CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3238 vulnerabilities reference this CWE, most recent first.
GHSA-7Q3W-XQJW-G3CR
Vulnerability from github – Published: 2026-06-11 20:26 – Updated: 2026-06-11 20:26The recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.50"
},
"package": {
"ecosystem": "Packagist",
"name": "filament/tables"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.3.51"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.11.3"
},
"package": {
"ecosystem": "Packagist",
"name": "filament/actions"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.6.3"
},
"package": {
"ecosystem": "Packagist",
"name": "filament/actions"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48067"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T20:26:07Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The `recordSelectOptionsQuery()` method may be used to scope the options available in the `Select` field for `AttachAction` and `AssociateAction`. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component\u0027s state and submit an out-of-scope value.",
"id": "GHSA-7q3w-xqjw-g3cr",
"modified": "2026-06-11T20:26:07Z",
"published": "2026-06-11T20:26:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr"
},
{
"type": "PACKAGE",
"url": "https://github.com/filamentphp/filament"
},
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/releases/tag/v3.3.51"
},
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/releases/tag/v4.11.4"
},
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/releases/tag/v5.6.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields"
}
GHSA-7QFC-F7PW-CRM3
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2024-04-04 02:42An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function.
{
"affected": [],
"aliases": [
"CVE-2019-19616"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-06T03:15:00Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function.",
"id": "GHSA-7qfc-f7pw-crm3",
"modified": "2024-04-04T02:42:17Z",
"published": "2022-05-24T17:02:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19616"
},
{
"type": "WEB",
"url": "http://www.nolanbkennedy.com/post/insecure-direct-object-reference-idor-in-xtivia-web-time-and-expense-webte"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7QQC-26MG-M329
Vulnerability from github – Published: 2025-11-13 06:30 – Updated: 2025-11-13 06:30The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.
{
"affected": [],
"aliases": [
"CVE-2025-12366"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-13T04:15:45Z",
"severity": "MODERATE"
},
"details": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.",
"id": "GHSA-7qqc-26mg-m329",
"modified": "2025-11-13T06:30:24Z",
"published": "2025-11-13T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12366"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/pagelayer/tags/2.0.4/main/replace-media.php#L31"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394407%40pagelayer%2Ftrunk\u0026old=3384061%40pagelayer%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2216d82c-29ae-4355-8118-6ebc49726c12?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7R8M-5C4M-7J6C
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2025-12-08 21:30An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege.
We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later
{
"affected": [],
"aliases": [
"CVE-2024-50395"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T16:15:32Z",
"severity": "MODERATE"
},
"details": "An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege.\n\nWe have already fixed the vulnerability in the following version:\nMedia Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later",
"id": "GHSA-7r8m-5c4m-7j6c",
"modified": "2025-12-08T21:30:17Z",
"published": "2024-11-22T21:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50395"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-24-47"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7R8M-V3X4-CRWV
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-11 18:30Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls.
{
"affected": [],
"aliases": [
"CVE-2025-61075"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T16:18:00Z",
"severity": "HIGH"
},
"details": "Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls.",
"id": "GHSA-7r8m-v3x4-crwv",
"modified": "2025-12-11T18:30:42Z",
"published": "2025-12-09T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61075"
},
{
"type": "WEB",
"url": "https://no-sec.net/posts/cve-2025-61075"
},
{
"type": "WEB",
"url": "https://www.adata.de/mitarbeiter-portal"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7R8P-M878-X7QG
Vulnerability from github – Published: 2025-12-04 21:31 – Updated: 2025-12-04 21:31Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: before December 4, 2025.
{
"affected": [],
"aliases": [
"CVE-2025-12997"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T20:16:17Z",
"severity": "LOW"
},
"details": "Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: before December 4, 2025.",
"id": "GHSA-7r8p-m878-x7qg",
"modified": "2025-12-04T21:31:05Z",
"published": "2025-12-04T21:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12997"
},
{
"type": "WEB",
"url": "https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7R98-6GHP-7MFV
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6 allows attacker to view unauthorized resources via HTTP or HTTPS requests.
{
"affected": [],
"aliases": [
"CVE-2024-21759"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T16:15:04Z",
"severity": "MODERATE"
},
"details": "An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6 allows attacker to view unauthorized resources via HTTP or HTTPS requests.",
"id": "GHSA-7r98-6ghp-7mfv",
"modified": "2024-07-09T18:30:48Z",
"published": "2024-07-09T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21759"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RM2-XQ32-WW37
Vulnerability from github – Published: 2023-08-30 15:30 – Updated: 2024-04-04 07:17The All Users Messenger WordPress plugin through 1.24 does not prevent non-administrator users from deleting messages from the all-users messenger.
{
"affected": [],
"aliases": [
"CVE-2023-4023"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-30T15:15:09Z",
"severity": "MODERATE"
},
"details": "The All Users Messenger WordPress plugin through 1.24 does not prevent non-administrator users from deleting messages from the all-users messenger.",
"id": "GHSA-7rm2-xq32-ww37",
"modified": "2024-04-04T07:17:39Z",
"published": "2023-08-30T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4023"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/682c0226-28bd-4051-830d-8b679626213d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RQ4-XGXV-P42R
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
{
"affected": [],
"aliases": [
"CVE-2017-15209"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-11T01:32:00Z",
"severity": "MODERATE"
},
"details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.",
"id": "GHSA-7rq4-xgxv-p42r",
"modified": "2022-05-13T01:43:41Z",
"published": "2022-05-13T01:43:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15209"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/7100f6de8a1f566e260b3e65312767e4cde112b1"
},
{
"type": "WEB",
"url": "https://kanboard.net/news/version-1.0.47"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/10/04/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RQP-QM5J-JM9C
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI.
{
"affected": [],
"aliases": [
"CVE-2019-16340"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI.",
"id": "GHSA-7rqp-qm5j-jm9c",
"modified": "2022-05-24T17:01:40Z",
"published": "2022-05-24T17:01:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16340"
},
{
"type": "WEB",
"url": "https://puzzor.github.io/Linksys-Velop-Authentication-bypass"
},
{
"type": "WEB",
"url": "https://www.linksys.com/us/support-article?articleNum=207568"
},
{
"type": "WEB",
"url": "http://s3.amazonaws.com/downloads.linksys.com/support/assets/releasenotes/WHW03_A03_Velop_Customer_Release_Notes_1.1.9.195026.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.