Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3229 vulnerabilities reference this CWE, most recent first.

GHSA-68GW-R2X5-7R5R

Vulnerability from github – Published: 2022-12-23 12:30 – Updated: 2023-06-27 20:24
VLAI
Summary
usememos/memos Authorization Bypass Through User-Controlled Key vulnerability
Details

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T16:27:38Z",
    "nvd_published_at": "2022-12-23T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0.",
  "id": "GHSA-68gw-r2x5-7r5r",
  "modified": "2023-06-27T20:24:50Z",
  "published": "2022-12-23T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/commit/dca35bde877aab6e64ef51b52e590b5d48f692f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/caa0b22c-501f-44eb-af65-65c315cd1637"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "usememos/memos Authorization Bypass Through User-Controlled Key vulnerability"
}

GHSA-68J5-4M99-W9W9

Vulnerability from github – Published: 2026-03-18 12:59 – Updated: 2026-03-20 21:16
VLAI
Summary
File Browser has an Authorization Policy Bypass in Public Share Download Flow
Details

Summary

A permission enforcement flaw allows users without download privileges (download=false) to still expose and retrieve file content via public share links when they retain share privileges (share=true). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.

Details

The backend applies inconsistent authorization checks across download paths:

As a result, a user who is blocked from direct downloads can create a share and obtain the same file via /api/public/dl/<hash>.

PoC

  1. Create a non-admin user with:
  2. perm.share = true
  3. perm.download = false

  4. Login as that user and upload a PDF file:

  5. POST /api/resources/nodl_secret_<rand>.pdf with Content-Type: application/pdf

  6. Verify direct raw download is denied:

  7. GET /api/raw/nodl_secret_<rand>.pdf
  8. Expected and observed: 202 Accepted (blocked)

  9. Create share for same file:

  10. POST /api/share/nodl_secret_<rand>.pdf
  11. Observed: 200, response includes hash (example: qxfK3JMG)

  12. Download publicly without authentication:

  13. GET /api/public/dl/<hash>
  14. Observed (vulnerable): 200, Content-Type: application/pdf, and PDF bytes are returned

Live evidence captured (March 1, 2026): - create user: 201 - create file: 200 - direct /api/raw: 202 Accepted - create share: 200 - public download /api/public/dl/mxK-ppZb: 200 - public download content-type: application/pdf - public download body length: 327 bytes

Impact

This is an access control / authorization policy bypass vulnerability.

  • Who can exploit: Any authenticated user granted share=true but denied download.
  • Who is impacted: Operators and organizations relying on download restrictions to prevent data export.
  • What can happen: Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "https://github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.61.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T12:59:12Z",
    "nvd_published_at": "2026-03-20T00:16:17Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA permission enforcement flaw allows users without download privileges (`download=false`) to still expose and retrieve file content via public share links when they retain share privileges (`share=true`). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.\n\n### Details\nThe backend applies inconsistent authorization checks across download paths:\n\n- Direct raw download correctly enforces `Perm.Download`:\n  - [[raw.go](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)](filebrowser/http/raw.go:82)\n- Share creation only enforces `Perm.Share`:\n  - [[share.go](https://github.com/filebrowser/filebrowser/blob/master/http/share.go#21)](filebrowser/http/share.go:21)\n- Public share/download handlers serve shared content without verifying owner `Perm.Download`:\n  - [public.go](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#18)(filebrowser/http/public.go:18)\n  - [public.go](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#116)(filebrowser/http/public.go:116)\n\nAs a result, a user who is blocked from direct downloads can create a share and obtain the same file via `/api/public/dl/\u003chash\u003e`.\n\n### PoC\n\n1. Create a non-admin user with:\n- `perm.share = true`\n- `perm.download = false`\n\n2. Login as that user and upload a **PDF** file:\n- `POST /api/resources/nodl_secret_\u003crand\u003e.pdf` with `Content-Type: application/pdf`\n\n3. Verify direct raw download is denied:\n- `GET /api/raw/nodl_secret_\u003crand\u003e.pdf`\n- Expected and observed: `202 Accepted` (blocked)\n\n4. Create share for same file:\n- `POST /api/share/nodl_secret_\u003crand\u003e.pdf`\n- Observed: `200`, response includes `hash` (example: `qxfK3JMG`)\n\n5. Download publicly without authentication:\n- `GET /api/public/dl/\u003chash\u003e`\n- Observed (vulnerable): `200`, `Content-Type: application/pdf`, and PDF bytes are returned\n\nLive evidence captured (March 1, 2026):\n- `create user`: `201`\n- `create file`: `200`\n- `direct /api/raw`: `202 Accepted`\n- `create share`: `200`\n- `public download /api/public/dl/mxK-ppZb`: `200`\n- `public download content-type`: `application/pdf`\n- `public download body length`: `327` bytes\n\n### Impact\nThis is an **access control / authorization policy bypass** vulnerability.\n\n- **Who can exploit:** Any authenticated user granted `share=true` but denied `download`.\n- **Who is impacted:** Operators and organizations relying on download restrictions to prevent data export.\n- **What can happen:** Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.",
  "id": "GHSA-68j5-4m99-w9w9",
  "modified": "2026-03-20T21:16:13Z",
  "published": "2026-03-18T12:59:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has an Authorization Policy Bypass in Public Share Download Flow"
}

GHSA-68QQ-4WV4-QX36

Vulnerability from github – Published: 2025-11-21 15:31 – Updated: 2025-11-21 15:31
VLAI
Details

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-21T13:15:45Z",
    "severity": "MODERATE"
  },
  "details": "The ELEX WordPress HelpDesk \u0026 Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the \u0027eh_crm_ticket_single_view_client\u0027 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.",
  "id": "GHSA-68qq-4wv4-qx36",
  "modified": "2025-11-21T15:31:25Z",
  "published": "2025-11-21T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10039"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php#L259"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3391342"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ffc0af-9c3d-4f8e-ae0b-e51c0c67dfe1?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68W5-W573-Q2R8

Vulnerability from github – Published: 2026-05-11 17:58 – Updated: 2026-05-19 16:09
VLAI
Summary
MantisBT Has Authorization Bypass in Global Profile Creation
Details

MantisBT allows a low-privileged authenticated user having add_profile_threshold to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request.

Impact

Authentication bypass

Patches

  • 3f952e68fa864e0e60abc3e84adecf3cfa84c75e

Workarounds

None

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issues.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.28.0"
            },
            {
              "fixed": "2.28.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T17:58:50Z",
    "nvd_published_at": "2026-05-19T02:16:15Z",
    "severity": "MODERATE"
  },
  "details": "MantisBT allows a low-privileged authenticated user having *add_profile_threshold* to create a global profile despite not having *manage_global_profile_threshold*, by tampering with the user_id parameter in a valid profile creation request.\n\n### Impact\nAuthentication bypass\n\n### Patches\n- 3f952e68fa864e0e60abc3e84adecf3cfa84c75e\n\n### Workarounds\nNone\n\n### Credits\nThanks to Vishal Shukla for discovering and responsibly reporting the issues.",
  "id": "GHSA-68w5-w573-q2r8",
  "modified": "2026-05-19T16:09:47Z",
  "published": "2026-05-11T17:58:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33052"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/releases/tag/release-2.28.2"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=36974"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MantisBT Has Authorization Bypass in Global Profile Creation"
}

GHSA-6963-573W-VXVF

Vulnerability from github – Published: 2026-03-26 06:30 – Updated: 2026-03-26 06:30
VLAI
Details

The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-26T06:16:09Z",
    "severity": "MODERATE"
  },
  "details": "The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the \u0027template_id\u0027 supplied to the \u0027get_template_data\u0027 action of the \u0027elementor_ajax\u0027 endpoint.",
  "id": "GHSA-6963-573w-vxvf",
  "modified": "2026-03-26T06:30:21Z",
  "published": "2026-03-26T06:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1206"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3489160/elementor/trunk/includes/template-library/sources/local.php?old=3473768\u0026old_path=elementor%2Ftrunk%2Fincludes%2Ftemplate-library%2Fsources%2Flocal.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69GG-PVP7-2FX5

Vulnerability from github – Published: 2026-07-01 09:30 – Updated: 2026-07-01 09:30
VLAI
Details

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own — including site-wide surfaces via the reserved 'template' and 'widget' page_id values — enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T08:16:19Z",
    "severity": "MODERATE"
  },
  "details": "The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the \u0027page_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own \u2014 including site-wide surfaces via the reserved \u0027template\u0027 and \u0027widget\u0027 page_id values \u2014 enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint\u0027s permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.",
  "id": "GHSA-69gg-pvp7-2fx5",
  "modified": "2026-07-01T09:30:25Z",
  "published": "2026-07-01T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10096"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L134"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L142"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L82"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3572812%40qi-blocks\u0026new=3572812%40qi-blocks\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64251fd4-1627-49d0-831f-5cb9898c38bf?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CCC-8WGJ-7RF9

Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2024-04-04 05:53
VLAI
Details

The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3219"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-10T16:15:55Z",
    "severity": "MODERATE"
  },
  "details": "The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.",
  "id": "GHSA-6ccc-8wgj-7rf9",
  "modified": "2024-04-04T05:53:33Z",
  "published": "2023-07-10T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3219"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/72d80887-0270-4987-9739-95b1a178c1fd"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/173992/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CJ8-H4PG-P2JV

Vulnerability from github – Published: 2023-08-10 15:30 – Updated: 2024-04-04 06:48
VLAI
Details

Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-10T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.",
  "id": "GHSA-6cj8-h4pg-p2jv",
  "modified": "2024-04-04T06:48:28Z",
  "published": "2023-08-10T15:30:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37543"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CQF-CFHV-659G

Vulnerability from github – Published: 2025-11-13 22:34 – Updated: 2026-02-03 17:23
VLAI
Summary
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function
Details

Summary

It has been found an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks.

The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.

Details

Technical Analysis

The vulnerability exists in/http/share.go at lines 72-82. The shareDeleteHandler function processes deletion requests using only the share hash without comparing the link.UserID with the current authenticated user's ID (d.user.ID). This missing authorization check enables the vulnerability.

var shareDeleteHandler = withPermShare(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
    hash := strings.TrimSuffix(r.URL.Path, "/")
    hash = strings.TrimPrefix(hash, "/")

    if hash == "" {
        return http.StatusBadRequest, nil
    }

    err := d.store.Share.Delete(hash)  // Missing ownership validation
    return errToStatus(err), err
})

PoC

Reproduce Steps:

Prerequisites: Two authenticated user accounts (User A and User B) with share permissions

Step 1: User A creates a share link and obtains the share hash (e.g., MEEuZK-v)

Step 2: User B authenticates and obtains a valid JWT token

Step 3: User B sends DELETE request to /api/share/MEEuZK-v with their own JWT token

Step 4: Observe that User A's share is deleted without authorization

DELETE /api/share/MEEuZK-v HTTP/1.1 Host: filebrowser.local Content-Type: application/json

Impact

The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.45.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T22:34:51Z",
    "nvd_published_at": "2025-11-12T23:15:39Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIt has been found an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application\u0027s share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users\u0027 shared links without authorization checks.\n\nThe impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.\n\n### Details\n**Technical Analysis**\n\nThe vulnerability exists in` /http/share.go` at lines 72-82. The shareDeleteHandler function processes deletion requests using only the share hash without comparing the link.UserID with the current authenticated user\u0027s ID (d.user.ID). This missing authorization check enables the vulnerability.\n\n```\nvar shareDeleteHandler = withPermShare(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {\n    hash := strings.TrimSuffix(r.URL.Path, \"/\")\n    hash = strings.TrimPrefix(hash, \"/\")\n\n    if hash == \"\" {\n        return http.StatusBadRequest, nil\n    }\n\n    err := d.store.Share.Delete(hash)  // Missing ownership validation\n    return errToStatus(err), err\n})\n```\n\n### PoC\n**Reproduce Steps:**\n\nPrerequisites: Two authenticated user accounts (User A and User B) with share permissions\n\nStep 1: User A creates a share link and obtains the share hash (e.g., MEEuZK-v)\n\nStep 2: User B authenticates and obtains a valid JWT token\n\nStep 3: User B sends DELETE request to /api/share/MEEuZK-v with their own JWT token\n\nStep 4: Observe that User A\u0027s share is deleted without authorization\n\nDELETE /api/share/MEEuZK-v HTTP/1.1\nHost: filebrowser.local\nContent-Type: application/json\n\n### Impact\n\nThe impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.",
  "id": "GHSA-6cqf-cfhv-659g",
  "modified": "2026-02-03T17:23:10Z",
  "published": "2025-11-13T22:34:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6cqf-cfhv-659g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64523"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/291223b3cefe1e50fae8f73d70464b1dc25351a4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function"
}

GHSA-6FPQ-HHV8-HC9F

Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-11 21:31
VLAI
Details

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-38568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-11T18:16:32Z",
    "severity": "HIGH"
  },
  "details": "HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/\u003cid\u003e and /interview/\u003cid\u003e endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user\u0027s candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.",
  "id": "GHSA-6fpq-hhv8-hc9f",
  "modified": "2026-05-11T21:31:32Z",
  "published": "2026-05-11T18:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38568"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StratonWebDesigners/HireFlow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-38568"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com/python/18688/hireflow-%E2%80%93-complete-interview-management-system.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.