Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3251 vulnerabilities reference this CWE, most recent first.

GHSA-8C8G-7W32-WJ3X

Vulnerability from github – Published: 2025-10-06 09:30 – Updated: 2026-06-06 09:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Logo Software Inc. Logo Cloud allows Forceful Browsing, Resource Leak Exposure.This issue affects Logo Cloud: before 0.67.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-06T09:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Logo Software Inc. Logo Cloud allows Forceful Browsing, Resource Leak Exposure.This issue affects Logo Cloud: before 0.67.",
  "id": "GHSA-8c8g-7w32-wj3x",
  "modified": "2026-06-06T09:31:14Z",
  "published": "2025-10-06T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0606"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0318"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0318"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8C8V-R5JJ-4425

Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-09-19 23:04
VLAI
Summary
Liferay Contacts Center widget has insecure direct object reference
Details

Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact’s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.contacts.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-19T23:04:20Z",
    "nvd_published_at": "2025-09-19T19:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact\u2019s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter.",
  "id": "GHSA-8c8v-r5jj-4425",
  "modified": "2025-09-19T23:04:20Z",
  "published": "2025-09-19T21:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43803"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43803"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Contacts Center widget has insecure direct object reference"
}

GHSA-8C93-42CQ-RFJJ

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-04-04 02:47
VLAI
Details

An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-28T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names.",
  "id": "GHSA-8c93-42cq-rfjj",
  "modified": "2024-04-04T02:47:13Z",
  "published": "2022-05-24T17:07:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5466"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/507113"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/59809"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CR2-HPC7-V23M

Vulnerability from github – Published: 2025-10-29 09:30 – Updated: 2026-01-20 15:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Rometheme RTMKit rometheme-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RTMKit: from n/a through <= 1.6.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-29T09:15:44Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Rometheme RTMKit rometheme-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RTMKit: from n/a through \u003c= 1.6.7.",
  "id": "GHSA-8cr2-hpc7-v23m",
  "modified": "2026-01-20T15:31:41Z",
  "published": "2025-10-29T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64283"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/rometheme-for-elementor/vulnerability/wordpress-rtmkit-plugin-1-6-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/rometheme-for-elementor/vulnerability/wordpress-rtmkit-plugin-1-6-7-insecure-direct-object-references-idor-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/rometheme-for-elementor/vulnerability/wordpress-rtmkit-plugin-1-6-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CRG-FP2W-XQGV

Vulnerability from github – Published: 2025-10-27 15:30 – Updated: 2025-10-27 15:30
VLAI
Details

Honeywell S35 Series Cameras contains an authorization bypass Vulnerability through User controller key. An attacker could potentially exploit this vulnerability, leading to Privilege Escalation to admin privileged functionalities . Honeywell also recommends updating to the most recent version of this product, service or offering (S35 Pinhole/Kit Camera to version 2025.08.28, S35 AI Fisheye & Dual Sensor/Micro Dome/Full Color Eyeball & Bullet Camera to version 2025.08.22, S35 Thermal Camera to version 2025.08.26).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T15:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Honeywell S35 Series Cameras contains an authorization bypass Vulnerability through User controller key. An attacker could potentially exploit this vulnerability, leading to Privilege Escalation to admin privileged functionalities . Honeywell also recommends updating to the most recent version of this product, service or offering (S35 Pinhole/Kit Camera to version 2025.08.28, S35 AI Fisheye \u0026 Dual Sensor/Micro Dome/Full Color Eyeball \u0026 Bullet Camera to version 2025.08.22, S35 Thermal Camera to version 2025.08.26).",
  "id": "GHSA-8crg-fp2w-xqgv",
  "modified": "2025-10-27T15:30:42Z",
  "published": "2025-10-27T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12351"
    },
    {
      "type": "WEB",
      "url": "https://www.honeywell.com/us/en/product-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CW6-53M5-4932

Vulnerability from github – Published: 2026-01-27 22:13 – Updated: 2026-01-29 03:43
VLAI
Summary
StudioCMS has Authorization Bypass Through User-Controlled Key
Details

Summary

StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users.

Details

The Issue: The endpoint /dashboard/content-management/edit?edit={UUID} validates user authentication but does NOT validate: 1. User role (should require Editor/Admin/Owner) 2. Content ownership (should verify the draft belongs to the user)

This allows users with "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.

PoC

  • User A: Editor role (example username: dummy04)
  • User B: Visitor role (example username: dummy01)

Reproduction Steps:

Step 1 - Create draft as Editor:

  1. Login as User A (Editor role)
  2. Navigate to: http://localhost:4321/dashboard/content-management
  3. Create new content (it will stay as draft)
  4. After saving, note the UUID in the URL:
   http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148

Copy this UUID: bad87630-69a4-4cd6-bcb2-6965839dc148

Step 2 - Access draft as Visitor:

  1. Login as Visitor and get auth_session cookie
curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$'

01

  1. Proof of Visitor permission 02

  2. Access Editor's draft using the UUID

curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q" -v

Result: Returns full HTML page with draft content (200 OK)

Impact

Impact Scenarios:

  1. Information Disclosure:
  2. Visitor users can read unpublished drafts containing sensitive information
  3. Drafts may contain confidential business information, unreleased announcements, or proprietary content
  4. Competitive intelligence could be gathered from draft content

  5. Privacy Violation:

  6. Personal notes, work-in-progress content, or internal communications in drafts exposed
  7. Violation of content creator privacy expectations

  8. Business Impact:

  9. Premature disclosure of marketing campaigns, product launches, or announcements
  10. Loss of competitive advantage if draft strategies are exposed
  11. Potential compliance issues if drafts contain regulated information

  12. Complete RBAC Bypass:

  13. The entire role-based access control system for draft content is bypassed
  14. "Visitor" role becomes equivalent to "Editor" for read access to drafts
  15. Undermines the trust model of multi-user content management
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "studiocms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-27T22:13:52Z",
    "nvd_published_at": "2026-01-28T00:15:50Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nStudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the \"Visitor\" role to access draft content created by Editor/Admin/Owner users.\n\n### Details\n**The Issue:**\nThe endpoint `/dashboard/content-management/edit?edit={UUID}` validates user authentication but does NOT validate:\n1. User role (should require Editor/Admin/Owner)\n2. Content ownership (should verify the draft belongs to the user)\n\nThis allows users with \"Visitor\" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.\n\n### PoC\n   - **User A:** Editor role (example username: `dummy04`)\n   - **User B:** Visitor role (example username: `dummy01`)\n\n**Reproduction Steps:**\n\n**Step 1 - Create draft as Editor:**\n\n1. Login as User A (Editor role)\n2. Navigate to: `http://localhost:4321/dashboard/content-management`\n3. Create new content (it will stay as draft)\n4. After saving, note the UUID in the URL:\n````\n   http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148\n````\n   Copy this UUID: `bad87630-69a4-4cd6-bcb2-6965839dc148`\n\n**Step 2 - Access draft as Visitor:**\n\n1. Login as Visitor and get auth_session cookie\n```\ncurl -X POST \"http://127.0.0.1:4321/studiocms_api/auth/login\" -F \u0027username=dummy01\u0027 -F \u0027password=dummy01pass$\u0027\n```\n\u003cimg width=\"1128\" height=\"376\" alt=\"01\" src=\"https://github.com/user-attachments/assets/86c5290e-e7a2-470e-bbf5-5f5247eddec1\" /\u003e\n\n2. Proof of Visitor permission\n\u003cimg width=\"1899\" height=\"450\" alt=\"02\" src=\"https://github.com/user-attachments/assets/aabd47d3-163f-4a56-8296-08bd40c5ccdc\" /\u003e\n\n3. Access Editor\u0027s draft using the UUID\n```\ncurl \"http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148\" -H \"Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q\" -v\n```\n\n**Result:** Returns full HTML page with draft content (200 OK)\n\n### Impact\n**Impact Scenarios:**\n\n1. **Information Disclosure:**\n   - Visitor users can read unpublished drafts containing sensitive information\n   - Drafts may contain confidential business information, unreleased announcements, or proprietary content\n   - Competitive intelligence could be gathered from draft content\n\n2. **Privacy Violation:**\n   - Personal notes, work-in-progress content, or internal communications in drafts exposed\n   - Violation of content creator privacy expectations\n\n3. **Business Impact:**\n   - Premature disclosure of marketing campaigns, product launches, or announcements\n   - Loss of competitive advantage if draft strategies are exposed\n   - Potential compliance issues if drafts contain regulated information\n\n4. **Complete RBAC Bypass:**\n   - The entire role-based access control system for draft content is bypassed\n   - \"Visitor\" role becomes equivalent to \"Editor\" for read access to drafts\n   - Undermines the trust model of multi-user content management",
  "id": "GHSA-8cw6-53m5-4932",
  "modified": "2026-01-29T03:43:54Z",
  "published": "2026-01-27T22:13:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24134"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withstudiocms/studiocms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "StudioCMS has Authorization Bypass Through User-Controlled Key"
}

GHSA-8F4X-4R5C-HRM5

Vulnerability from github – Published: 2025-04-15 21:31 – Updated: 2025-04-15 21:31
VLAI
Details

An authenticated attacker can obtain any plant name by knowing the plant ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T21:16:04Z",
    "severity": "MODERATE"
  },
  "details": "An authenticated attacker can obtain any plant name by knowing the plant ID.",
  "id": "GHSA-8f4x-4r5c-hrm5",
  "modified": "2025-04-15T21:31:49Z",
  "published": "2025-04-15T21:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31949"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8FMR-V9G7-JCMF

Vulnerability from github – Published: 2026-05-27 12:31 – Updated: 2026-05-27 12:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout Files Upload for WooCommerce: from n/a through <= 2.2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T11:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout Files Upload for WooCommerce: from n/a through \u003c= 2.2.5.",
  "id": "GHSA-8fmr-v9g7-jcmf",
  "modified": "2026-05-27T12:31:22Z",
  "published": "2026-05-27T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42725"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/checkout-files-upload-woocommerce/vulnerability/wordpress-checkout-files-upload-for-woocommerce-plugin-2-2-5-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8FP3-P8FQ-633J

Vulnerability from github – Published: 2024-04-24 12:30 – Updated: 2026-04-28 21:34
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in FeedbackWP Rate my Post – WP Rating System.This issue affects Rate my Post – WP Rating System: from n/a through 3.4.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-24T11:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in FeedbackWP Rate my Post \u2013 WP Rating System.This issue affects Rate my Post \u2013 WP Rating System: from n/a through 3.4.4.",
  "id": "GHSA-8fp3-p8fq-633j",
  "modified": "2026-04-28T21:34:53Z",
  "published": "2024-04-24T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32823"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/rate-my-post/wordpress-rate-my-post-plugin-3-4-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8FQ9-273G-6MRG

Vulnerability from github – Published: 2026-06-17 18:49 – Updated: 2026-06-17 18:49
VLAI
Summary
Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
Details

Summary

A critical missing authorization flaw exists in Avo's association attach workflow. The UI and GET /resources/:resource/:id/:related/new path can check attach_<association>?, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating the association.

As a result, an authenticated low-privileged Avo user can bypass hidden/disabled attach controls and directly attach related records to a parent record by sending a crafted POST request. In applications where associations represent teams, tenants, roles, projects, users, memberships, ownership, or other authorization-bearing relationships, this can lead to privilege escalation and cross-tenant data exposure.

Details

The association attach route writes relationships through Avo::AssociationsController#create:

# config/routes.rb
post "/:resource_name/:id/:related_name", to: "associations#create", as: "associations_create"

The controller registers an attach authorization callback only for new, not for create:

# app/controllers/avo/associations_controller.rb
before_action :set_attachment_record, only: [:create, :destroy]
before_action :authorize_index_action, only: :index
before_action :authorize_attach_action, only: :new
before_action :authorize_detach_action, only: :destroy

The new action is only the form-rendering step. The actual mutation happens in create:

def create
  if create_association
    create_success_action
  else
    create_fail_action
  end
end

create_association then attaches the attacker-supplied related record to the parent:

def create_association
  association_name = BaseResource.valid_association_name(@record, association_from_params)

  perform_action_and_record_errors do
    if through_reflection? && additional_params.present?
      new_join_record.save
    elsif has_many_reflection? || through_reflection?
      @record.send(association_name) << @attachment_record
    else
      @record.send(:"#{association_name}=", @attachment_record)
      @record.save!
    end
  end
end

The only attach-specific authorization helper is:

def authorize_attach_action
  authorize_if_defined "attach_#{@field.id}?"
end

Because this helper is bound only to new, a policy that denies attach_users?, attach_teams?, attach_roles?, or similar methods blocks the UI/form path but does not protect the write path.

This is inconsistent with the detach path, which does authorize the mutating destroy action:

before_action :authorize_detach_action, only: :destroy

The bug is especially dangerous because Avo already treats association authorization as an access-control boundary in UI components:

# lib/avo/concerns/checks_assoc_authorization.rb
method_name = :"#{policy_method}_#{association_name}?".to_sym

if service.has_method?(method_name, raise_exception: false)
  service.authorize_action(method_name, record:, raise_exception: false)
else
  !Avo.configuration.explicit_authorization
end

However, server-side enforcement is missing on the actual attach POST endpoint.

Proof of Concept

Prerequisites:

  1. A Rails application mounts Avo, for example at /admin.
  2. Avo authorization is enabled.
  3. A low-privileged user can authenticate to Avo.
  4. A parent record and a related record are both reachable by ID.
  5. The relevant policy denies attaching the relationship, for example:
def attach_users?
  false
end

Example target scenario:

  • Parent resource: projects
  • Parent ID: 1
  • Related association: users
  • Related user ID to attach: 42
  • Expected policy: low-privileged users must not be able to attach users to projects.

The UI/form request may be blocked:

GET /admin/resources/projects/1/users/new

But the direct write endpoint can still be invoked:

POST /admin/resources/projects/1/users
Content-Type: application/x-www-form-urlencoded

authenticity_token=<CSRF>&fields[related_id]=42

Run the attached PoC:

python poc_avo_association_attach_bypass.py \
  --base-url http://localhost:3000 \
  --avo-root /admin \
  --cookie "_app_session=<LOW_PRIVILEGED_SESSION_COOKIE>" \
  --parent-resource projects \
  --parent-id 1 \
  --related-name users \
  --related-id 42 \
  --check-new

If GET /new is forbidden or redirected but the direct POST succeeds, the authorization bypass is confirmed.

To perform the actual attach:

python poc_avo_association_attach_bypass.py \
  --base-url http://localhost:3000 \
  --avo-root /admin \
  --cookie "_app_session=<LOW_PRIVILEGED_SESSION_COOKIE>" \
  --parent-resource projects \
  --parent-id 1 \
  --related-name users \
  --related-id 42 \
  --confirm-attach

Expected vulnerable result:

  • The low-privileged user can attach the related record despite attach_<association>? being denied.
  • The parent record now includes the related record.

Impact

This vulnerability allows unauthorized relationship manipulation through Avo.

Depending on the affected association, the impact can include:

  • Privilege escalation by attaching a user to an admin group, privileged project, tenant, organization, role, or membership record.
  • Cross-tenant data exposure when tenant/user/project membership determines record visibility.
  • Integrity loss by changing ownership, assignment, access-control relationships, or business workflow state.
  • Policy bypass even when Avo UI controls correctly hide the attach button or deny the attach form.

Recommended Fix

Enforce attach authorization on the mutating endpoint.

At minimum:

before_action :authorize_attach_action, only: [:new, :create]

Additionally:

  1. Authorize against the parent record and the selected related record before writing the relationship.
  2. Ensure create fails closed when attach_<association>? is missing and explicit_authorization is enabled.
  3. Add regression tests that directly POST to /resources/:resource_name/:id/:related_name while attach_<association>? returns false.
  4. Verify has_many, has_one, has_many :through, and has_and_belongs_to_many association paths all enforce the same server-side authorization.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.32.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "avo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.32.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "avo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0.beta.1"
            },
            {
              "fixed": "4.0.0.beta.51"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T18:49:11Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nA critical missing authorization flaw exists in Avo\u0027s association attach workflow. The UI and `GET /resources/:resource/:id/:related/new` path can check `attach_\u003cassociation\u003e?`, but the actual write endpoint, `POST /resources/:resource/:id/:related`, does not run the same authorization check before mutating the association.\n\nAs a result, an authenticated low-privileged Avo user can bypass hidden/disabled attach controls and directly attach related records to a parent record by sending a crafted POST request. In applications where associations represent teams, tenants, roles, projects, users, memberships, ownership, or other authorization-bearing relationships, this can lead to privilege escalation and cross-tenant data exposure.\n\n## Details\n\nThe association attach route writes relationships through `Avo::AssociationsController#create`:\n\n```ruby\n# config/routes.rb\npost \"/:resource_name/:id/:related_name\", to: \"associations#create\", as: \"associations_create\"\n```\n\nThe controller registers an attach authorization callback only for `new`, not for `create`:\n\n```ruby\n# app/controllers/avo/associations_controller.rb\nbefore_action :set_attachment_record, only: [:create, :destroy]\nbefore_action :authorize_index_action, only: :index\nbefore_action :authorize_attach_action, only: :new\nbefore_action :authorize_detach_action, only: :destroy\n```\n\nThe `new` action is only the form-rendering step. The actual mutation happens in `create`:\n\n```ruby\ndef create\n  if create_association\n    create_success_action\n  else\n    create_fail_action\n  end\nend\n```\n\n`create_association` then attaches the attacker-supplied related record to the parent:\n\n```ruby\ndef create_association\n  association_name = BaseResource.valid_association_name(@record, association_from_params)\n\n  perform_action_and_record_errors do\n    if through_reflection? \u0026\u0026 additional_params.present?\n      new_join_record.save\n    elsif has_many_reflection? || through_reflection?\n      @record.send(association_name) \u003c\u003c @attachment_record\n    else\n      @record.send(:\"#{association_name}=\", @attachment_record)\n      @record.save!\n    end\n  end\nend\n```\n\nThe only attach-specific authorization helper is:\n\n```ruby\ndef authorize_attach_action\n  authorize_if_defined \"attach_#{@field.id}?\"\nend\n```\n\nBecause this helper is bound only to `new`, a policy that denies `attach_users?`, `attach_teams?`, `attach_roles?`, or similar methods blocks the UI/form path but does not protect the write path.\n\nThis is inconsistent with the detach path, which does authorize the mutating `destroy` action:\n\n```ruby\nbefore_action :authorize_detach_action, only: :destroy\n```\n\nThe bug is especially dangerous because Avo already treats association authorization as an access-control boundary in UI components:\n\n```ruby\n# lib/avo/concerns/checks_assoc_authorization.rb\nmethod_name = :\"#{policy_method}_#{association_name}?\".to_sym\n\nif service.has_method?(method_name, raise_exception: false)\n  service.authorize_action(method_name, record:, raise_exception: false)\nelse\n  !Avo.configuration.explicit_authorization\nend\n```\n\nHowever, server-side enforcement is missing on the actual attach POST endpoint.\n\n## Proof of Concept\n\nPrerequisites:\n\n1. A Rails application mounts Avo, for example at `/admin`.\n2. Avo authorization is enabled.\n3. A low-privileged user can authenticate to Avo.\n4. A parent record and a related record are both reachable by ID.\n5. The relevant policy denies attaching the relationship, for example:\n\n```ruby\ndef attach_users?\n  false\nend\n```\n\nExample target scenario:\n\n- Parent resource: `projects`\n- Parent ID: `1`\n- Related association: `users`\n- Related user ID to attach: `42`\n- Expected policy: low-privileged users must not be able to attach users to projects.\n\nThe UI/form request may be blocked:\n\n```http\nGET /admin/resources/projects/1/users/new\n```\n\nBut the direct write endpoint can still be invoked:\n\n```http\nPOST /admin/resources/projects/1/users\nContent-Type: application/x-www-form-urlencoded\n\nauthenticity_token=\u003cCSRF\u003e\u0026fields[related_id]=42\n```\n\nRun the attached PoC:\n\n```bash\npython poc_avo_association_attach_bypass.py \\\n  --base-url http://localhost:3000 \\\n  --avo-root /admin \\\n  --cookie \"_app_session=\u003cLOW_PRIVILEGED_SESSION_COOKIE\u003e\" \\\n  --parent-resource projects \\\n  --parent-id 1 \\\n  --related-name users \\\n  --related-id 42 \\\n  --check-new\n```\n\nIf `GET /new` is forbidden or redirected but the direct POST succeeds, the authorization bypass is confirmed.\n\nTo perform the actual attach:\n\n```bash\npython poc_avo_association_attach_bypass.py \\\n  --base-url http://localhost:3000 \\\n  --avo-root /admin \\\n  --cookie \"_app_session=\u003cLOW_PRIVILEGED_SESSION_COOKIE\u003e\" \\\n  --parent-resource projects \\\n  --parent-id 1 \\\n  --related-name users \\\n  --related-id 42 \\\n  --confirm-attach\n```\n\nExpected vulnerable result:\n\n- The low-privileged user can attach the related record despite `attach_\u003cassociation\u003e?` being denied.\n- The parent record now includes the related record.\n\n## Impact\n\nThis vulnerability allows unauthorized relationship manipulation through Avo.\n\nDepending on the affected association, the impact can include:\n\n- Privilege escalation by attaching a user to an admin group, privileged project, tenant, organization, role, or membership record.\n- Cross-tenant data exposure when tenant/user/project membership determines record visibility.\n- Integrity loss by changing ownership, assignment, access-control relationships, or business workflow state.\n- Policy bypass even when Avo UI controls correctly hide the attach button or deny the attach form.\n\n## Recommended Fix\n\nEnforce attach authorization on the mutating endpoint.\n\nAt minimum:\n\n```ruby\nbefore_action :authorize_attach_action, only: [:new, :create]\n```\n\nAdditionally:\n\n1. Authorize against the parent record and the selected related record before writing the relationship.\n2. Ensure `create` fails closed when `attach_\u003cassociation\u003e?` is missing and `explicit_authorization` is enabled.\n3. Add regression tests that directly POST to `/resources/:resource_name/:id/:related_name` while `attach_\u003cassociation\u003e?` returns `false`.\n4. Verify `has_many`, `has_one`, `has_many :through`, and `has_and_belongs_to_many` association paths all enforce the same server-side authorization.",
  "id": "GHSA-8fq9-273g-6mrg",
  "modified": "2026-06-17T18:49:11Z",
  "published": "2026-06-17T18:49:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/avo-hq/avo/security/advisories/GHSA-8fq9-273g-6mrg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/avo-hq/avo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.