CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3214 vulnerabilities reference this CWE, most recent first.
GHSA-5679-7QRC-5M7J
Vulnerability from github – Published: 2020-04-29 16:31 – Updated: 2021-09-02 18:48Impact
Authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see.
Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher.
Details
An authenticated user could craft a request to:
- View Executions and download execution logs without access to
readorviewthe associated Job, or ad-hoc resource. - Get the list of running executions in a project, without Event
readaccess, if they havereadaccess to view the project. - View the Options definitions of a Job without access to view the Job.
- View the definition of a workflow step of a Job without access to view the Job.
- View the SCM diff of a modified Job definition if SCM is enabled, without Project
exportaccess level. - View the New User Profile Form for a different username, without User
adminaccess. Note: they would not be allowed to create or modify a profile for a different user, or reveal any user profile information for a different user.
Some authenticated API requests were not correctly checking appropriate authorization levels:
- The list of running Executions would be sent without
readaccess to Events. - The Plugin Input Parameters for a SCM plugin would be sent without authorization for project
import,scm_import,export, orscm_exportactions. - Job Retry action could retry an execution without
readorviewaccess to the Execution, which would reveal the Execution's option values. (runaccess to the Job was still required).
Patches
Upgrade to Rundeck version 3.2.6
Workarounds
None
References
Report
If you have any questions or comments about this advisory: * Email us at security@rundeck.com
To report security issues to Rundeck please use the form at http://rundeck.com/security
Reporter: Justine Osborne of Apple Information Security
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.rundeck:rundeck"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-11009"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2020-04-29T16:30:45Z",
"nvd_published_at": "2020-04-29T17:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nAuthenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see.\n\n\u003e Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher.\n\n### Details\n\nAn authenticated user could craft a request to:\n\n* View Executions and download execution logs without access to `read` or `view` the associated Job, or ad-hoc resource.\n* Get the list of running executions in a project, without Event `read` access, if they have `read` access to view the project.\n* View the Options definitions of a Job without access to view the Job.\n* View the definition of a workflow step of a Job without access to view the Job.\n* View the SCM diff of a modified Job definition if SCM is enabled, without Project `export` access level.\n* View the New User Profile Form for a different username, without User `admin` access. Note: they would not be allowed to create or modify a profile for a different user, or reveal any user profile information for a different user.\n\nSome authenticated API requests were not correctly checking appropriate authorization levels:\n\n* The list of running Executions would be sent without `read` access to Events.\n* The Plugin Input Parameters for a SCM plugin would be sent without authorization for project `import`,`scm_import`,`export`, or `scm_export` actions.\n* Job Retry action could retry an execution without `read` or `view` access to the Execution, which would reveal the Execution\u0027s option values. (`run` access to the Job was still required).\n\n### Patches\nUpgrade to Rundeck version 3.2.6\n\n### Workarounds\nNone\n\n### References\n[3.2.6 Release Notes](https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html)\n\n### Report\nIf you have any questions or comments about this advisory:\n* Email us at [security@rundeck.com](mailto:security@rundeck.com)\n\nTo report security issues to Rundeck please use the form at [http://rundeck.com/security](http://rundeck.com/security)\n\nReporter: Justine Osborne of Apple Information Security",
"id": "GHSA-5679-7qrc-5m7j",
"modified": "2021-09-02T18:48:11Z",
"published": "2020-04-29T16:31:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-5679-7qrc-5m7j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11009"
},
{
"type": "WEB",
"url": "https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/rundeck/rundeck"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "IDOR can reveal execution data and logs to unauthorized user in Rundeck"
}
GHSA-56RF-V7JX-HXGF
Vulnerability from github – Published: 2025-12-31 15:30 – Updated: 2026-04-01 18:36Authorization Bypass Through User-Controlled Key vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.9.9.4.
{
"affected": [],
"aliases": [
"CVE-2025-63053"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-31T15:15:54Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.9.9.4.",
"id": "GHSA-56rf-v7jx-hxgf",
"modified": "2026-04-01T18:36:27Z",
"published": "2025-12-31T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63053"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-572Q-472R-V8M3
Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 00:31Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4.
{
"affected": [],
"aliases": [
"CVE-2025-47555"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T17:15:54Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through \u003c= 3.9.4.",
"id": "GHSA-572q-472r-v8m3",
"modified": "2026-01-27T00:31:09Z",
"published": "2026-01-22T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47555"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-576J-7QWW-F874
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.
{
"affected": [],
"aliases": [
"CVE-2025-13874"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:20Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.",
"id": "GHSA-576j-7qww-f874",
"modified": "2026-05-14T06:31:32Z",
"published": "2026-05-14T06:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13874"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3445398"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/582634"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-578W-C832-XRGC
Vulnerability from github – Published: 2024-10-31 06:30 – Updated: 2024-10-31 06:30The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.
{
"affected": [],
"aliases": [
"CVE-2024-9700"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-31T06:15:05Z",
"severity": "MODERATE"
},
"details": "The Forminator Forms \u2013 Contact Form, Payment Form \u0026 Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the \u0027entry_id\u0027 user controlled key. This makes it possible for unauthenticated attackers to modify other user\u0027s quiz submissions.",
"id": "GHSA-578w-c832-xrgc",
"modified": "2024-10-31T06:30:45Z",
"published": "2024-10-31T06:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9700"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.35.1/library/modules/quizzes/front/front-action.php#L548"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3172942"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbed35ca-1630-46a4-8b1f-60cc7216f294?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-57C3-9RJJ-44M5
Vulnerability from github – Published: 2023-07-12 06:30 – Updated: 2024-04-04 06:01The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts.
{
"affected": [],
"aliases": [
"CVE-2023-3105"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T05:15:10Z",
"severity": "HIGH"
},
"details": "The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts.",
"id": "GHSA-57c3-9rjj-44m5",
"modified": "2024-04-04T06:01:36Z",
"published": "2023-07-12T06:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3105"
},
{
"type": "WEB",
"url": "https://www.learndash.com/release-notes"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2318b3e1-268d-45fa-83bf-c6e88f1b9013?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-57C8-XJXF-CQC2
Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-08 09:31The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.
{
"affected": [],
"aliases": [
"CVE-2026-4654"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T08:16:24Z",
"severity": "MODERATE"
},
"details": "The Awesome Support \u2013 WordPress HelpDesk \u0026 Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.",
"id": "GHSA-57c8-xjxf-cqc2",
"modified": "2026-04-08T09:31:31Z",
"published": "2026-04-08T09:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4654"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1823"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1851"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1823"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1851"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3497662%40awesome-support\u0026new=3497662%40awesome-support\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9015fa-b3f0-4312-8acd-02b715e26f33?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-57P3-67R2-VWM7
Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-04-25 15:31A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).
{
"affected": [],
"aliases": [
"CVE-2025-3625"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-25T15:15:36Z",
"severity": "HIGH"
},
"details": "A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).",
"id": "GHSA-57p3-67r2-vwm7",
"modified": "2025-04-25T15:31:22Z",
"published": "2025-04-25T15:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3625"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3625"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359690"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-57Q4-65MF-59MF
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.
{
"affected": [],
"aliases": [
"CVE-2026-6063"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:24Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.",
"id": "GHSA-57q4-65mf-59mf",
"modified": "2026-05-14T06:31:33Z",
"published": "2026-05-14T06:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6063"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3649087"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-58F6-6RJ2-3V8R
Vulnerability from github – Published: 2026-07-02 20:29 – Updated: 2026-07-02 20:29Summary
When Steeltoe management endpoints are configured to listen on an alternate port (Management:Endpoints:Port is configured), the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port.
Impact
An unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.
Affected configuration
- The application's public port is accessible over from the network.
Management:Endpoints:Portis configured to a value different from the application's main listener port.- The request scheme matches
Management:Endpoints:SslEnabled. For example,httpwhenSslEnabledisfalse(the default), orhttpswhenSslEnabledistrue.
Mitigations
If an immediate upgrade to a patched version is not possible:
- Add explicit ASP.NET Core authorization (
RequireAuthorization) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation. - Configure the reverse proxy or load balancer to enforce the
Hostheader value and prevent clients from setting an arbitrary port.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Steeltoe.Management.Endpoint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Steeltoe.Management.EndpointCore"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.2"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50194"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:29:13Z",
"nvd_published_at": "2026-06-17T22:16:23Z",
"severity": "HIGH"
},
"details": "### Summary\n\nWhen Steeltoe management endpoints are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. \n\n### Impact\n\nAn unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.\n\n### Affected configuration\n\n- The application\u0027s public port is accessible over from the network.\n- `Management:Endpoints:Port` is configured to a value different from the application\u0027s main listener port.\n- The request scheme matches `Management:Endpoints:SslEnabled`. For example, `http` when `SslEnabled` is `false` (the default), or `https` when `SslEnabled` is `true`.\n\n### Mitigations\n\nIf an immediate upgrade to a patched version is not possible:\n\n- Add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation.\n- Configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.",
"id": "GHSA-58f6-6rj2-3v8r",
"modified": "2026-07-02T20:29:13Z",
"published": "2026-07-02T20:29:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-58f6-6rj2-3v8r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50194"
},
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe89ac2e6c609554e435ab28996fec5e9"
},
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6"
},
{
"type": "PACKAGE",
"url": "https://github.com/SteeltoeOSS/steeltoe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Steeltoe vulnerable to management-port isolation bypass via spoofed Host header"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.