Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3238 vulnerabilities reference this CWE, most recent first.

GHSA-7Q3W-XQJW-G3CR

Vulnerability from github – Published: 2026-06-11 20:26 – Updated: 2026-06-11 20:26
VLAI
Summary
Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
Details

The recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.3.50"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "filament/tables"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.51"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.11.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "filament/actions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.6.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "filament/actions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T20:26:07Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The `recordSelectOptionsQuery()` method may be used to scope the options available in the `Select` field for `AttachAction` and `AssociateAction`. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component\u0027s state and submit an out-of-scope value.",
  "id": "GHSA-7q3w-xqjw-g3cr",
  "modified": "2026-06-11T20:26:07Z",
  "published": "2026-06-11T20:26:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filamentphp/filament"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filamentphp/filament/releases/tag/v3.3.51"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filamentphp/filament/releases/tag/v4.11.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filamentphp/filament/releases/tag/v5.6.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields"
}

GHSA-7QFC-F7PW-CRM3

Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2024-04-04 02:42
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-06T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function.",
  "id": "GHSA-7qfc-f7pw-crm3",
  "modified": "2024-04-04T02:42:17Z",
  "published": "2022-05-24T17:02:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19616"
    },
    {
      "type": "WEB",
      "url": "http://www.nolanbkennedy.com/post/insecure-direct-object-reference-idor-in-xtivia-web-time-and-expense-webte"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QQC-26MG-M329

Vulnerability from github – Published: 2025-11-13 06:30 – Updated: 2025-11-13 06:30
VLAI
Details

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-13T04:15:45Z",
    "severity": "MODERATE"
  },
  "details": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.",
  "id": "GHSA-7qqc-26mg-m329",
  "modified": "2025-11-13T06:30:24Z",
  "published": "2025-11-13T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12366"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/pagelayer/tags/2.0.4/main/replace-media.php#L31"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394407%40pagelayer%2Ftrunk\u0026old=3384061%40pagelayer%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2216d82c-29ae-4355-8118-6ebc49726c12?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R8M-5C4M-7J6C

Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2025-12-08 21:30
VLAI
Details

An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege.

We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T16:15:32Z",
    "severity": "MODERATE"
  },
  "details": "An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege.\n\nWe have already fixed the vulnerability in the following version:\nMedia Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later",
  "id": "GHSA-7r8m-5c4m-7j6c",
  "modified": "2025-12-08T21:30:17Z",
  "published": "2024-11-22T21:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50395"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-24-47"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7R8M-V3X4-CRWV

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-11 18:30
VLAI
Details

Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T16:18:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls.",
  "id": "GHSA-7r8m-v3x4-crwv",
  "modified": "2025-12-11T18:30:42Z",
  "published": "2025-12-09T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61075"
    },
    {
      "type": "WEB",
      "url": "https://no-sec.net/posts/cve-2025-61075"
    },
    {
      "type": "WEB",
      "url": "https://www.adata.de/mitarbeiter-portal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R8P-M878-X7QG

Vulnerability from github – Published: 2025-12-04 21:31 – Updated: 2025-12-04 21:31
VLAI
Details

Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: before December 4, 2025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-04T20:16:17Z",
    "severity": "LOW"
  },
  "details": "Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: before December 4, 2025.",
  "id": "GHSA-7r8p-m878-x7qg",
  "modified": "2025-12-04T21:31:05Z",
  "published": "2025-12-04T21:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12997"
    },
    {
      "type": "WEB",
      "url": "https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R98-6GHP-7MFV

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30
VLAI
Details

An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6 allows attacker to view unauthorized resources via HTTP or HTTPS requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T16:15:04Z",
    "severity": "MODERATE"
  },
  "details": "An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6 allows attacker to view unauthorized resources via HTTP or HTTPS requests.",
  "id": "GHSA-7r98-6ghp-7mfv",
  "modified": "2024-07-09T18:30:48Z",
  "published": "2024-07-09T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21759"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RM2-XQ32-WW37

Vulnerability from github – Published: 2023-08-30 15:30 – Updated: 2024-04-04 07:17
VLAI
Details

The All Users Messenger WordPress plugin through 1.24 does not prevent non-administrator users from deleting messages from the all-users messenger.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-30T15:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The All Users Messenger WordPress plugin through 1.24 does not prevent non-administrator users from deleting messages from the all-users messenger.",
  "id": "GHSA-7rm2-xq32-ww37",
  "modified": "2024-04-04T07:17:39Z",
  "published": "2023-08-30T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4023"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/682c0226-28bd-4051-830d-8b679626213d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RQ4-XGXV-P42R

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-11T01:32:00Z",
    "severity": "MODERATE"
  },
  "details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.",
  "id": "GHSA-7rq4-xgxv-p42r",
  "modified": "2022-05-13T01:43:41Z",
  "published": "2022-05-13T01:43:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/7100f6de8a1f566e260b3e65312767e4cde112b1"
    },
    {
      "type": "WEB",
      "url": "https://kanboard.net/news/version-1.0.47"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/10/04/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RQP-QM5J-JM9C

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01
VLAI
Details

Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI.",
  "id": "GHSA-7rqp-qm5j-jm9c",
  "modified": "2022-05-24T17:01:40Z",
  "published": "2022-05-24T17:01:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16340"
    },
    {
      "type": "WEB",
      "url": "https://puzzor.github.io/Linksys-Velop-Authentication-bypass"
    },
    {
      "type": "WEB",
      "url": "https://www.linksys.com/us/support-article?articleNum=207568"
    },
    {
      "type": "WEB",
      "url": "http://s3.amazonaws.com/downloads.linksys.com/support/assets/releasenotes/WHW03_A03_Velop_Customer_Release_Notes_1.1.9.195026.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.