CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3229 vulnerabilities reference this CWE, most recent first.
GHSA-68GW-R2X5-7R5R
Vulnerability from github – Published: 2022-12-23 12:30 – Updated: 2023-06-27 20:24Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4686"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T16:27:38Z",
"nvd_published_at": "2022-12-23T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0.",
"id": "GHSA-68gw-r2x5-7r5r",
"modified": "2023-06-27T20:24:50Z",
"published": "2022-12-23T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4686"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/dca35bde877aab6e64ef51b52e590b5d48f692f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/caa0b22c-501f-44eb-af65-65c315cd1637"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos Authorization Bypass Through User-Controlled Key vulnerability"
}
GHSA-68J5-4M99-W9W9
Vulnerability from github – Published: 2026-03-18 12:59 – Updated: 2026-03-20 21:16Summary
A permission enforcement flaw allows users without download privileges (download=false) to still expose and retrieve file content via public share links when they retain share privileges (share=true). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.
Details
The backend applies inconsistent authorization checks across download paths:
- Direct raw download correctly enforces
Perm.Download: - [raw.go](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)
- Share creation only enforces
Perm.Share: - [share.go](https://github.com/filebrowser/filebrowser/blob/master/http/share.go#21)
- Public share/download handlers serve shared content without verifying owner
Perm.Download: - public.go(filebrowser/http/public.go:18)
- public.go(filebrowser/http/public.go:116)
As a result, a user who is blocked from direct downloads can create a share and obtain the same file via /api/public/dl/<hash>.
PoC
- Create a non-admin user with:
perm.share = true-
perm.download = false -
Login as that user and upload a PDF file:
-
POST /api/resources/nodl_secret_<rand>.pdfwithContent-Type: application/pdf -
Verify direct raw download is denied:
GET /api/raw/nodl_secret_<rand>.pdf-
Expected and observed:
202 Accepted(blocked) -
Create share for same file:
POST /api/share/nodl_secret_<rand>.pdf-
Observed:
200, response includeshash(example:qxfK3JMG) -
Download publicly without authentication:
GET /api/public/dl/<hash>- Observed (vulnerable):
200,Content-Type: application/pdf, and PDF bytes are returned
Live evidence captured (March 1, 2026):
- create user: 201
- create file: 200
- direct /api/raw: 202 Accepted
- create share: 200
- public download /api/public/dl/mxK-ppZb: 200
- public download content-type: application/pdf
- public download body length: 327 bytes
Impact
This is an access control / authorization policy bypass vulnerability.
- Who can exploit: Any authenticated user granted
share=truebut denieddownload. - Who is impacted: Operators and organizations relying on download restrictions to prevent data export.
- What can happen: Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "https://github.com/filebrowser/filebrowser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.61.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32761"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T12:59:12Z",
"nvd_published_at": "2026-03-20T00:16:17Z",
"severity": "MODERATE"
},
"details": "### Summary\nA permission enforcement flaw allows users without download privileges (`download=false`) to still expose and retrieve file content via public share links when they retain share privileges (`share=true`). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.\n\n### Details\nThe backend applies inconsistent authorization checks across download paths:\n\n- Direct raw download correctly enforces `Perm.Download`:\n - [[raw.go](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)](filebrowser/http/raw.go:82)\n- Share creation only enforces `Perm.Share`:\n - [[share.go](https://github.com/filebrowser/filebrowser/blob/master/http/share.go#21)](filebrowser/http/share.go:21)\n- Public share/download handlers serve shared content without verifying owner `Perm.Download`:\n - [public.go](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#18)(filebrowser/http/public.go:18)\n - [public.go](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#116)(filebrowser/http/public.go:116)\n\nAs a result, a user who is blocked from direct downloads can create a share and obtain the same file via `/api/public/dl/\u003chash\u003e`.\n\n### PoC\n\n1. Create a non-admin user with:\n- `perm.share = true`\n- `perm.download = false`\n\n2. Login as that user and upload a **PDF** file:\n- `POST /api/resources/nodl_secret_\u003crand\u003e.pdf` with `Content-Type: application/pdf`\n\n3. Verify direct raw download is denied:\n- `GET /api/raw/nodl_secret_\u003crand\u003e.pdf`\n- Expected and observed: `202 Accepted` (blocked)\n\n4. Create share for same file:\n- `POST /api/share/nodl_secret_\u003crand\u003e.pdf`\n- Observed: `200`, response includes `hash` (example: `qxfK3JMG`)\n\n5. Download publicly without authentication:\n- `GET /api/public/dl/\u003chash\u003e`\n- Observed (vulnerable): `200`, `Content-Type: application/pdf`, and PDF bytes are returned\n\nLive evidence captured (March 1, 2026):\n- `create user`: `201`\n- `create file`: `200`\n- `direct /api/raw`: `202 Accepted`\n- `create share`: `200`\n- `public download /api/public/dl/mxK-ppZb`: `200`\n- `public download content-type`: `application/pdf`\n- `public download body length`: `327` bytes\n\n### Impact\nThis is an **access control / authorization policy bypass** vulnerability.\n\n- **Who can exploit:** Any authenticated user granted `share=true` but denied `download`.\n- **Who is impacted:** Operators and organizations relying on download restrictions to prevent data export.\n- **What can happen:** Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.",
"id": "GHSA-68j5-4m99-w9w9",
"modified": "2026-03-20T21:16:13Z",
"published": "2026-03-18T12:59:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32761"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32"
},
{
"type": "PACKAGE",
"url": "https://github.com/filebrowser/filebrowser"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "File Browser has an Authorization Policy Bypass in Public Share Download Flow"
}
GHSA-68QQ-4WV4-QX36
Vulnerability from github – Published: 2025-11-21 15:31 – Updated: 2025-11-21 15:31The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.
{
"affected": [],
"aliases": [
"CVE-2025-10039"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-21T13:15:45Z",
"severity": "MODERATE"
},
"details": "The ELEX WordPress HelpDesk \u0026 Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the \u0027eh_crm_ticket_single_view_client\u0027 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.",
"id": "GHSA-68qq-4wv4-qx36",
"modified": "2025-11-21T15:31:25Z",
"published": "2025-11-21T15:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10039"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php#L259"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3391342"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ffc0af-9c3d-4f8e-ae0b-e51c0c67dfe1?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-68W5-W573-Q2R8
Vulnerability from github – Published: 2026-05-11 17:58 – Updated: 2026-05-19 16:09MantisBT allows a low-privileged authenticated user having add_profile_threshold to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request.
Impact
Authentication bypass
Patches
- 3f952e68fa864e0e60abc3e84adecf3cfa84c75e
Workarounds
None
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issues.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "2.28.0"
},
{
"fixed": "2.28.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33052"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T17:58:50Z",
"nvd_published_at": "2026-05-19T02:16:15Z",
"severity": "MODERATE"
},
"details": "MantisBT allows a low-privileged authenticated user having *add_profile_threshold* to create a global profile despite not having *manage_global_profile_threshold*, by tampering with the user_id parameter in a valid profile creation request.\n\n### Impact\nAuthentication bypass\n\n### Patches\n- 3f952e68fa864e0e60abc3e84adecf3cfa84c75e\n\n### Workarounds\nNone\n\n### Credits\nThanks to Vishal Shukla for discovering and responsibly reporting the issues.",
"id": "GHSA-68w5-w573-q2r8",
"modified": "2026-05-19T16:09:47Z",
"published": "2026-05-11T17:58:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33052"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/releases/tag/release-2.28.2"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=36974"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MantisBT Has Authorization Bypass in Global Profile Creation"
}
GHSA-6963-573W-VXVF
Vulnerability from github – Published: 2026-03-26 06:30 – Updated: 2026-03-26 06:30The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.
{
"affected": [],
"aliases": [
"CVE-2026-1206"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T06:16:09Z",
"severity": "MODERATE"
},
"details": "The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the \u0027template_id\u0027 supplied to the \u0027get_template_data\u0027 action of the \u0027elementor_ajax\u0027 endpoint.",
"id": "GHSA-6963-573w-vxvf",
"modified": "2026-03-26T06:30:21Z",
"published": "2026-03-26T06:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1206"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3489160/elementor/trunk/includes/template-library/sources/local.php?old=3473768\u0026old_path=elementor%2Ftrunk%2Fincludes%2Ftemplate-library%2Fsources%2Flocal.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-69GG-PVP7-2FX5
Vulnerability from github – Published: 2026-07-01 09:30 – Updated: 2026-07-01 09:30The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own — including site-wide surfaces via the reserved 'template' and 'widget' page_id values — enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.
{
"affected": [],
"aliases": [
"CVE-2026-10096"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T08:16:19Z",
"severity": "MODERATE"
},
"details": "The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the \u0027page_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own \u2014 including site-wide surfaces via the reserved \u0027template\u0027 and \u0027widget\u0027 page_id values \u2014 enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint\u0027s permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.",
"id": "GHSA-69gg-pvp7-2fx5",
"modified": "2026-07-01T09:30:25Z",
"published": "2026-07-01T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10096"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L134"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L142"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L82"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3572812%40qi-blocks\u0026new=3572812%40qi-blocks\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64251fd4-1627-49d0-831f-5cb9898c38bf?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6CCC-8WGJ-7RF9
Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2024-04-04 05:53The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
{
"affected": [],
"aliases": [
"CVE-2023-3219"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T16:15:55Z",
"severity": "MODERATE"
},
"details": "The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.",
"id": "GHSA-6ccc-8wgj-7rf9",
"modified": "2024-04-04T05:53:33Z",
"published": "2023-07-10T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3219"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/72d80887-0270-4987-9739-95b1a178c1fd"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173992/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6CJ8-H4PG-P2JV
Vulnerability from github – Published: 2023-08-10 15:30 – Updated: 2024-04-04 06:48Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.
{
"affected": [],
"aliases": [
"CVE-2023-37543"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-10T15:15:09Z",
"severity": "HIGH"
},
"details": "Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.",
"id": "GHSA-6cj8-h4pg-p2jv",
"modified": "2024-04-04T06:48:28Z",
"published": "2023-08-10T15:30:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37543"
},
{
"type": "WEB",
"url": "https://medium.com/%40hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed"
},
{
"type": "WEB",
"url": "https://medium.com/@hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6CQF-CFHV-659G
Vulnerability from github – Published: 2025-11-13 22:34 – Updated: 2026-02-03 17:23Summary
It has been found an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks.
The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.
Details
Technical Analysis
The vulnerability exists in/http/share.go at lines 72-82. The shareDeleteHandler function processes deletion requests using only the share hash without comparing the link.UserID with the current authenticated user's ID (d.user.ID). This missing authorization check enables the vulnerability.
var shareDeleteHandler = withPermShare(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
hash := strings.TrimSuffix(r.URL.Path, "/")
hash = strings.TrimPrefix(hash, "/")
if hash == "" {
return http.StatusBadRequest, nil
}
err := d.store.Share.Delete(hash) // Missing ownership validation
return errToStatus(err), err
})
PoC
Reproduce Steps:
Prerequisites: Two authenticated user accounts (User A and User B) with share permissions
Step 1: User A creates a share link and obtains the share hash (e.g., MEEuZK-v)
Step 2: User B authenticates and obtains a valid JWT token
Step 3: User B sends DELETE request to /api/share/MEEuZK-v with their own JWT token
Step 4: Observe that User A's share is deleted without authorization
DELETE /api/share/MEEuZK-v HTTP/1.1 Host: filebrowser.local Content-Type: application/json
Impact
The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.45.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64523"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T22:34:51Z",
"nvd_published_at": "2025-11-12T23:15:39Z",
"severity": "HIGH"
},
"details": "### Summary\nIt has been found an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application\u0027s share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users\u0027 shared links without authorization checks.\n\nThe impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.\n\n### Details\n**Technical Analysis**\n\nThe vulnerability exists in` /http/share.go` at lines 72-82. The shareDeleteHandler function processes deletion requests using only the share hash without comparing the link.UserID with the current authenticated user\u0027s ID (d.user.ID). This missing authorization check enables the vulnerability.\n\n```\nvar shareDeleteHandler = withPermShare(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {\n hash := strings.TrimSuffix(r.URL.Path, \"/\")\n hash = strings.TrimPrefix(hash, \"/\")\n\n if hash == \"\" {\n return http.StatusBadRequest, nil\n }\n\n err := d.store.Share.Delete(hash) // Missing ownership validation\n return errToStatus(err), err\n})\n```\n\n### PoC\n**Reproduce Steps:**\n\nPrerequisites: Two authenticated user accounts (User A and User B) with share permissions\n\nStep 1: User A creates a share link and obtains the share hash (e.g., MEEuZK-v)\n\nStep 2: User B authenticates and obtains a valid JWT token\n\nStep 3: User B sends DELETE request to /api/share/MEEuZK-v with their own JWT token\n\nStep 4: Observe that User A\u0027s share is deleted without authorization\n\nDELETE /api/share/MEEuZK-v HTTP/1.1\nHost: filebrowser.local\nContent-Type: application/json\n\n### Impact\n\nThe impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.",
"id": "GHSA-6cqf-cfhv-659g",
"modified": "2026-02-03T17:23:10Z",
"published": "2025-11-13T22:34:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6cqf-cfhv-659g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64523"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/commit/291223b3cefe1e50fae8f73d70464b1dc25351a4"
},
{
"type": "PACKAGE",
"url": "https://github.com/filebrowser/filebrowser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function"
}
GHSA-6FPQ-HHV8-HC9F
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-11 21:31HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.
{
"affected": [],
"aliases": [
"CVE-2026-38568"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T18:16:32Z",
"severity": "HIGH"
},
"details": "HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/\u003cid\u003e and /interview/\u003cid\u003e endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user\u0027s candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.",
"id": "GHSA-6fpq-hhv8-hc9f",
"modified": "2026-05-11T21:31:32Z",
"published": "2026-05-11T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38568"
},
{
"type": "WEB",
"url": "https://github.com/StratonWebDesigners/HireFlow"
},
{
"type": "WEB",
"url": "https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-38568"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com/python/18688/hireflow-%E2%80%93-complete-interview-management-system.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.