CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3245 vulnerabilities reference this CWE, most recent first.
GHSA-85CG-FG77-RRM5
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
{
"affected": [],
"aliases": [
"CVE-2026-58447"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T22:16:58Z",
"severity": "HIGH"
},
"details": "Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users\u0027 playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.",
"id": "GHSA-85cg-fg77-rrm5",
"modified": "2026-07-01T00:34:01Z",
"published": "2026-07-01T00:34:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58447"
},
{
"type": "WEB",
"url": "https://github.com/iv-org/invidious/issues/5777"
},
{
"type": "WEB",
"url": "https://github.com/iv-org/invidious/pull/5790"
},
{
"type": "WEB",
"url": "https://github.com/iv-org/invidious/commit/77ad41678b45c4f6815940123f1796fc51259f45"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/invidious-cross-user-playlist-video-deletion-via-missing-ownership-check"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-862X-3JQQ-F754
Vulnerability from github – Published: 2025-11-11 06:30 – Updated: 2026-04-08 21:33The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.
{
"affected": [],
"aliases": [
"CVE-2025-12126"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T04:15:46Z",
"severity": "MODERATE"
},
"details": "The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.",
"id": "GHSA-862x-3jqq-f754",
"modified": "2026-04-08T21:33:08Z",
"published": "2025-11-11T06:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12126"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3392629%40the-total-book-project\u0026new=3392629%40the-total-book-project"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/the-total-book-project"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-864Q-6X2V-WVG4
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.
{
"affected": [],
"aliases": [
"CVE-2019-9756"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-17T17:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.",
"id": "GHSA-864q-6x2v-wvg4",
"modified": "2022-05-13T01:23:05Z",
"published": "2022-05-13T01:23:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9756"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/blog/categories/releases"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/54243"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-86JQ-PWGX-6VRQ
Vulnerability from github – Published: 2023-03-17 12:30 – Updated: 2023-03-23 18:20Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "nilsteampassnet/teampass"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1463"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-17T18:23:40Z",
"nvd_published_at": "2023-03-17T12:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.",
"id": "GHSA-86jq-pwgx-6vrq",
"modified": "2023-03-23T18:20:49Z",
"published": "2023-03-17T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1463"
},
{
"type": "WEB",
"url": "https://github.com/nilsteampassnet/teampass/commit/4e06fbaf2b78c3615d0599855a72ba7e31157516"
},
{
"type": "PACKAGE",
"url": "https://github.com/nilsteampassnet/TeamPass"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Improper Authorization in nilsteampassnet/teampass"
}
GHSA-86VQ-CCWF-RM62
Vulnerability from github – Published: 2026-02-27 18:35 – Updated: 2026-03-19 16:13Description
A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.
Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.
Impact
An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.
The confidentiality impact is considered high. No direct integrity or availability impact has been identified.
The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.
Patches
The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Engage.Forms"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "16.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Engage.Forms"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0"
},
{
"fixed": "17.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27449"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-306",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-27T18:35:57Z",
"nvd_published_at": "2026-02-26T22:20:47Z",
"severity": "HIGH"
},
"details": "### Description\nA vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.\n\nBecause no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.\n\n### Impact\nAn unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.\n\nThe confidentiality impact is considered high. No direct integrity or availability impact has been identified.\n\nThe scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.\n\n### Patches\nThe vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
"id": "GHSA-86vq-ccwf-rm62",
"modified": "2026-03-19T16:13:28Z",
"published": "2026-02-27T18:35:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco.Engage.Issues/security/advisories/GHSA-86vq-ccwf-rm62"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27449"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco.Engage.Issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints"
}
GHSA-872Q-6CM2-XCC6
Vulnerability from github – Published: 2026-01-21 18:30 – Updated: 2026-01-31 00:30D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
{
"affected": [],
"aliases": [
"CVE-2026-23754"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-21T18:16:25Z",
"severity": "HIGH"
},
"details": "D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.",
"id": "GHSA-872q-6cm2-xcc6",
"modified": "2026-01-31T00:30:28Z",
"published": "2026-01-21T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23754"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-873Q-GR5F-JJ67
Vulnerability from github – Published: 2026-06-04 09:30 – Updated: 2026-06-04 21:31The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.
{
"affected": [],
"aliases": [
"CVE-2026-49192"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T07:16:27Z",
"severity": "MODERATE"
},
"details": "The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.",
"id": "GHSA-873q-gr5f-jj67",
"modified": "2026-06-04T21:31:20Z",
"published": "2026-06-04T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49192"
},
{
"type": "WEB",
"url": "https://community.acer.com/en/kb/articles/19707"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-877V-W3F5-3PCQ
Vulnerability from github – Published: 2026-04-02 20:59 – Updated: 2026-05-06 02:40Summary
Feishu thread history and quoted messages bypass sender allowlist
Current Maintainer Triage
- Status: open
- Normalized severity: medium
- Assessment: Real in shipped v2026.3.28 Feishu because fetched quoted/root/thread context bypasses sender allowlists, and SECURITY.md does not exempt remote sender-allowlist bypasses.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
f45e5a6569aab1d58cc6de25b19f1dc4c8779b85— 2026-03-31T19:43:54+09:00
Release Process Note
- The fix is already present in released version
2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
OpenClaw thanks @AntAISecurityLab for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41406"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T20:59:49Z",
"nvd_published_at": "2026-04-28T19:37:44Z",
"severity": "MODERATE"
},
"details": "## Summary\nFeishu thread history and quoted messages bypass sender allowlist\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28 Feishu because fetched quoted/root/thread context bypasses sender allowlists, and SECURITY.md does not exempt remote sender-allowlist bypasses.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `f45e5a6569aab1d58cc6de25b19f1dc4c8779b85` \u2014 2026-03-31T19:43:54+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
"id": "GHSA-877v-w3f5-3pcq",
"modified": "2026-05-06T02:40:24Z",
"published": "2026-04-02T20:59:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-877v-w3f5-3pcq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41406"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/f45e5a6569aab1d58cc6de25b19f1dc4c8779b85"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-thread-history-and-quoted-messages"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Feishu thread history and quoted messages bypass sender allowlist"
}
GHSA-87FH-RC96-6FR6
Vulnerability from github – Published: 2026-02-05 21:19 – Updated: 2026-02-13 17:16Summary
A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.
Impact
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
Unauthenticated users can access all guest addresses (GHSL-2026-027)
The vulnerability stems from incomplete authorization validation in Spree's checkout address assignment logic. While nested address attributes (bill_address_attributes[id] and ship_address_attributes[id]) are properly validated through validate_address_ownership, plain ID parameters (bill_address_id and ship_address_id) bypass this check entirely. Since Spree's address IDs are sequential numbers, an attacker might get all guest addresses by simply enumerating over them.
Affected Code Components
- Permitted Attributes (
core/lib/spree/permitted_attributes.rb:92–96) -
Allows
bill_address_idandship_address_idas permitted parameters without validation -
Checkout Update (
core/app/models/spree/order/checkout.rb:241–254) -
Applies permitted parameters directly to the Order model via
update_from_params -
Incomplete Ownership Validation (
core/app/services/spree/checkout/update.rb:33–48) validate_address_ownershiponly validates nested attributes structure-
Does NOT validate plain
bill_address_id/ship_address_idfields -
Vulnerable Assignment Logic (
core/app/models/spree/order/address_book.rb:16–23, 31–38) bill_address_id=settership_address_id=setter
Both setters check that: address.user_id == order.user_id. For guest orders: nil == nil → TRUE ✓ (bypass!)
Proof of Concept
Precondition: One guest address has to exist in Spree's database. (E.g. Create an order with a guest account and note the ID from the spree_addresses table. E.g. 3)
As a guest user: 1. Put one product in the cart and go to checkout. 2. Fill in some address/phone number and continue. 3. Modify this script containing a curl request with current values.
#!/bin/bash
ATTACKER_ORDER_TOKEN="" # Taken from the URL
VICTIM_ADDRESS_ID="3" # As noted from the database
CSRF_TOKEN="" # From page source; `content` value from meta param `csrf-token`.
SESSION_COOKIE="token=...; _my_store_session=..." # from the browsers cookie store.
curl -i -X POST \
-H "x-csrf-token: ${CSRF_TOKEN}" \
-H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
-b "${SESSION_COOKIE}" \
--data-urlencode "_method=patch" \
--data-urlencode "authenticity_token=${CSRF_TOKEN}" \
--data-urlencode "order[ship_address_id]=${VICTIM_ADDRESS_ID}" \
"http://localhost:3000/checkout/${ATTACKER_ORDER_TOKEN}/update/address"
Expected Result: Attacker's order now references victim's address. Through that the attacker has all address details in full display.
This can be verified by accessing /checkout/${ATTACKER_ORDER_TOKEN}/delivery in the same browser where you created the new guest cart.
Impact
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
CWEs
- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-284: Improper Access Control
Credit
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_api"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_api"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_api"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_api"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25758"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T21:19:30Z",
"nvd_published_at": "2026-02-06T22:16:12Z",
"severity": "HIGH"
},
"details": "### Summary\nA critical IDOR vulnerability exists in Spree Commerce\u0027s guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests\u0027 personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.\n\n### Impact\nThis issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).\n\n### Unauthenticated users can access all guest addresses (`GHSL-2026-027`)\n\nThe vulnerability stems from incomplete authorization validation in Spree\u0027s checkout address assignment logic. While nested address attributes (`bill_address_attributes[id]` and `ship_address_attributes[id]`) are properly validated through `validate_address_ownership`, plain ID parameters (`bill_address_id` and `ship_address_id`) bypass this check entirely. Since Spree\u0027s address IDs are sequential numbers, an attacker might get all guest addresses by simply enumerating over them.\n\n### Affected Code Components\n\n1. **Permitted Attributes** ([`core/lib/spree/permitted_attributes.rb:92\u201396`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96))\n - Allows `bill_address_id` and `ship_address_id` as permitted parameters without validation\n\n2. **Checkout Update** ([`core/app/models/spree/order/checkout.rb:241\u2013254`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254))\n - Applies permitted parameters directly to the Order model via `update_from_params`\n\n3. **Incomplete Ownership Validation** ([`core/app/services/spree/checkout/update.rb:33\u201348`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48))\n - `validate_address_ownership` only validates nested attributes structure\n - Does NOT validate plain `bill_address_id`/`ship_address_id` fields\n\n4. **Vulnerable Assignment Logic** ([`core/app/models/spree/order/address_book.rb:16\u201323, 31\u201338`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38))\n * [`bill_address_id=` setter](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L24)\n * [`ship_address_id=` setter](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L31-L39)\n\nBoth setters check that: `address.user_id == order.user_id`. For guest orders: nil == nil \u2192 TRUE \u2713 (bypass!)\n\n#### Proof of Concept\n\nPrecondition: One guest address has to exist in Spree\u0027s database. (E.g. Create an order with a guest account and note the ID from the `spree_addresses` table. E.g. `3`)\n\nAs a guest user:\n1. Put one product in the cart and go to checkout.\n2. Fill in some address/phone number and continue.\n3. Modify this script containing a curl request with current values.\n\n```bash\n#!/bin/bash\n\nATTACKER_ORDER_TOKEN=\"\" # Taken from the URL\nVICTIM_ADDRESS_ID=\"3\" # As noted from the database\nCSRF_TOKEN=\"\" # From page source; `content` value from meta param `csrf-token`.\nSESSION_COOKIE=\"token=...; _my_store_session=...\" # from the browsers cookie store.\n\ncurl -i -X POST \\\n -H \"x-csrf-token: ${CSRF_TOKEN}\" \\\n -H \"Content-Type: application/x-www-form-urlencoded;charset=UTF-8\" \\\n -b \"${SESSION_COOKIE}\" \\\n --data-urlencode \"_method=patch\" \\\n --data-urlencode \"authenticity_token=${CSRF_TOKEN}\" \\\n --data-urlencode \"order[ship_address_id]=${VICTIM_ADDRESS_ID}\" \\\n \"http://localhost:3000/checkout/${ATTACKER_ORDER_TOKEN}/update/address\"\n```\n\nExpected Result: Attacker\u0027s order now references victim\u0027s address. Through that the attacker has all address details in full display.\nThis can be verified by accessing `/checkout/${ATTACKER_ORDER_TOKEN}/delivery` in the same browser where you created the new guest cart.\n\n#### Impact\n\nThis issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).\n\n#### CWEs\n\n- CWE-639: Authorization Bypass Through User-Controlled Key\n- CWE-284: Improper Access Control\n\n### Credit\n\nThis issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter St\u00f6ckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).\n\n### Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
"id": "GHSA-87fh-rc96-6fr6",
"modified": "2026-02-13T17:16:07Z",
"published": "2026-02-05T21:19:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25758"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-25758.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/spree/spree"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Unauthenticated Spree Commerce users can access all guest addresses"
}
GHSA-8823-566R-4PQV
Vulnerability from github – Published: 2024-05-16 06:30 – Updated: 2026-04-08 18:33The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.
{
"affected": [],
"aliases": [
"CVE-2024-4279"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T06:15:10Z",
"severity": "MODERATE"
},
"details": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the \u0027tutor_course_delete\u0027 function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.",
"id": "GHSA-8823-566r-4pqv",
"modified": "2026-04-08T18:33:12Z",
"published": "2024-05-16T06:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4279"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3086489"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.