CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3235 vulnerabilities reference this CWE, most recent first.
GHSA-6XRG-C3GP-J55V
Vulnerability from github – Published: 2025-10-15 06:31 – Updated: 2025-10-15 06:31The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts.
{
"affected": [],
"aliases": [
"CVE-2025-11176"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T06:15:38Z",
"severity": "MODERATE"
},
"details": "The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user\u0027s posts.",
"id": "GHSA-6xrg-c3gp-j55v",
"modified": "2025-10-15T06:31:09Z",
"published": "2025-10-15T06:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11176"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/quick-featured-images/tags/13.7.2/admin/class-Quick_Featured_Images_Columns.php#L506"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3376996%40quick-featured-images%2Ftrunk\u0026old=3271680%40quick-featured-images%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f9a1cfc-5e52-40da-bb9d-8f2b46d37c8c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-727R-MF78-GHXP
Vulnerability from github – Published: 2026-01-26 21:30 – Updated: 2026-06-30 03:35A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism.
{
"affected": [],
"aliases": [
"CVE-2025-14459"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-26T20:16:07Z",
"severity": "HIGH"
},
"details": "A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism.",
"id": "GHSA-727r-mf78-ghxp",
"modified": "2026-06-30T03:35:30Z",
"published": "2026-01-26T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14459"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0950"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-14459"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420938"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14459.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7286-PGFV-VXVH
Vulnerability from github – Published: 2023-10-11 12:30 – Updated: 2025-02-13 19:18Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.
Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.
Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.
See the documentation for more details on correct cluster administration.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.zookeeper:zookeeper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.zookeeper:zookeeper"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.zookeeper:zookeeper"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0"
},
{
"fixed": "3.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-44981"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-11T20:36:50Z",
"nvd_published_at": "2023-10-11T12:15:11Z",
"severity": "CRITICAL"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it\u0027s missing, like \u0027eve@EXAMPLE.COM\u0027, the authorization check will be skipped.\u00a0As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree.\u00a0Quorum Peer authentication is not enabled by default.\n\nUsers are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.\n\nAlternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.\n\nSee the documentation for more details on correct cluster administration.",
"id": "GHSA-7286-pgfv-vxvh",
"modified": "2025-02-13T19:18:13Z",
"published": "2023-10-11T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/zookeeper"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240621-0007"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5544"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/10/11/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper"
}
GHSA-729R-Q9XR-M8J5
Vulnerability from github – Published: 2022-04-07 00:00 – Updated: 2022-04-14 00:00OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account.
{
"affected": [],
"aliases": [
"CVE-2022-27108"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-06T15:15:00Z",
"severity": "MODERATE"
},
"details": "OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user\u0027s account.",
"id": "GHSA-729r-q9xr-m8j5",
"modified": "2022-04-14T00:00:30Z",
"published": "2022-04-07T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27108"
},
{
"type": "WEB",
"url": "https://github.com/orangehrm/orangehrm/issues/1173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-72F9-GHC4-FPV2
Vulnerability from github – Published: 2025-12-27 12:30 – Updated: 2025-12-27 12:30A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-15106"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-27T11:15:51Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-72f9-ghc4-fpv2",
"modified": "2025-12-27T12:30:12Z",
"published": "2025-12-27T12:30:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15106"
},
{
"type": "WEB",
"url": "https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338477"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338477"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.710268"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-72P9-6VV6-GVQH
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-01 19:47When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download.
One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-9712"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T19:47:20Z",
"nvd_published_at": "2026-05-27T15:16:36Z",
"severity": "LOW"
},
"details": "When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download.\n\nOne remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.",
"id": "GHSA-72p9-6vv6-gvqh",
"modified": "2026-07-01T19:47:20Z",
"published": "2026-05-27T15:33:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9712"
},
{
"type": "PACKAGE",
"url": "https://github.com/pretix/pretix"
},
{
"type": "WEB",
"url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "pretix vulnerable to Authorization Bypass Through User-Controlled Key"
}
GHSA-72PH-PRPQ-5J96
Vulnerability from github – Published: 2025-12-11 15:30 – Updated: 2026-06-04 09:30Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers.This issue affects ApplyLogic: through 01.12.2025.
{
"affected": [],
"aliases": [
"CVE-2025-13124"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-11T15:15:46Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers.This issue affects ApplyLogic: through 01.12.2025.",
"id": "GHSA-72ph-prpq-5j96",
"modified": "2026-06-04T09:30:33Z",
"published": "2025-12-11T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13124"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0447"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0447"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7362-RVW7-57JJ
Vulnerability from github – Published: 2025-04-15 21:31 – Updated: 2025-04-15 21:31Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
{
"affected": [],
"aliases": [
"CVE-2025-30514"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T21:15:57Z",
"severity": "MODERATE"
},
"details": "Unauthenticated attackers can obtain restricted information about a user\u0027s smart device collections (i.e., \"scenes\").",
"id": "GHSA-7362-rvw7-57jj",
"modified": "2025-04-15T21:31:45Z",
"published": "2025-04-15T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30514"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-736C-QMFV-4R4H
Vulnerability from github – Published: 2023-11-08 00:30 – Updated: 2023-11-15 18:30In the module "Order Duplicator " Clone and Delete Existing Order" (orderduplicate) in version <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address.
{
"affected": [],
"aliases": [
"CVE-2023-45380"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T23:15:07Z",
"severity": "HIGH"
},
"details": "In the module \"Order Duplicator \" Clone and Delete Existing Order\" (orderduplicate) in version \u003c= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address.",
"id": "GHSA-736c-qmfv-4r4h",
"modified": "2023-11-15T18:30:21Z",
"published": "2023-11-08T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45380"
},
{
"type": "WEB",
"url": "https://security.friendsofpresta.org/modules/2023/11/07/orderduplicate.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-73C8-QMPH-R39F
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32An Insecure Direct Object Reference (IDOR) vulnerability exists in the PATCH /v1/runs/:id/score endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the runId_score in the database. The endpoint does not sufficiently validate whether the authenticated user has permission to modify the specified runId, enabling an attacker with a valid account to modify other users' runId scores by specifying different id values. This issue was fixed in version 1.6.1.
{
"affected": [],
"aliases": [
"CVE-2024-11137"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:23Z",
"severity": "HIGH"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the `runId_score` in the database. The endpoint does not sufficiently validate whether the authenticated user has permission to modify the specified runId, enabling an attacker with a valid account to modify other users\u0027 runId scores by specifying different id values. This issue was fixed in version 1.6.1.",
"id": "GHSA-73c8-qmph-r39f",
"modified": "2025-03-20T12:32:41Z",
"published": "2025-03-20T12:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11137"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/ded72a95c220904a151d27daf3c67e8644e386c6"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/0a399d86-0105-4f48-a77b-9fa7d7054be8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.