Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3240 vulnerabilities reference this CWE, most recent first.

GHSA-84C8-QPCC-7WF9

Vulnerability from github – Published: 2023-07-17 15:30 – Updated: 2024-04-04 06:10
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-17T15:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714.\n\n",
  "id": "GHSA-84c8-qpcc-7wf9",
  "modified": "2024-04-04T06:10:20Z",
  "published": "2023-07-17T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2958"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0410"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84FW-WVQ7-7X27

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-28T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.",
  "id": "GHSA-84fw-wvq7-7x27",
  "modified": "2022-05-13T01:38:23Z",
  "published": "2022-05-13T01:38:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0936"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/297751"
    },
    {
      "type": "WEB",
      "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84HJ-9C53-VJG2

Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2026-04-28 21:34
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-29T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.2.",
  "id": "GHSA-84hj-9c53-vjg2",
  "modified": "2026-04-28T21:34:25Z",
  "published": "2024-03-29T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30513"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/profilegrid-user-profiles-groups-and-communities/wordpress-profilegrid-plugin-5-7-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84HM-49QM-GQ32

Vulnerability from github – Published: 2022-12-05 18:30 – Updated: 2022-12-06 21:30
VLAI
Details

The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-05T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it\u0027s possible to read any user\u0027s notification (employer or freelancer) as the notification ID is brute-forceable.",
  "id": "GHSA-84hm-49qm-gq32",
  "modified": "2022-12-06T21:30:46Z",
  "published": "2022-12-05T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3846"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/6220c7ef-69a6-49c4-9c56-156b945446af"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84Q6-9HR7-2JH7

Vulnerability from github – Published: 2022-08-20 00:00 – Updated: 2022-08-24 00:00
VLAI
Details

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-19T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.",
  "id": "GHSA-84q6-9hr7-2jh7",
  "modified": "2022-08-24T00:00:29Z",
  "published": "2022-08-20T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34621"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/639.html"
    },
    {
      "type": "WEB",
      "url": "https://docs.mealie.io/changelog/v0.5.6"
    },
    {
      "type": "WEB",
      "url": "https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624"
    },
    {
      "type": "WEB",
      "url": "https://hub.docker.com/r/hkotel/mealie"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/web-security/access-control/idor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-85CG-FG77-RRM5

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34
VLAI
Details

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T22:16:58Z",
    "severity": "HIGH"
  },
  "details": "Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users\u0027 playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.",
  "id": "GHSA-85cg-fg77-rrm5",
  "modified": "2026-07-01T00:34:01Z",
  "published": "2026-07-01T00:34:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58447"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iv-org/invidious/issues/5777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iv-org/invidious/pull/5790"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iv-org/invidious/commit/77ad41678b45c4f6815940123f1796fc51259f45"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/invidious-cross-user-playlist-video-deletion-via-missing-ownership-check"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-862X-3JQQ-F754

Vulnerability from github – Published: 2025-11-11 06:30 – Updated: 2026-04-08 21:33
VLAI
Details

The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T04:15:46Z",
    "severity": "MODERATE"
  },
  "details": "The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.",
  "id": "GHSA-862x-3jqq-f754",
  "modified": "2026-04-08T21:33:08Z",
  "published": "2025-11-11T06:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12126"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3392629%40the-total-book-project\u0026new=3392629%40the-total-book-project"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/the-total-book-project"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-864Q-6X2V-WVG4

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-17T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.",
  "id": "GHSA-864q-6x2v-wvg4",
  "modified": "2022-05-13T01:23:05Z",
  "published": "2022-05-13T01:23:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9756"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/blog/categories/releases"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/54243"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-86JQ-PWGX-6VRQ

Vulnerability from github – Published: 2023-03-17 12:30 – Updated: 2023-03-23 18:20
VLAI
Summary
Improper Authorization in nilsteampassnet/teampass
Details

Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "nilsteampassnet/teampass"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T18:23:40Z",
    "nvd_published_at": "2023-03-17T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.",
  "id": "GHSA-86jq-pwgx-6vrq",
  "modified": "2023-03-23T18:20:49Z",
  "published": "2023-03-17T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/teampass/commit/4e06fbaf2b78c3615d0599855a72ba7e31157516"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nilsteampassnet/TeamPass"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Authorization in nilsteampassnet/teampass"
}

GHSA-86VQ-CCWF-RM62

Vulnerability from github – Published: 2026-02-27 18:35 – Updated: 2026-03-19 16:13
VLAI
Summary
Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints
Details

Description

A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.

Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.

Impact

An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.

The confidentiality impact is considered high. No direct integrity or availability impact has been identified.

The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.

Patches

The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Engage.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Engage.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0"
            },
            {
              "fixed": "17.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-306",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-27T18:35:57Z",
    "nvd_published_at": "2026-02-26T22:20:47Z",
    "severity": "HIGH"
  },
  "details": "### Description\nA vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.\n\nBecause no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.\n\n### Impact\nAn unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.\n\nThe confidentiality impact is considered high. No direct integrity or availability impact has been identified.\n\nThe scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.\n\n### Patches\nThe vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-86vq-ccwf-rm62",
  "modified": "2026-03-19T16:13:28Z",
  "published": "2026-02-27T18:35:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco.Engage.Issues/security/advisories/GHSA-86vq-ccwf-rm62"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27449"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco.Engage.Issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.