('uuid')
id: string
The create logic is implemented as:
const documentStore = repo.create(newDocumentStore)
const dbResponse = await repo.save(documentStore)
Here is no DTO allowlist or field filtering before persistence. The entire request body is mapped directly to the entity. TypeORM save() behavior:
- If the primary key (id) exists → UPDATE
- If not → INSERT
Because id is accepted from the client, the create endpoint effectively functions as an UPSERT endpoint.
This allows an authenticated user to submit:
{
"id": "<existing_store_id>",
"name": "modified",
"description": "modified",
"status": "SYNC",
"embeddingConfig": "...",
"vectorStoreConfig": "...",
"recordManagerConfig": "..."
}
If a DocumentStore with the supplied id already exists, save() performs an UPDATE rather than creating a new record.
Importantly:
The primary key is globally unique (uuid) It is not composite with workspaceId The create path does not enforce ownership validation before calling save() This introduces a broken object-level authorization risk.
If an attacker can obtain or enumerate a valid DocumentStore UUID belonging to another workspace, they can: Submit a POST create request with that UUID. Trigger an UPDATE on the existing record. Potentially overwrite fields including workspaceId, effectively reassigning the object to their own workspace.
Because the service layer does not verify that the existing record belongs to the caller’s workspace before updating, this may result in cross-workspace object takeover.
Additionally, several service functions retrieve DocumentStore entities by id without consistently scoping by workspaceId, increasing the risk of IDOR if controller-level protections are bypassed or misconfigured.
PoC
- Create a normal DocumentStore in Workspace A.
- Capture its id from the API response.
- From Workspace B (or another authenticated context), submit:
POST /api/v1/document-store
Content-Type: application/json
{
"id": "<id_from_workspace_A>",
"name": "hijacked",
"description": "hijacked"
}
Because the service uses repository.save() with a client-supplied primary key:
- The existing record is updated.
- The object may become reassigned depending on how workspaceId is handled at controller level.
- If workspaceId is overwritten during the create flow, the store is effectively migrated to the attacker’s workspace.
- This demonstrates object takeover via UPSERT semantics on a create endpoint.
Impact
This vulnerability enables:
- Mass Assignment on server-managed fields
- Overwrite of existing objects via implicit UPSERT behavior
- Broken Object Level Authorization (BOLA)
- Potential cross-workspace object takeover in multi-tenant deployments
- In a SaaS or shared-workspace environment, an attacker who can obtain or guess a valid UUID may modify or reassign DocumentStore objects belonging to other tenants.
Because DocumentStore objects control embedding providers, vector store configuration, and record management logic, successful takeover can affect data indexing, retrieval, and AI workflow execution.
This represents a high-risk authorization flaw in multi-tenant environments.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.13"
},
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41277"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-17T21:34:16Z",
"nvd_published_at": "2026-04-23T20:16:16Z",
"severity": "HIGH"
},
"details": "### Summary\nA Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities.\n\nBecause the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects.\n\nIn multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces.\n\n### Details\nThe DocumentStore entity defines a globally unique primary key:\n\n```typescript\n@PrimaryGeneratedColumn(\u0027uuid\u0027)\nid: string\n```\n\nThe create logic is implemented as:\n```typescript\nconst documentStore = repo.create(newDocumentStore)\nconst dbResponse = await repo.save(documentStore)\n```\n\nHere is no DTO allowlist or field filtering before persistence. The entire request body is mapped directly to the entity.\nTypeORM save() behavior:\n\n1. If the primary key (id) exists \u2192 UPDATE\n2. If not \u2192 INSERT\n\nBecause id is accepted from the client, the create endpoint effectively functions as an UPSERT endpoint.\n\nThis allows an authenticated user to submit:\n\n```json\n{\n \"id\": \"\u003cexisting_store_id\u003e\",\n \"name\": \"modified\",\n \"description\": \"modified\",\n \"status\": \"SYNC\",\n \"embeddingConfig\": \"...\",\n \"vectorStoreConfig\": \"...\",\n \"recordManagerConfig\": \"...\"\n}\n```\nIf a DocumentStore with the supplied id already exists, save() performs an UPDATE rather than creating a new record.\n\nImportantly:\n\nThe primary key is globally unique (uuid)\nIt is not composite with workspaceId\nThe create path does not enforce ownership validation before calling save()\nThis introduces a broken object-level authorization risk.\n\nIf an attacker can obtain or enumerate a valid DocumentStore UUID belonging to another workspace, they can:\nSubmit a POST create request with that UUID.\nTrigger an UPDATE on the existing record.\nPotentially overwrite fields including workspaceId, effectively reassigning the object to their own workspace.\n\nBecause the service layer does not verify that the existing record belongs to the caller\u2019s workspace before updating, this may result in cross-workspace object takeover.\n\nAdditionally, several service functions retrieve DocumentStore entities by id without consistently scoping by workspaceId, increasing the risk of IDOR if controller-level protections are bypassed or misconfigured.\n\n### PoC\n\n1. Create a normal DocumentStore in Workspace A.\n2. Capture its id from the API response.\n3. From Workspace B (or another authenticated context), submit:\n\n```http\nPOST /api/v1/document-store\nContent-Type: application/json\n\n{\n \"id\": \"\u003cid_from_workspace_A\u003e\",\n \"name\": \"hijacked\",\n \"description\": \"hijacked\"\n}\n```\n\nBecause the service uses repository.save() with a client-supplied primary key:\n\n- The existing record is updated.\n- The object may become reassigned depending on how workspaceId is handled at controller level.\n- If workspaceId is overwritten during the create flow, the store is effectively migrated to the attacker\u2019s workspace.\n- This demonstrates object takeover via UPSERT semantics on a create endpoint.\n\n### Impact\nThis vulnerability enables:\n\n- Mass Assignment on server-managed fields\n- Overwrite of existing objects via implicit UPSERT behavior\n- Broken Object Level Authorization (BOLA)\n- Potential cross-workspace object takeover in multi-tenant deployments\n- In a SaaS or shared-workspace environment, an attacker who can obtain or guess a valid UUID may modify or reassign DocumentStore objects belonging to other tenants.\n\nBecause DocumentStore objects control embedding providers, vector store configuration, and record management logic, successful takeover can affect data indexing, retrieval, and AI workflow execution.\n\nThis represents a high-risk authorization flaw in multi-tenant environments.",
"id": "GHSA-3prp-9gf7-4rxx",
"modified": "2026-04-24T21:01:04Z",
"published": "2026-04-17T21:34:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3prp-9gf7-4rxx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41277"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)"
}
GHSA-3PVF-VXRV-HH9C
Vulnerability from github – Published: 2026-03-24 16:53 – Updated: 2026-03-25 20:59Summary
A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view.
The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files.
Details
Root cause:
- A user-controlled object reference (assetId) is used to load and return sensitive content.
- The action does not verify whether the current user is authorized to view that asset.
- This creates an authenticated IDOR / authorization bypass.
Impact
- Craft installations where private/non-public assets exist and low-privileged users can authenticate.
Resources
https://github.com/craftcms/cms/commit/7290d91639e
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.7"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.17.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.9.13"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.9.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33158"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T16:53:24Z",
"nvd_published_at": "2026-03-24T18:16:09Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA low-privileged authenticated user can read private asset content by calling `assets/edit-image` with an arbitrary `assetId` that they are not authorized to view.\n\nThe endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files.\n\n### Details\n\nRoot cause:\n - A user-controlled object reference (`assetId`) is used to load and return sensitive content.\n - The action does not verify whether the current user is authorized to view that asset.\n - This creates an authenticated IDOR / authorization bypass.\n\n### Impact\n\n- Craft installations where private/non-public assets exist and low-privileged users can authenticate.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/7290d91639e",
"id": "GHSA-3pvf-vxrv-hh9c",
"modified": "2026-03-25T20:59:46Z",
"published": "2026-03-24T16:53:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/4.17.8"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/5.9.14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)"
}
GHSA-3Q6Q-26VG-V97X
Vulnerability from github – Published: 2026-07-14 00:03 – Updated: 2026-07-14 00:03Summary
Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic create_activity permission, but without access to a target project, can still create a new Activity under that unauthorized project by visiting the preset project creation route directly.
This is a persistent cross-project business-object creation issue. The attacker does not need permission to view or edit the target project and only needs to know a valid project.id.
Details
The issue affects the activity creation entry point that accepts a preset project identifier:
GET/POST /en/admin/activity/create/{project}GET/POST /en/admin/project/create/{customer}
In src/Controller/ActivityController.php, the controller checks only the global capability to create activities and does not verify whether the current user is allowed to create an activity under the supplied Project object.
The form and repository path also preserve the preset project instead of rejecting it when the user lacks access. Because the preset project is merged into the candidate set, the final save operation can persist a new Activity under a project that is outside the attacker's authorized project scope.
The same logic applies to the src/Controller/ProjectController.php.
A PoC was provided, but removed for security reasons.
Impact
This vulnerability allows an authenticated user to inject new child business objects into projects outside their authorized scope. An attacker can pollute another team's project configuration, influence later timesheet selection and rate inheritance, and create conditions for downstream business abuse if other users start using the injected activity.
Solution
- In
ActivityControllerwe now validate if the project can be edited with[IsGranted('edit', 'project')] - In
ProjectControllerwe now validate if if the customer can be edited with[IsGranted('edit', 'customer')]
See https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97x
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.56.0"
},
"package": {
"ecosystem": "Packagist",
"name": "kimai/kimai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.57.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52821"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T00:03:42Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nKimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic `create_activity` permission, but without access to a target project, can still create a new `Activity` under that unauthorized project by visiting the preset project creation route directly.\n\nThis is a persistent cross-project business-object creation issue. The attacker does not need permission to view or edit the target project and only needs to know a valid `project.id`.\n\n### Details\n\nThe issue affects the activity creation entry point that accepts a preset project identifier:\n\n- `GET/POST /en/admin/activity/create/{project}`\n- `GET/POST /en/admin/project/create/{customer}`\n\nIn `src/Controller/ActivityController.php`, the controller checks only the global capability to create activities and does not verify whether the current user is allowed to create an activity under the supplied `Project` object.\n\nThe form and repository path also preserve the preset project instead of rejecting it when the user lacks access. Because the preset project is merged into the candidate set, the final save operation can persist a new `Activity` under a project that is outside the attacker\u0027s authorized project scope.\n\nThe same logic applies to the `src/Controller/ProjectController.php`.\n\n*A PoC was provided, but removed for security reasons.*\n\n### Impact\n\nThis vulnerability allows an authenticated user to inject new child business objects into projects outside their authorized scope. An attacker can pollute another team\u0027s project configuration, influence later timesheet selection and rate inheritance, and create conditions for downstream business abuse if other users start using the injected activity.\n\n# Solution\n\n- In `ActivityController` we now validate if the project can be edited with `[IsGranted(\u0027edit\u0027, \u0027project\u0027)]`\n- In `ProjectController` we now validate if if the customer can be edited with `[IsGranted(\u0027edit\u0027, \u0027customer\u0027)]`\n\nSee https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97x",
"id": "GHSA-3q6q-26vg-v97x",
"modified": "2026-07-14T00:03:42Z",
"published": "2026-07-14T00:03:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-3q6q-26vg-v97x"
},
{
"type": "PACKAGE",
"url": "https://github.com/kimai/kimai"
},
{
"type": "WEB",
"url": "https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97x"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects"
}
GHSA-3QR8-PM5H-36F2
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32A authorization bypass through user-controlled key in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.8 may allow an authenticated attacker to view unauthorized device information via key modification in API requests.
{
"affected": [],
"aliases": [
"CVE-2024-45329"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T17:19:25Z",
"severity": "MODERATE"
},
"details": "A authorization bypass through user-controlled key in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.8 may allow an authenticated attacker to view unauthorized device information via key modification in API requests.",
"id": "GHSA-3qr8-pm5h-36f2",
"modified": "2025-06-10T18:32:27Z",
"published": "2025-06-10T18:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45329"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-274"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3R8C-RQQR-C7H4
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04An Insecure Direct Object Reference (IDOR) vulnerability in Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to modify any existing user, including users assigned to different environments and clients. It was fixed in v2021.1.0.2.
{
"affected": [],
"aliases": [
"CVE-2021-31927"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-829"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-10T15:15:00Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in Annex Cloud Loyalty Experience Platform \u003c2021.1.0.1 allows any authenticated attacker to modify any existing user, including users assigned to different environments and clients. It was fixed in v2021.1.0.2.",
"id": "GHSA-3r8c-rqqr-c7h4",
"modified": "2022-05-24T19:04:52Z",
"published": "2022-05-24T19:04:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31927"
},
{
"type": "WEB",
"url": "https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md"
},
{
"type": "WEB",
"url": "https://www.annexcloud.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3V2J-6FW9-F57C
Vulnerability from github – Published: 2026-07-15 18:41 – Updated: 2026-07-15 18:41Impact
Users below report_issues_for_unreleased_versions_threshold can assign unreleased product versions.
Patches
- https://github.com/mantisbt/mantisbt/commit/17072d4c322c85f7135ebec3417a6d90b525d12f
Workarounds
None
Resources
- https://mantisbt.org/bugs/view.php?id=37065
Credits
MantisBT thanks Vishal Shukla for discovering and responsibly reporting the issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.28.3"
},
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.28.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52882"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-15T18:41:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nUsers below _report_issues_for_unreleased_versions_threshold_ can assign unreleased product versions.\n\n### Patches\n- https://github.com/mantisbt/mantisbt/commit/17072d4c322c85f7135ebec3417a6d90b525d12f\n\n### Workarounds\nNone\n\n### Resources\n- https://mantisbt.org/bugs/view.php?id=37065\n\n### Credits\nMantisBT thanks Vishal Shukla for discovering and responsibly reporting the issue.",
"id": "GHSA-3v2j-6fw9-f57c",
"modified": "2026-07-15T18:41:55Z",
"published": "2026-07-15T18:41:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-3v2j-6fw9-f57c"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/17072d4c322c85f7135ebec3417a6d90b525d12f"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=37065"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MantisBT: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters"
}
GHSA-3VCC-WPCM-9VGM
Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31Unauthenticated attackers can rename "rooms" of arbitrary users.
{
"affected": [],
"aliases": [
"CVE-2025-27561"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T22:15:19Z",
"severity": "MODERATE"
},
"details": "Unauthenticated attackers can rename \"rooms\" of arbitrary users.",
"id": "GHSA-3vcc-wpcm-9vgm",
"modified": "2025-04-16T00:31:37Z",
"published": "2025-04-16T00:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27561"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3VCV-R276-FF59
Vulnerability from github – Published: 2023-12-20 18:30 – Updated: 2026-04-28 21:33Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.
{
"affected": [],
"aliases": [
"CVE-2023-35916"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-20T16:15:08Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments \u2013 Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments \u2013 Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.",
"id": "GHSA-3vcv-r276-ff59",
"modified": "2026-04-28T21:33:29Z",
"published": "2023-12-20T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35916"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woocommerce-payments-plugin-5-9-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3VGG-7H5G-62MM
Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.
{
"affected": [],
"aliases": [
"CVE-2026-57956"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T18:16:40Z",
"severity": "MODERATE"
},
"details": "SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations\u0027 alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.",
"id": "GHSA-3vgg-7h5g-62mm",
"modified": "2026-06-29T18:31:56Z",
"published": "2026-06-29T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57956"
},
{
"type": "WEB",
"url": "https://github.com/SigNoz/signoz/issues/11830"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/signoz-cross-organization-insecure-direct-object-reference-in-alert-rules"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3VHQ-CJ93-8R2V
Vulnerability from github – Published: 2023-12-19 21:32 – Updated: 2026-04-28 21:33Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.
{
"affected": [],
"aliases": [
"CVE-2023-49812"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-19T21:15:09Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.",
"id": "GHSA-3vhq-cj93-8r2v",
"modified": "2026-04-28T21:33:26Z",
"published": "2023-12-19T21:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49812"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-photo-album-plus/wordpress-wp-photo-album-plus-plugin-8-5-02-005-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.