Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3245 vulnerabilities reference this CWE, most recent first.

GHSA-882M-54CG-63Q7

Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2024-04-10 18:30
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-10T17:15:52Z",
    "severity": "HIGH"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization\u0027s project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user\u0027s organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project\u0027s ID. This issue affects the project deletion functionality implemented in the projects.delete route.",
  "id": "GHSA-882m-54cg-63q7",
  "modified": "2024-04-10T18:30:48Z",
  "published": "2024-04-10T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1625"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/88f98e29f19da9d1f5de45c5b163fd5b48e0bcec"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/cf6dd625-e6c9-44df-a072-13686816de21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-896V-PH5W-379H

Vulnerability from github – Published: 2023-09-28 06:30 – Updated: 2023-10-03 21:13
VLAI
Summary
Economizzer Insecure Direct Object Reference vulnerability
Details

An Insecure Direct Object Reference (IDOR) vulnerability in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1 allows any unauthenticated attacker to access cash book entry attachments of any other user, if they know the Id of the attachment.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "gugoan/economizzer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.9-beta1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-28T16:49:40Z",
    "nvd_published_at": "2023-09-28T04:15:12Z",
    "severity": "LOW"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1 allows any unauthenticated attacker to access cash book entry attachments of any other user, if they know the Id of the attachment.",
  "id": "GHSA-896v-ph5w-379h",
  "modified": "2023-10-03T21:13:36Z",
  "published": "2023-09-28T06:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38872"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gugoan/economizzer/commit/37308802dfe00d43df396a8afaa2096ece8b7b57"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38872"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gugoan/economizzer"
    },
    {
      "type": "WEB",
      "url": "https://www.economizzer.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Economizzer Insecure Direct Object Reference vulnerability"
}

GHSA-8C4J-F57C-35CF

Vulnerability from github – Published: 2026-03-27 19:36 – Updated: 2026-03-27 21:52
VLAI
Summary
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
Details

Vulnerability

IDOR in GET/PATCH/DELETE /api/v1/flow/{flow_id}

The _read_flow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTO_LOGIN setting to decide whether to filter by user_id. When AUTO_LOGIN was False (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it.

This exposed any authenticated user to:

  • Read any other user's flow, including embedded plaintext API keys
  • Modify the logic of another user's AI agents
  • Delete flows belonging to other users

The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with user_id = NULL) under auto-login mode, but inadvertently left the authenticated path without an ownership filter.


Fix (PR #8956)

The fix removes the AUTO_LOGIN conditional entirely and unconditionally scopes the query to the requesting user:

-    auth_settings = settings_service.auth_settings
-    stmt = select(Flow).where(Flow.id == flow_id)
-    if auth_settings.AUTO_LOGIN:
-        stmt = stmt.where(
-            (Flow.user_id == user_id) | (Flow.user_id == None)  # noqa: E711
-        )
+    stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id)

All three operations — read, update, and delete — route through _read_flow, so the single change covers the full attack surface. A cross-user isolation test (test_read_flows_user_isolation) was added to prevent regression.


Acknowledgements

Langflow thanks the security researcher who responsibly disclosed this vulnerability:

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow-base"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T19:36:23Z",
    "nvd_published_at": "2026-03-27T21:17:27Z",
    "severity": "HIGH"
  },
  "details": "## Vulnerability\n\n### IDOR in `GET/PATCH/DELETE /api/v1/flow/{flow_id}`\n\nThe `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check \u2014 the query returned any flow matching the given UUID regardless of who owned it.\n\nThis exposed any authenticated user to:\n\n- **Read** any other user\u0027s flow, including embedded plaintext API keys\n- **Modify** the logic of another user\u0027s AI agents\n- **Delete** flows belonging to other users\n\nThe vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter.\n\n---\n\n## Fix (PR #8956)\n\nThe fix removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user:\n\n```diff\n-    auth_settings = settings_service.auth_settings\n-    stmt = select(Flow).where(Flow.id == flow_id)\n-    if auth_settings.AUTO_LOGIN:\n-        stmt = stmt.where(\n-            (Flow.user_id == user_id) | (Flow.user_id == None)  # noqa: E711\n-        )\n+    stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id)\n```\n\nAll three operations \u2014 read, update, and delete \u2014 route through `_read_flow`, so the single change covers the full attack surface. A cross-user isolation test (`test_read_flows_user_isolation`) was added to prevent regression.\n\n---\n\n## Acknowledgements\n\nLangflow thanks the security researcher who responsibly disclosed this vulnerability:\n\n- **[@chximn-dt](https://github.com/chximn-dt)**",
  "id": "GHSA-8c4j-f57c-35cf",
  "modified": "2026-03-27T21:52:39Z",
  "published": "2026-03-27T19:36:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/pull/8956"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check"
}

GHSA-8C5F-QPCM-FGCV

Vulnerability from github – Published: 2024-02-27 09:31 – Updated: 2025-03-24 21:30
VLAI
Details

The WP Dashboard Notes WordPress plugin before 1.0.11 is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-27T09:15:37Z",
    "severity": "MODERATE"
  },
  "details": "The WP Dashboard Notes WordPress plugin before 1.0.11 is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data.",
  "id": "GHSA-8c5f-qpcm-fgcv",
  "modified": "2025-03-24T21:30:28Z",
  "published": "2024-02-27T09:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7198"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/75fbee63-d622-441f-8675-082907b0b1e6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8C6Q-26W6-QWHG

Vulnerability from github – Published: 2023-07-17 09:30 – Updated: 2023-07-17 14:08
VLAI
Summary
Easy!Appointments Improper Access Control vulnerability
Details

Easy!Appointments 1.4.3 and prior has an Improper Access Control vulnerability. This issue is patched at commit b37b46019553089db4f22eb2fe998bca84b2cb64 and anticipated to be part of version 1.5.0.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "alextselegidis/easyappointments"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T14:08:19Z",
    "nvd_published_at": "2023-07-17T07:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Easy!Appointments 1.4.3 and prior has an Improper Access Control vulnerability. This issue is patched at commit b37b46019553089db4f22eb2fe998bca84b2cb64 and anticipated to be part of version 1.5.0.",
  "id": "GHSA-8c6q-26w6-qwhg",
  "modified": "2023-07-17T14:08:19Z",
  "published": "2023-07-17T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3700"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alextselegidis/easyappointments/commit/b37b46019553089db4f22eb2fe998bca84b2cb64"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alextselegidis/easyappointments"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/e8d530db-a6a7-4f79-a95d-b77654cc04f8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Easy!Appointments Improper Access Control vulnerability"
}

GHSA-8C8G-7W32-WJ3X

Vulnerability from github – Published: 2025-10-06 09:30 – Updated: 2026-06-06 09:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Logo Software Inc. Logo Cloud allows Forceful Browsing, Resource Leak Exposure.This issue affects Logo Cloud: before 0.67.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-06T09:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Logo Software Inc. Logo Cloud allows Forceful Browsing, Resource Leak Exposure.This issue affects Logo Cloud: before 0.67.",
  "id": "GHSA-8c8g-7w32-wj3x",
  "modified": "2026-06-06T09:31:14Z",
  "published": "2025-10-06T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0606"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0318"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0318"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8C8V-R5JJ-4425

Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-09-19 23:04
VLAI
Summary
Liferay Contacts Center widget has insecure direct object reference
Details

Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact’s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.contacts.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-19T23:04:20Z",
    "nvd_published_at": "2025-09-19T19:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact\u2019s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter.",
  "id": "GHSA-8c8v-r5jj-4425",
  "modified": "2025-09-19T23:04:20Z",
  "published": "2025-09-19T21:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43803"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43803"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Contacts Center widget has insecure direct object reference"
}

GHSA-8C93-42CQ-RFJJ

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-04-04 02:47
VLAI
Details

An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-28T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names.",
  "id": "GHSA-8c93-42cq-rfjj",
  "modified": "2024-04-04T02:47:13Z",
  "published": "2022-05-24T17:07:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5466"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/507113"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/59809"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CR2-HPC7-V23M

Vulnerability from github – Published: 2025-10-29 09:30 – Updated: 2026-01-20 15:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Rometheme RTMKit rometheme-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RTMKit: from n/a through <= 1.6.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-29T09:15:44Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Rometheme RTMKit rometheme-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RTMKit: from n/a through \u003c= 1.6.7.",
  "id": "GHSA-8cr2-hpc7-v23m",
  "modified": "2026-01-20T15:31:41Z",
  "published": "2025-10-29T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64283"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/rometheme-for-elementor/vulnerability/wordpress-rtmkit-plugin-1-6-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/rometheme-for-elementor/vulnerability/wordpress-rtmkit-plugin-1-6-7-insecure-direct-object-references-idor-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/rometheme-for-elementor/vulnerability/wordpress-rtmkit-plugin-1-6-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CRG-FP2W-XQGV

Vulnerability from github – Published: 2025-10-27 15:30 – Updated: 2025-10-27 15:30
VLAI
Details

Honeywell S35 Series Cameras contains an authorization bypass Vulnerability through User controller key. An attacker could potentially exploit this vulnerability, leading to Privilege Escalation to admin privileged functionalities . Honeywell also recommends updating to the most recent version of this product, service or offering (S35 Pinhole/Kit Camera to version 2025.08.28, S35 AI Fisheye & Dual Sensor/Micro Dome/Full Color Eyeball & Bullet Camera to version 2025.08.22, S35 Thermal Camera to version 2025.08.26).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T15:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Honeywell S35 Series Cameras contains an authorization bypass Vulnerability through User controller key. An attacker could potentially exploit this vulnerability, leading to Privilege Escalation to admin privileged functionalities . Honeywell also recommends updating to the most recent version of this product, service or offering (S35 Pinhole/Kit Camera to version 2025.08.28, S35 AI Fisheye \u0026 Dual Sensor/Micro Dome/Full Color Eyeball \u0026 Bullet Camera to version 2025.08.22, S35 Thermal Camera to version 2025.08.26).",
  "id": "GHSA-8crg-fp2w-xqgv",
  "modified": "2025-10-27T15:30:42Z",
  "published": "2025-10-27T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12351"
    },
    {
      "type": "WEB",
      "url": "https://www.honeywell.com/us/en/product-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.