Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3234 vulnerabilities reference this CWE, most recent first.

GHSA-78XV-3XPM-3HCQ

Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-22 00:00
VLAI
Details

The iQ Block Country WordPress plugin through 1.2.13 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-13T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "The iQ Block Country WordPress plugin through 1.2.13 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it\u0027s block feature by spoofing the headers.",
  "id": "GHSA-78xv-3xpm-3hcq",
  "modified": "2022-06-22T00:00:52Z",
  "published": "2022-06-14T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1762"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/03254977-37cc-4365-979b-326f9637be85"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-792C-2VQR-262X

Vulnerability from github – Published: 2024-12-17 15:31 – Updated: 2026-06-02 09:36
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse.This issue affects NG Analyser: before 2.2.711.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-17T13:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse.This issue affects NG Analyser: before 2.2.711.",
  "id": "GHSA-792c-2vqr-262x",
  "modified": "2026-06-02T09:36:14Z",
  "published": "2024-12-17T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9819"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1889"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-1889"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-795Q-XXMC-P2WG

Vulnerability from github – Published: 2022-03-28 00:00 – Updated: 2022-04-06 00:02
VLAI
Details

WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-27T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names.",
  "id": "GHSA-795q-xxmc-p2wg",
  "modified": "2022-04-06T00:02:13Z",
  "published": "2022-03-28T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26254"
    },
    {
      "type": "WEB",
      "url": "https://youtu.be/b665r1ZfCg4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-796C-RM6V-RCCX

Vulnerability from github – Published: 2026-07-03 06:32 – Updated: 2026-07-03 06:32
VLAI
Details

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the POST /motopress/appointment/v1/bookings REST endpoint being registered with 'permission_callback' => '__return_true', allowing unauthenticated access, while the createBooking handler in BookingsRestController.php accepts an attacker-supplied payment_details.booking_id value and loads the referenced booking via findById() without verifying that the caller owns or has any rights to that booking. This makes it possible for unauthenticated attackers to overwrite the customer name, email address, phone number, and customer_id of any non-confirmed victim booking by submitting a request with no reservation items, causing BookingService::createBooking() to load the existing victim booking object and persist it with attacker-controlled customer data. Victim booking IDs can be harvested prior to exploitation without authentication by querying the also-publicly-accessible GET /motopress/appointment/v1/bookings/reservations endpoint with a guessable service_id and date range, and only bookings whose status is not STATUS_CONFIRMED (e.g., pending or auto-draft) are valid targets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T06:16:22Z",
    "severity": "MODERATE"
  },
  "details": "The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the `POST /motopress/appointment/v1/bookings` REST endpoint being registered with `\u0027permission_callback\u0027 =\u003e \u0027__return_true\u0027`, allowing unauthenticated access, while the `createBooking` handler in `BookingsRestController.php` accepts an attacker-supplied `payment_details.booking_id` value and loads the referenced booking via `findById()` without verifying that the caller owns or has any rights to that booking. This makes it possible for unauthenticated attackers to overwrite the customer name, email address, phone number, and `customer_id` of any non-confirmed victim booking by submitting a request with no reservation items, causing `BookingService::createBooking()` to load the existing victim booking object and persist it with attacker-controlled customer data. Victim booking IDs can be harvested prior to exploitation without authentication by querying the also-publicly-accessible `GET /motopress/appointment/v1/bookings/reservations` endpoint with a guessable `service_id` and date range, and only bookings whose status is not `STATUS_CONFIRMED` (e.g., pending or auto-draft) are valid targets.",
  "id": "GHSA-796c-rm6v-rccx",
  "modified": "2026-07-03T06:32:07Z",
  "published": "2026-07-03T06:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9180"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L30"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L308"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L98"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/services/BookingService.php#L29"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3583168/motopress-appointment-lite/trunk/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9a6521d-39b2-48f4-834b-888047619df5?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-798J-RGHC-7F74

Vulnerability from github – Published: 2025-12-30 12:30 – Updated: 2026-01-20 15:32
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T11:16:01Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through \u003c= 1.7.",
  "id": "GHSA-798j-rghc-7f74",
  "modified": "2026-01-20T15:32:47Z",
  "published": "2025-12-30T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69032"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/fivestar/vulnerability/wordpress-fivestar-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Theme/fivestar/vulnerability/wordpress-fivestar-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79G9-878F-3C34

Vulnerability from github – Published: 2022-12-12 18:30 – Updated: 2022-12-15 15:32
VLAI
Details

The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-12T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more).",
  "id": "GHSA-79g9-878f-3c34",
  "modified": "2022-12-15T15:32:13Z",
  "published": "2022-12-12T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4097"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/15819d33-7497-4f7d-bbb8-b3ab147806c4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79RR-2P25-73C5

Vulnerability from github – Published: 2026-06-18 18:35 – Updated: 2026-06-18 18:35
VLAI
Details

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-18T17:16:33Z",
    "severity": "MODERATE"
  },
  "details": "The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the \u0027update-profile/\u0027 API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary \u0027user_id\u0027 parameter and receive a JSON response containing account-specific information, including the associated email address.",
  "id": "GHSA-79rr-2p25-73c5",
  "modified": "2026-06-18T18:35:24Z",
  "published": "2026-06-18T18:35:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54105"
    },
    {
      "type": "WEB",
      "url": "https://epds.gao.gov"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-54105"
    },
    {
      "type": "WEB",
      "url": "https://www.eds.cbca.gov/login"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-79W3-Q3H6-8V22

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 00:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fiorello: from n/a through <= 1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:32Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fiorello: from n/a through \u003c= 1.0.",
  "id": "GHSA-79w3-q3h6-8v22",
  "modified": "2026-01-27T00:31:12Z",
  "published": "2026-01-22T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22396"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/fiorello/vulnerability/wordpress-fiorello-theme-1-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CCV-HHVC-62HG

Vulnerability from github – Published: 2022-05-17 03:57 – Updated: 2025-04-14 20:49
VLAI
Summary
Apache Ranger allows users to bypass intended access restrictions via direct access to module URLs
Details

The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.ranger:ranger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-0266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-14T20:49:35Z",
    "nvd_published_at": "2016-04-11T19:59:00Z",
    "severity": "HIGH"
  },
  "details": "The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs.",
  "id": "GHSA-7ccv-hhvc-62hg",
  "modified": "2025-04-14T20:49:35Z",
  "published": "2022-05-17T03:57:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0266"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/ranger"
    },
    {
      "type": "WEB",
      "url": "https://mail-archives.apache.org/mod_mbox/ranger-dev/201508.mbox/%3CD1E7EC30.9D53F%25vel%40apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://mail-archives.apache.org/mod_mbox/ranger-dev/201508.mbox/%3CD1E7EC30.9D53F%25vel@apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228073944/http://www.securityfocus.com/bid/76221"
    },
    {
      "type": "WEB",
      "url": "http://www.slideshare.net/wojdwo/big-problems-with-big-data-hadoop-interfaces-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Ranger allows users to bypass intended access restrictions via direct access to module URLs"
}

GHSA-7CGV-V83V-RR87

Vulnerability from github – Published: 2022-09-23 00:00 – Updated: 2025-05-28 19:39
VLAI
Summary
HashiCorp Vault vulnerable to incorrect metadata access
Details

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-40186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-23T20:58:54Z",
    "nvd_published_at": "2022-09-22T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.",
  "id": "GHSA-7cgv-v83v-rr87",
  "modified": "2025-05-28T19:39:57Z",
  "published": "2022-09-23T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40186"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vault"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221111-0008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HashiCorp Vault vulnerable to incorrect metadata access"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.