CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3240 vulnerabilities reference this CWE, most recent first.
GHSA-84C8-QPCC-7WF9
Vulnerability from github – Published: 2023-07-17 15:30 – Updated: 2024-04-04 06:10Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714.
{
"affected": [],
"aliases": [
"CVE-2023-2958"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-17T15:15:09Z",
"severity": "CRITICAL"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714.\n\n",
"id": "GHSA-84c8-qpcc-7wf9",
"modified": "2024-04-04T06:10:20Z",
"published": "2023-07-17T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2958"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0410"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84FW-WVQ7-7X27
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.
{
"affected": [],
"aliases": [
"CVE-2017-0936"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-28T20:29:00Z",
"severity": "MODERATE"
},
"details": "Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.",
"id": "GHSA-84fw-wvq7-7x27",
"modified": "2022-05-13T01:38:23Z",
"published": "2022-05-13T01:38:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0936"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/297751"
},
{
"type": "WEB",
"url": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-84HJ-9C53-VJG2
Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2026-04-28 21:34Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.2.
{
"affected": [],
"aliases": [
"CVE-2024-30513"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-29T16:15:10Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.2.",
"id": "GHSA-84hj-9c53-vjg2",
"modified": "2026-04-28T21:34:25Z",
"published": "2024-03-29T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30513"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/profilegrid-user-profiles-groups-and-communities/wordpress-profilegrid-plugin-5-7-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-84HM-49QM-GQ32
Vulnerability from github – Published: 2022-12-05 18:30 – Updated: 2022-12-06 21:30The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.
{
"affected": [],
"aliases": [
"CVE-2022-3846"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-05T17:15:00Z",
"severity": "HIGH"
},
"details": "The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it\u0027s possible to read any user\u0027s notification (employer or freelancer) as the notification ID is brute-forceable.",
"id": "GHSA-84hm-49qm-gq32",
"modified": "2022-12-06T21:30:46Z",
"published": "2022-12-05T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3846"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/6220c7ef-69a6-49c4-9c56-156b945446af"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-84Q6-9HR7-2JH7
Vulnerability from github – Published: 2022-08-20 00:00 – Updated: 2022-08-24 00:00Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.
{
"affected": [],
"aliases": [
"CVE-2022-34621"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.",
"id": "GHSA-84q6-9hr7-2jh7",
"modified": "2022-08-24T00:00:29Z",
"published": "2022-08-20T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34621"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/639.html"
},
{
"type": "WEB",
"url": "https://docs.mealie.io/changelog/v0.5.6"
},
{
"type": "WEB",
"url": "https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624"
},
{
"type": "WEB",
"url": "https://hub.docker.com/r/hkotel/mealie"
},
{
"type": "WEB",
"url": "https://portswigger.net/web-security/access-control/idor"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-85CG-FG77-RRM5
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
{
"affected": [],
"aliases": [
"CVE-2026-58447"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T22:16:58Z",
"severity": "HIGH"
},
"details": "Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users\u0027 playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.",
"id": "GHSA-85cg-fg77-rrm5",
"modified": "2026-07-01T00:34:01Z",
"published": "2026-07-01T00:34:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58447"
},
{
"type": "WEB",
"url": "https://github.com/iv-org/invidious/issues/5777"
},
{
"type": "WEB",
"url": "https://github.com/iv-org/invidious/pull/5790"
},
{
"type": "WEB",
"url": "https://github.com/iv-org/invidious/commit/77ad41678b45c4f6815940123f1796fc51259f45"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/invidious-cross-user-playlist-video-deletion-via-missing-ownership-check"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-862X-3JQQ-F754
Vulnerability from github – Published: 2025-11-11 06:30 – Updated: 2026-04-08 21:33The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.
{
"affected": [],
"aliases": [
"CVE-2025-12126"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T04:15:46Z",
"severity": "MODERATE"
},
"details": "The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.",
"id": "GHSA-862x-3jqq-f754",
"modified": "2026-04-08T21:33:08Z",
"published": "2025-11-11T06:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12126"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3392629%40the-total-book-project\u0026new=3392629%40the-total-book-project"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/the-total-book-project"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-864Q-6X2V-WVG4
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.
{
"affected": [],
"aliases": [
"CVE-2019-9756"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-17T17:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.",
"id": "GHSA-864q-6x2v-wvg4",
"modified": "2022-05-13T01:23:05Z",
"published": "2022-05-13T01:23:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9756"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/blog/categories/releases"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/54243"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-86JQ-PWGX-6VRQ
Vulnerability from github – Published: 2023-03-17 12:30 – Updated: 2023-03-23 18:20Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "nilsteampassnet/teampass"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1463"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-17T18:23:40Z",
"nvd_published_at": "2023-03-17T12:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.",
"id": "GHSA-86jq-pwgx-6vrq",
"modified": "2023-03-23T18:20:49Z",
"published": "2023-03-17T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1463"
},
{
"type": "WEB",
"url": "https://github.com/nilsteampassnet/teampass/commit/4e06fbaf2b78c3615d0599855a72ba7e31157516"
},
{
"type": "PACKAGE",
"url": "https://github.com/nilsteampassnet/TeamPass"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Improper Authorization in nilsteampassnet/teampass"
}
GHSA-86VQ-CCWF-RM62
Vulnerability from github – Published: 2026-02-27 18:35 – Updated: 2026-03-19 16:13Description
A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.
Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.
Impact
An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.
The confidentiality impact is considered high. No direct integrity or availability impact has been identified.
The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.
Patches
The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Engage.Forms"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "16.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Engage.Forms"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0"
},
{
"fixed": "17.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27449"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-306",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-27T18:35:57Z",
"nvd_published_at": "2026-02-26T22:20:47Z",
"severity": "HIGH"
},
"details": "### Description\nA vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.\n\nBecause no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.\n\n### Impact\nAn unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.\n\nThe confidentiality impact is considered high. No direct integrity or availability impact has been identified.\n\nThe scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.\n\n### Patches\nThe vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
"id": "GHSA-86vq-ccwf-rm62",
"modified": "2026-03-19T16:13:28Z",
"published": "2026-02-27T18:35:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco.Engage.Issues/security/advisories/GHSA-86vq-ccwf-rm62"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27449"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco.Engage.Issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.