CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3238 vulnerabilities reference this CWE, most recent first.
GHSA-7WRV-9F62-9F8C
Vulnerability from github – Published: 2024-10-17 03:31 – Updated: 2024-10-17 03:31The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
{
"affected": [],
"aliases": [
"CVE-2024-9862"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-17T02:15:03Z",
"severity": "CRITICAL"
},
"details": "The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.",
"id": "GHSA-7wrv-9f62-9f8c",
"modified": "2024-10-17T03:31:31Z",
"published": "2024-10-17T03:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9862"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.php#L236"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file3"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c3df12d-e526-4a23-89d3-bfdcea9f7b2d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7X43-MPFG-R9WJ
Vulnerability from github – Published: 2026-03-03 20:38 – Updated: 2026-03-04 18:38The GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view.
Vulnerability Details
craft\services\Elements::parseRefs identifies reference tags and resolves them using _getRefTokenReplacement. This method fetches the referenced element and accesses the specified attribute via $element->$attribute.
- Missing Auth Check: It bypasses
canView()checks. - Polymorphic Access:
getElementTypeByRefHandleallows referencing any element type (entry, asset, user, category). - Custom Field Access: Since Craft elements use
__get()to resolve custom field handles, an attacker is not limited to core attributes. They can exfiltrate any custom field data by enumerating the field handle (e.g.{entry:123:privateNotes}).
Attack Vectors
- Privilege Escalation / User Data Leak
An attacker can enumerate sensitive attributes of administrators or other users.
-
Payload:
{user:1:email}or{user:1:photoId} -
Arbitrary Property Reflection & Server-Side Logic Execution
The vulnerability allows reflecting any accessible property of the underlying Element model.
- Username/Admin Enumeration:
{user:1:username}(Confirmed: returns admin), {user:1:admin}. -
Internal Path Disclosure: Accessing methods that trigger errors (e.g.,
{user:1:authKey}) exposes full server stack traces in the GraphQL error response (e.g., Exception: No user session token exists with paths like/var/www/html/...). -
IDOR on Private Entries & Assets (Polymorphism)
The vulnerability is not limited to Users. Reference tags can target any element type.
- Payload:
{entry:456:myConfidentialField}(Bypasses canView checks). -
Asset Path Leakage:
{volume:1:path}can expose internal file system paths. -
Unauthenticated Exploitation (Public Schema)
Confirmed locally. The @parseRefs directive is active in the Public Schema. By injecting a payload into a public-facing field (e.g., a "News" entry title), an unauthenticated guest can trigger the resolution and retrieve the sensitive output.
Steps to Reproduce
- Setup (Admin Panel):
- Create a Section (e.g., "News") and an Entry Type.
- Create a new Entry in that section. Set the Title to the payload: {user:1:username} or {user:1:email}.
-
Go to GraphQL > Schemas > Public Schema. Enable it, and ensure "Query for elements in the Site" and "News" section queries are checked.
-
Execute Exploit (Unauthenticated):
- Send a POST request to http://localhost:8000/index.php?action=graphql/api:
curl -X POST \
-H "Content-Type: application/json" \
-d '{"query": "{ entries { title @parseRefs } }"}'
- Observation:
- The API returns
{"data":{"entries":[{"title":"admin"}]}}(or the email). - Using
{user:1:authKey}triggers an internal server error that leaks the full server path in string format.
Impact
- Critical Information Disclosure: Full PII enumeration (emails, usernames).
- System Information Leakage: Absolute server paths via stack traces.
- Authentication Bypass: Guest accounts can effectively query the database as the system user.
Recommended Fix
Modify Elements::parseRefs to enforce canView permissions on the resolved element before extracting attributes.
References
https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.17.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.9.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28696"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T20:38:55Z",
"nvd_published_at": "2026-03-04T17:16:21Z",
"severity": "HIGH"
},
"details": "The GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view.\n\n## Vulnerability Details\n\n`craft\\services\\Elements::parseRefs` identifies reference tags and resolves them using `_getRefTokenReplacement`. This method fetches the referenced element and accesses the specified attribute via $element-\u003e$attribute.\n\n- Missing Auth Check: It bypasses `canView()` checks.\n- Polymorphic Access: `getElementTypeByRefHandle` allows referencing any element type (entry, asset, user, category).\n- Custom Field Access: Since Craft elements use `__get()` to resolve custom field handles, an attacker is not limited to core attributes. They can exfiltrate any custom field data by enumerating the field handle (e.g. `{entry:123:privateNotes}`).\n\n## Attack Vectors\n\n1. Privilege Escalation / User Data Leak\n\nAn attacker can enumerate sensitive attributes of administrators or other users.\n\n- Payload: `{user:1:email}` or `{user:1:photoId}`\n\n2. Arbitrary Property Reflection \u0026 Server-Side Logic Execution\n\nThe vulnerability allows reflecting any accessible property of the underlying Element model.\n\n- Username/Admin Enumeration: `{user:1:username}` (Confirmed: returns admin), {user:1:admin}.\n- Internal Path Disclosure: Accessing methods that trigger errors (e.g., `{user:1:authKey}`) exposes full server stack traces in the GraphQL error response (e.g., Exception: No user session token exists with paths like `/var/www/html/...`).\n\n3. IDOR on Private Entries \u0026 Assets (Polymorphism)\n\nThe vulnerability is not limited to Users. Reference tags can target any element type.\n\n- Payload: `{entry:456:myConfidentialField}` (Bypasses canView checks).\n- Asset Path Leakage: `{volume:1:path}` can expose internal file system paths.\n\n4. Unauthenticated Exploitation (Public Schema)\n\nConfirmed locally. The `@parseRefs` directive is active in the Public Schema. By injecting a payload into a public-facing field (e.g., a \"News\" entry title), an unauthenticated guest can trigger the resolution and retrieve the sensitive output.\n\n## Steps to Reproduce\n\n1. Setup (Admin Panel):\n- Create a Section (e.g., \"News\") and an Entry Type.\n- Create a new Entry in that section. Set the Title to the payload: {user:1:username} or {user:1:email}.\n- Go to GraphQL \u003e Schemas \u003e Public Schema. Enable it, and ensure \"Query for elements in the Site\" and \"News\" section queries are checked.\n\n2. Execute Exploit (Unauthenticated):\n- Send a POST request to http://localhost:8000/index.php?action=graphql/api:\n```\ncurl -X POST \\\n-H \"Content-Type: application/json\" \\\n-d \u0027{\"query\": \"{ entries { title @parseRefs } }\"}\u0027\n```\n\n3. Observation:\n- The API returns `{\"data\":{\"entries\":[{\"title\":\"admin\"}]}}` (or the email).\n- Using `{user:1:authKey}` triggers an internal server error that leaks the full server path in string format.\n\n## Impact\n\n- Critical Information Disclosure: Full PII enumeration (emails, usernames).\n- System Information Leakage: Absolute server paths via stack traces.\n- Authentication Bypass: Guest accounts can effectively query the database as the system user.\n\n## Recommended Fix\n\nModify `Elements::parseRefs` to enforce `canView` permissions on the resolved element before extracting attributes.\n\n## References\n\nhttps://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9",
"id": "GHSA-7x43-mpfg-r9wj",
"modified": "2026-03-04T18:38:55Z",
"published": "2026-03-03T20:38:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28696"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS has IDOR via GraphQL @parseRefs"
}
GHSA-7XF5-P4G6-46V7
Vulnerability from github – Published: 2024-03-13 18:31 – Updated: 2026-04-08 18:32The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled 'guid' key. This makes it possible for unauthenticated attackers to view draft posts that may contain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-0839"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-13T16:15:14Z",
"severity": "MODERATE"
},
"details": "The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled \u0027guid\u0027 key. This makes it possible for unauthenticated attackers to view draft posts that may contain sensitive information.",
"id": "GHSA-7xf5-p4g6-46v7",
"modified": "2026-04-08T18:32:44Z",
"published": "2024-03-13T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0839"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3078610%40feedwordpress%2Ftrunk\u0026old=3048697%40feedwordpress%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/feedwordpress"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ead46fd-5744-4fbb-9efd-980f9216abbc?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-822C-PCP6-4R68
Vulnerability from github – Published: 2025-07-21 09:33 – Updated: 2026-06-06 09:31Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.This issue affects Eyotek: before 11.03.2025.
{
"affected": [],
"aliases": [
"CVE-2025-1469"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-21T09:15:24Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.This issue affects Eyotek: before 11.03.2025.",
"id": "GHSA-822c-pcp6-4r68",
"modified": "2026-06-06T09:31:12Z",
"published": "2025-07-21T09:33:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1469"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0163"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0163"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-828G-2RQ8-F3HV
Vulnerability from github – Published: 2026-01-05 12:30 – Updated: 2026-04-01 18:36Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8.
{
"affected": [],
"aliases": [
"CVE-2025-68044"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-05T11:17:41Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8.",
"id": "GHSA-828g-2rq8-f3hv",
"modified": "2026-04-01T18:36:31Z",
"published": "2026-01-05T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68044"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-82G8-5XQH-RC4V
Vulnerability from github – Published: 2024-08-19 00:31 – Updated: 2026-04-01 18:31Authorization Bypass Through User-Controlled Key vulnerability in WP Job Portal.This issue affects WP Job Portal: from n/a through 2.1.6.
{
"affected": [],
"aliases": [
"CVE-2024-43266"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-18T22:15:09Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in WP Job Portal.This issue affects WP Job Portal: from n/a through 2.1.6.",
"id": "GHSA-82g8-5xqh-rc4v",
"modified": "2026-04-01T18:31:53Z",
"published": "2024-08-19T00:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43266"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-a-complete-job-board-plugin-2-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-job-portal/wordpress-wp-job-portal-a-complete-job-board-plugin-2-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-82M2-M9PG-5CPP
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter).
{
"affected": [],
"aliases": [
"CVE-2018-16606"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-06T16:29:00Z",
"severity": "MODERATE"
},
"details": "In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors\u0027 personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter).",
"id": "GHSA-82m2-m9pg-5cpp",
"modified": "2022-05-13T01:19:16Z",
"published": "2022-05-13T01:19:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16606"
},
{
"type": "WEB",
"url": "https://blog.ziaurrashid.com/idor-on-proconf-peer-reviewand-conference-management-system"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/149259/IDOR-On-ProConf-Peer-Review-And-Conference-Management-6.0-File-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-82MX-JRGC-3RXP
Vulnerability from github – Published: 2024-12-12 09:31 – Updated: 2024-12-12 09:31The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 9.9.9.3 via the 'wp_reusable_render' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-11181"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T07:15:08Z",
"severity": "MODERATE"
},
"details": "The Greenshift \u2013 animation and page builder blocks plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 9.9.9.3 via the \u0027wp_reusable_render\u0027 shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.",
"id": "GHSA-82mx-jrgc-3rxp",
"modified": "2024-12-12T09:31:35Z",
"published": "2024-12-12T09:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11181"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/trunk/settings.php#L1236"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/trunk/settings.php#L43"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3203829/greenshift-animation-and-page-builder-blocks/trunk/settings.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06047667-2a24-4e1c-9389-11daceff4d23?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-82PV-JQW9-HWX5
Vulnerability from github – Published: 2025-02-04 09:31 – Updated: 2025-02-04 09:31The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts.
{
"affected": [],
"aliases": [
"CVE-2024-12046"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-04T08:15:28Z",
"severity": "MODERATE"
},
"details": "The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the \u0027namedical_elementor_template\u0027 shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts.",
"id": "GHSA-82pv-jqw9-hwx5",
"modified": "2025-02-04T09:31:07Z",
"published": "2025-02-04T09:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12046"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/medical-addon-for-elementor/trunk/elementor/lib/lib.php#L12"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/medical-addon-for-elementor/trunk/elementor/lib/lib.php#L24"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3230459"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f4c4ec-bdb5-4f27-8ee3-060de9b62502?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-832Q-9R5F-PPX5
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts
{
"affected": [],
"aliases": [
"CVE-2026-3020"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:19:45Z",
"severity": "HIGH"
},
"details": "Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim\u0027s email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users\u0027 legitimate accounts",
"id": "GHSA-832q-9r5f-ppx5",
"modified": "2026-03-16T15:30:43Z",
"published": "2026-03-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3020"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wakyma-application-web"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.