Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3245 vulnerabilities reference this CWE, most recent first.

GHSA-85CG-FG77-RRM5

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34
VLAI
Details

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T22:16:58Z",
    "severity": "HIGH"
  },
  "details": "Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users\u0027 playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.",
  "id": "GHSA-85cg-fg77-rrm5",
  "modified": "2026-07-01T00:34:01Z",
  "published": "2026-07-01T00:34:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58447"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iv-org/invidious/issues/5777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iv-org/invidious/pull/5790"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iv-org/invidious/commit/77ad41678b45c4f6815940123f1796fc51259f45"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/invidious-cross-user-playlist-video-deletion-via-missing-ownership-check"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-862X-3JQQ-F754

Vulnerability from github – Published: 2025-11-11 06:30 – Updated: 2026-04-08 21:33
VLAI
Details

The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T04:15:46Z",
    "severity": "MODERATE"
  },
  "details": "The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.",
  "id": "GHSA-862x-3jqq-f754",
  "modified": "2026-04-08T21:33:08Z",
  "published": "2025-11-11T06:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12126"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3392629%40the-total-book-project\u0026new=3392629%40the-total-book-project"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/the-total-book-project"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-864Q-6X2V-WVG4

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-17T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.",
  "id": "GHSA-864q-6x2v-wvg4",
  "modified": "2022-05-13T01:23:05Z",
  "published": "2022-05-13T01:23:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9756"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/blog/categories/releases"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/54243"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-86JQ-PWGX-6VRQ

Vulnerability from github – Published: 2023-03-17 12:30 – Updated: 2023-03-23 18:20
VLAI
Summary
Improper Authorization in nilsteampassnet/teampass
Details

Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "nilsteampassnet/teampass"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T18:23:40Z",
    "nvd_published_at": "2023-03-17T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.",
  "id": "GHSA-86jq-pwgx-6vrq",
  "modified": "2023-03-23T18:20:49Z",
  "published": "2023-03-17T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/teampass/commit/4e06fbaf2b78c3615d0599855a72ba7e31157516"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nilsteampassnet/TeamPass"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Authorization in nilsteampassnet/teampass"
}

GHSA-86VQ-CCWF-RM62

Vulnerability from github – Published: 2026-02-27 18:35 – Updated: 2026-03-19 16:13
VLAI
Summary
Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints
Details

Description

A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.

Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.

Impact

An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.

The confidentiality impact is considered high. No direct integrity or availability impact has been identified.

The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.

Patches

The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Engage.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Engage.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0"
            },
            {
              "fixed": "17.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-306",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-27T18:35:57Z",
    "nvd_published_at": "2026-02-26T22:20:47Z",
    "severity": "HIGH"
  },
  "details": "### Description\nA vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.\n\nBecause no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.\n\n### Impact\nAn unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.\n\nThe confidentiality impact is considered high. No direct integrity or availability impact has been identified.\n\nThe scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.\n\n### Patches\nThe vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-86vq-ccwf-rm62",
  "modified": "2026-03-19T16:13:28Z",
  "published": "2026-02-27T18:35:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco.Engage.Issues/security/advisories/GHSA-86vq-ccwf-rm62"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27449"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco.Engage.Issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints"
}

GHSA-872Q-6CM2-XCC6

Vulnerability from github – Published: 2026-01-21 18:30 – Updated: 2026-01-31 00:30
VLAI
Details

D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-21T18:16:25Z",
    "severity": "HIGH"
  },
  "details": "D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.",
  "id": "GHSA-872q-6cm2-xcc6",
  "modified": "2026-01-31T00:30:28Z",
  "published": "2026-01-21T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23754"
    },
    {
      "type": "WEB",
      "url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-873Q-GR5F-JJ67

Vulnerability from github – Published: 2026-06-04 09:30 – Updated: 2026-06-04 21:31
VLAI
Details

The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T07:16:27Z",
    "severity": "MODERATE"
  },
  "details": "The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.",
  "id": "GHSA-873q-gr5f-jj67",
  "modified": "2026-06-04T21:31:20Z",
  "published": "2026-06-04T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49192"
    },
    {
      "type": "WEB",
      "url": "https://community.acer.com/en/kb/articles/19707"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-877V-W3F5-3PCQ

Vulnerability from github – Published: 2026-04-02 20:59 – Updated: 2026-05-06 02:40
VLAI
Summary
OpenClaw: Feishu thread history and quoted messages bypass sender allowlist
Details

Summary

Feishu thread history and quoted messages bypass sender allowlist

Current Maintainer Triage

  • Status: open
  • Normalized severity: medium
  • Assessment: Real in shipped v2026.3.28 Feishu because fetched quoted/root/thread context bypasses sender allowlists, and SECURITY.md does not exempt remote sender-allowlist bypasses.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • f45e5a6569aab1d58cc6de25b19f1dc4c8779b85 — 2026-03-31T19:43:54+09:00

Release Process Note

  • The fix is already present in released version 2026.3.31.
  • This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

OpenClaw thanks @AntAISecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T20:59:49Z",
    "nvd_published_at": "2026-04-28T19:37:44Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nFeishu thread history and quoted messages bypass sender allowlist\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28 Feishu because fetched quoted/root/thread context bypasses sender allowlists, and SECURITY.md does not exempt remote sender-allowlist bypasses.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `f45e5a6569aab1d58cc6de25b19f1dc4c8779b85` \u2014 2026-03-31T19:43:54+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
  "id": "GHSA-877v-w3f5-3pcq",
  "modified": "2026-05-06T02:40:24Z",
  "published": "2026-04-02T20:59:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-877v-w3f5-3pcq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41406"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/f45e5a6569aab1d58cc6de25b19f1dc4c8779b85"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-thread-history-and-quoted-messages"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Feishu thread history and quoted messages bypass sender allowlist"
}

GHSA-87FH-RC96-6FR6

Vulnerability from github – Published: 2026-02-05 21:19 – Updated: 2026-02-13 17:16
VLAI
Summary
Unauthenticated Spree Commerce users can access all guest addresses
Details

Summary

A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.

Impact

This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).

Unauthenticated users can access all guest addresses (GHSL-2026-027)

The vulnerability stems from incomplete authorization validation in Spree's checkout address assignment logic. While nested address attributes (bill_address_attributes[id] and ship_address_attributes[id]) are properly validated through validate_address_ownership, plain ID parameters (bill_address_id and ship_address_id) bypass this check entirely. Since Spree's address IDs are sequential numbers, an attacker might get all guest addresses by simply enumerating over them.

Affected Code Components

  1. Permitted Attributes (core/lib/spree/permitted_attributes.rb:92–96)
  2. Allows bill_address_id and ship_address_id as permitted parameters without validation

  3. Checkout Update (core/app/models/spree/order/checkout.rb:241–254)

  4. Applies permitted parameters directly to the Order model via update_from_params

  5. Incomplete Ownership Validation (core/app/services/spree/checkout/update.rb:33–48)

  6. validate_address_ownership only validates nested attributes structure
  7. Does NOT validate plain bill_address_id/ship_address_id fields

  8. Vulnerable Assignment Logic (core/app/models/spree/order/address_book.rb:16–23, 31–38)

  9. bill_address_id= setter
  10. ship_address_id= setter

Both setters check that: address.user_id == order.user_id. For guest orders: nil == nil → TRUE ✓ (bypass!)

Proof of Concept

Precondition: One guest address has to exist in Spree's database. (E.g. Create an order with a guest account and note the ID from the spree_addresses table. E.g. 3)

As a guest user: 1. Put one product in the cart and go to checkout. 2. Fill in some address/phone number and continue. 3. Modify this script containing a curl request with current values.

#!/bin/bash

ATTACKER_ORDER_TOKEN="" # Taken from the URL
VICTIM_ADDRESS_ID="3" # As noted from the database
CSRF_TOKEN="" # From page source; `content` value from meta param `csrf-token`.
SESSION_COOKIE="token=...; _my_store_session=..." # from the browsers cookie store.

curl -i -X POST \
  -H "x-csrf-token: ${CSRF_TOKEN}" \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  -b "${SESSION_COOKIE}" \
  --data-urlencode "_method=patch" \
  --data-urlencode "authenticity_token=${CSRF_TOKEN}" \
  --data-urlencode "order[ship_address_id]=${VICTIM_ADDRESS_ID}" \
  "http://localhost:3000/checkout/${ATTACKER_ORDER_TOKEN}/update/address"

Expected Result: Attacker's order now references victim's address. Through that the attacker has all address details in full display. This can be verified by accessing /checkout/${ATTACKER_ORDER_TOKEN}/delivery in the same browser where you created the new guest cart.

Impact

This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).

CWEs

  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-284: Improper Access Control

Credit

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0"
            },
            {
              "fixed": "5.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T21:19:30Z",
    "nvd_published_at": "2026-02-06T22:16:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA critical IDOR vulnerability exists in Spree Commerce\u0027s guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests\u0027 personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.\n\n### Impact\nThis issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).\n\n### Unauthenticated users can access all guest addresses (`GHSL-2026-027`)\n\nThe vulnerability stems from incomplete authorization validation in Spree\u0027s checkout address assignment logic. While nested address attributes (`bill_address_attributes[id]` and `ship_address_attributes[id]`) are properly validated through `validate_address_ownership`, plain ID parameters (`bill_address_id` and `ship_address_id`) bypass this check entirely. Since Spree\u0027s address IDs are sequential numbers, an attacker might get all guest addresses by simply enumerating over them.\n\n### Affected Code Components\n\n1. **Permitted Attributes** ([`core/lib/spree/permitted_attributes.rb:92\u201396`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96))\n   - Allows `bill_address_id` and `ship_address_id` as permitted parameters without validation\n\n2. **Checkout Update** ([`core/app/models/spree/order/checkout.rb:241\u2013254`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254))\n   - Applies permitted parameters directly to the Order model via `update_from_params`\n\n3. **Incomplete Ownership Validation** ([`core/app/services/spree/checkout/update.rb:33\u201348`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48))\n   - `validate_address_ownership` only validates nested attributes structure\n   - Does NOT validate plain `bill_address_id`/`ship_address_id` fields\n\n4. **Vulnerable Assignment Logic** ([`core/app/models/spree/order/address_book.rb:16\u201323, 31\u201338`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38))\n   * [`bill_address_id=` setter](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L24)\n   * [`ship_address_id=` setter](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L31-L39)\n\nBoth setters check that: `address.user_id == order.user_id`. For guest orders: nil == nil \u2192 TRUE \u2713 (bypass!)\n\n#### Proof of Concept\n\nPrecondition: One guest address has to exist in Spree\u0027s database. (E.g. Create an order with a guest account and note the ID from the `spree_addresses` table. E.g. `3`)\n\nAs a guest user:\n1. Put one product in the cart and go to checkout.\n2. Fill in some address/phone number and continue.\n3. Modify this script containing a curl request with current values.\n\n```bash\n#!/bin/bash\n\nATTACKER_ORDER_TOKEN=\"\" # Taken from the URL\nVICTIM_ADDRESS_ID=\"3\" # As noted from the database\nCSRF_TOKEN=\"\" # From page source; `content` value from meta param `csrf-token`.\nSESSION_COOKIE=\"token=...; _my_store_session=...\" # from the browsers cookie store.\n\ncurl -i -X POST \\\n  -H \"x-csrf-token: ${CSRF_TOKEN}\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded;charset=UTF-8\" \\\n  -b \"${SESSION_COOKIE}\" \\\n  --data-urlencode \"_method=patch\" \\\n  --data-urlencode \"authenticity_token=${CSRF_TOKEN}\" \\\n  --data-urlencode \"order[ship_address_id]=${VICTIM_ADDRESS_ID}\" \\\n  \"http://localhost:3000/checkout/${ATTACKER_ORDER_TOKEN}/update/address\"\n```\n\nExpected Result: Attacker\u0027s order now references victim\u0027s address. Through that the attacker has all address details in full display.\nThis can be verified by accessing  `/checkout/${ATTACKER_ORDER_TOKEN}/delivery` in the same browser where you created the new guest cart.\n\n#### Impact\n\nThis issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).\n\n#### CWEs\n\n- CWE-639: Authorization Bypass Through User-Controlled Key\n- CWE-284: Improper Access Control\n\n### Credit\n\nThis issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter St\u00f6ckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).\n\n### Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
  "id": "GHSA-87fh-rc96-6fr6",
  "modified": "2026-02-13T17:16:07Z",
  "published": "2026-02-05T21:19:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-25758.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spree/spree"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unauthenticated Spree Commerce users can access all guest addresses"
}

GHSA-8823-566R-4PQV

Vulnerability from github – Published: 2024-05-16 06:30 – Updated: 2026-04-08 18:33
VLAI
Details

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T06:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the \u0027tutor_course_delete\u0027 function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.",
  "id": "GHSA-8823-566r-4pqv",
  "modified": "2026-04-08T18:33:12Z",
  "published": "2024-05-16T06:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4279"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3086489"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.