Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3254 vulnerabilities reference this CWE, most recent first.

GHSA-9559-P654-PM2C

Vulnerability from github – Published: 2025-09-02 15:31 – Updated: 2026-06-06 09:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft ProKuafor allows Resource Leak Exposure.This issue affects ProKuafor: from s1.02.07 before v1.02.08.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-02T14:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft ProKuafor allows Resource Leak Exposure.This issue affects ProKuafor: from s1.02.07 before v1.02.08.",
  "id": "GHSA-9559-p654-pm2c",
  "modified": "2026-06-06T09:31:12Z",
  "published": "2025-09-02T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0670"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0204"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0204"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-958H-QP3X-Q4GJ

Vulnerability from github – Published: 2026-05-05 22:16 – Updated: 2026-05-13 14:20
VLAI
Summary
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
Details

Summary

plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim.

Details

AVideo's PayPalYPT plugin ships two near-duplicate endpoints that cancel a PayPal billing agreement. Only one of them enforces ownership:

  • plugin/PayPalYPT/PayPalAgreementCancel.json.php:19 — correctly requires either admin or the agreement's owner: php if (!User::isAdmin() && !Subscription::isAgreementFromUser($_POST['agreement_id'], User::getId())) { $obj->msg = "Only the owner can delete his agreement"; die(json_encode($obj)); }

  • plugin/PayPalYPT/agreementCancel.json.php:9-26 — only checks User::isLogged() (in fact twice, redundantly) and then calls the cancellation directly:

php if (!User::isLogged()) { ... die; } // line 9 if (empty($_REQUEST['agreement'])) { ... die; } // line 14 if (!User::isLogged()) { ... die; } // line 19 — duplicate; no ownership check $plugin = AVideoPlugin::loadPluginIfEnabled("PayPalYPT"); $agreement = PayPalYPT::cancelAgreement($_REQUEST['agreement']); // line 26

PayPalYPT::cancelAgreement() at plugin/PayPalYPT/PayPalYPT.php:548-566 resolves the agreement ID against PayPal and calls $createdAgreement->suspend($agreementStateDescriptor, $apiContext) unconditionally — the server does not verify that the logged-in user's users_id matches the owner recorded in PayPalYPT_log (or wherever the agreement was registered):

public static function cancelAgreement($agreement_id)
{
    ...
    $createdAgreement = self::getBillingAgreement($agreement_id);
    try {
        $createdAgreement->suspend($agreementStateDescriptor, $apiContext);
        return Agreement::get($createdAgreement->getId(), $apiContext);
    } catch (Exception $ex) {
        return false;
    }
}

The intended UI caller is subscriptions_list.php:84 which posts the current user's own agreement IDs — but the server accepts any agreement parameter from any logged-in user. Agreement IDs can leak via _error_log entries written in agreementCancel.json.php:34 and webhook.php during normal operation, via PayPal receipt emails, or via other administrative and payment-log screens. No CSRF token is required, but the root defect is missing authorization, not CSRF.

PoC

  1. Log in as any low-privilege user (registered subscriber, commenter, free-tier account created via signUp).
  2. Obtain the target's PayPal agreement ID (e.g., I-ABCD1234XYZ). This may come from server error logs, email receipts, admin/payment screens, or other disclosures.
  3. Send the request with the victim's agreement ID:

bash curl -X POST 'https://target.example/plugin/PayPalYPT/agreementCancel.json.php' \ -b 'PHPSESSID=<attacker_session>' \ -d 'agreement=I-ABCD1234XYZ'

  1. Expected response: json {"error":false,"msg":""} The victim's billing agreement is suspended at PayPal via Agreement::suspend() (PayPalYPT.php:560). The victim stops being billed; AVideo subsequently reflects the subscription as inactive.

Impact

  • Any authenticated user can silently cancel another user's active PayPal recurring billing agreement.
  • Revenue disruption for the platform operator — any affected subscribers stop being billed.
  • Service disruption for the victim — their paid subscription lapses.
  • The defect is purely an authorization gap; the sister endpoint PayPalAgreementCancel.json.php demonstrates that the owner/admin check was intentional for this action but was not applied to this duplicate.

Recommended Fix

Port the ownership check from the sister endpoint into agreementCancel.json.php:

if (!User::isAdmin() && !Subscription::isAgreementFromUser($_REQUEST['agreement'], User::getId())) {
    $obj->msg = "Only the owner can cancel this agreement";
    die(json_encode($obj));
}

Alternative, preferred remediation: delete the duplicate agreementCancel.json.php entirely and point the cancelAgreement() JS helper in subscriptions_list.php:84 at the already-protected PayPalAgreementCancel.json.php endpoint (sending the expected agreement_id POST field). While patching, also remove the redundant second User::isLogged() branch at line 19.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T22:16:12Z",
    "nvd_published_at": "2026-05-11T22:22:12Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`plugin/PayPalYPT/agreementCancel.json.php` cancels a PayPal billing agreement using an attacker-supplied `agreement` parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user\u0027s PayPal billing agreement ID can silently suspend the victim\u0027s recurring subscription, causing revenue loss to the platform and loss of paid service to the victim.\n\n## Details\n\nAVideo\u0027s PayPalYPT plugin ships two near-duplicate endpoints that cancel a PayPal billing agreement. Only one of them enforces ownership:\n\n- `plugin/PayPalYPT/PayPalAgreementCancel.json.php:19` \u2014 correctly requires either admin or the agreement\u0027s owner:\n  ```php\n  if (!User::isAdmin() \u0026\u0026 !Subscription::isAgreementFromUser($_POST[\u0027agreement_id\u0027], User::getId())) {\n      $obj-\u003emsg = \"Only the owner can delete his agreement\";\n      die(json_encode($obj));\n  }\n  ```\n\n- `plugin/PayPalYPT/agreementCancel.json.php:9-26` \u2014 only checks `User::isLogged()` (in fact twice, redundantly) and then calls the cancellation directly:\n\n  ```php\n  if (!User::isLogged()) { ... die; }              // line 9\n  if (empty($_REQUEST[\u0027agreement\u0027])) { ... die; }   // line 14\n  if (!User::isLogged()) { ... die; }              // line 19 \u2014 duplicate; no ownership check\n  $plugin = AVideoPlugin::loadPluginIfEnabled(\"PayPalYPT\");\n  $agreement = PayPalYPT::cancelAgreement($_REQUEST[\u0027agreement\u0027]);  // line 26\n  ```\n\n`PayPalYPT::cancelAgreement()` at `plugin/PayPalYPT/PayPalYPT.php:548-566` resolves the agreement ID against PayPal and calls `$createdAgreement-\u003esuspend($agreementStateDescriptor, $apiContext)` unconditionally \u2014 the server does not verify that the logged-in user\u0027s `users_id` matches the owner recorded in `PayPalYPT_log` (or wherever the agreement was registered):\n\n```php\npublic static function cancelAgreement($agreement_id)\n{\n    ...\n    $createdAgreement = self::getBillingAgreement($agreement_id);\n    try {\n        $createdAgreement-\u003esuspend($agreementStateDescriptor, $apiContext);\n        return Agreement::get($createdAgreement-\u003egetId(), $apiContext);\n    } catch (Exception $ex) {\n        return false;\n    }\n}\n```\n\nThe intended UI caller is `subscriptions_list.php:84` which posts the current user\u0027s own agreement IDs \u2014 but the server accepts any `agreement` parameter from any logged-in user. Agreement IDs can leak via `_error_log` entries written in `agreementCancel.json.php:34` and `webhook.php` during normal operation, via PayPal receipt emails, or via other administrative and payment-log screens. No CSRF token is required, but the root defect is missing authorization, not CSRF.\n\n## PoC\n\n1. Log in as any low-privilege user (registered subscriber, commenter, free-tier account created via `signUp`).\n2. Obtain the target\u0027s PayPal agreement ID (e.g., `I-ABCD1234XYZ`). This may come from server error logs, email receipts, admin/payment screens, or other disclosures.\n3. Send the request with the victim\u0027s agreement ID:\n\n   ```bash\n   curl -X POST \u0027https://target.example/plugin/PayPalYPT/agreementCancel.json.php\u0027 \\\n     -b \u0027PHPSESSID=\u003cattacker_session\u003e\u0027 \\\n     -d \u0027agreement=I-ABCD1234XYZ\u0027\n   ```\n\n4. Expected response:\n   ```json\n   {\"error\":false,\"msg\":\"\"}\n   ```\n   The victim\u0027s billing agreement is suspended at PayPal via `Agreement::suspend()` (PayPalYPT.php:560). The victim stops being billed; AVideo subsequently reflects the subscription as inactive.\n\n## Impact\n\n- Any authenticated user can silently cancel another user\u0027s active PayPal recurring billing agreement.\n- Revenue disruption for the platform operator \u2014 any affected subscribers stop being billed.\n- Service disruption for the victim \u2014 their paid subscription lapses.\n- The defect is purely an authorization gap; the sister endpoint `PayPalAgreementCancel.json.php` demonstrates that the owner/admin check was intentional for this action but was not applied to this duplicate.\n\n## Recommended Fix\n\nPort the ownership check from the sister endpoint into `agreementCancel.json.php`:\n\n```php\nif (!User::isAdmin() \u0026\u0026 !Subscription::isAgreementFromUser($_REQUEST[\u0027agreement\u0027], User::getId())) {\n    $obj-\u003emsg = \"Only the owner can cancel this agreement\";\n    die(json_encode($obj));\n}\n```\n\nAlternative, preferred remediation: delete the duplicate `agreementCancel.json.php` entirely and point the `cancelAgreement()` JS helper in `subscriptions_list.php:84` at the already-protected `PayPalAgreementCancel.json.php` endpoint (sending the expected `agreement_id` POST field). While patching, also remove the redundant second `User::isLogged()` branch at line 19.",
  "id": "GHSA-958h-qp3x-q4gj",
  "modified": "2026-05-13T14:20:37Z",
  "published": "2026-05-05T22:16:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43883"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements"
}

GHSA-9672-4FH3-MCFG

Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-11 12:00
VLAI
Details

Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-10T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project\u0027s Audit Events and Developers or Maintainers to view the group\u0027s Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.",
  "id": "GHSA-9672-4fh3-mcfg",
  "modified": "2022-11-11T12:00:29Z",
  "published": "2022-11-10T12:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3413"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3413.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/374926"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96C8-XGPW-CF29

Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2025-05-30 18:30
VLAI
Details

An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization when listing the history of another user via a modified "vaultize_session_id" value in a cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-25T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization when listing the history of another user via a modified \"vaultize_session_id\" value in a cookie.",
  "id": "GHSA-96c8-xgpw-cf29",
  "modified": "2025-05-30T18:30:33Z",
  "published": "2022-05-13T01:48:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10211"
    },
    {
      "type": "WEB",
      "url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2018-10211"
    },
    {
      "type": "WEB",
      "url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-10211"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96CQ-CJ7W-27G2

Vulnerability from github – Published: 2023-04-05 21:30 – Updated: 2023-04-12 21:30
VLAI
Details

An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-05T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim\u0027s epic in an unrelated group.",
  "id": "GHSA-96cq-cj7w-27g2",
  "modified": "2023-04-12T21:30:21Z",
  "published": "2023-04-05T21:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1417"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1892200"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1417.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/396720"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-972W-3XCP-6VCV

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-02T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.",
  "id": "GHSA-972w-3xcp-6vcv",
  "modified": "2022-05-24T17:40:45Z",
  "published": "2022-05-24T17:40:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36231"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-72002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-978C-95PR-X896

Vulnerability from github – Published: 2026-06-05 15:32 – Updated: 2026-06-05 15:32
VLAI
Details

Authorization bypass through User-Controlled key vulnerability in HAVELSAN Inc. Geographic Tracking System allows Exploitation of Trusted Identifiers.

This issue affects Geographic Tracking System: before v0.0.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T15:16:53Z",
    "severity": "CRITICAL"
  },
  "details": "Authorization bypass through User-Controlled key vulnerability in HAVELSAN Inc. Geographic Tracking System allows Exploitation of Trusted Identifiers.\n\nThis issue affects Geographic Tracking System: before v0.0.2.",
  "id": "GHSA-978c-95pr-x896",
  "modified": "2026-06-05T15:32:26Z",
  "published": "2026-06-05T15:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6208"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97F9-42CR-FPVX

Vulnerability from github – Published: 2025-08-05 18:30 – Updated: 2025-08-05 18:30
VLAI
Details

Insecure Direct Object Reference (IDOR) vulnerability in PdfHandler component in Agenzia Impresa Eccobook v2.81.1 and below allows unauthenticated attackers to read confidential documents via the DocumentoId parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-05T18:15:34Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability in PdfHandler component in Agenzia Impresa Eccobook v2.81.1 and below allows unauthenticated attackers to read confidential documents via the DocumentoId parameter.",
  "id": "GHSA-97f9-42cr-fpvx",
  "modified": "2025-08-05T18:30:44Z",
  "published": "2025-08-05T18:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51628"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CapgeminiCisRedTeam/Disclosure/blob/main/CVE%20PoC/CVE-2025-51628%20%7C%20Eccobook.md"
    },
    {
      "type": "WEB",
      "url": "http://agenzia.com"
    },
    {
      "type": "WEB",
      "url": "http://eccobook.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97R2-X6VV-3CX9

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-26 21:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:34Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through \u003c= 1.2.",
  "id": "GHSA-97r2-x6vv-3cx9",
  "modified": "2026-01-26T21:30:32Z",
  "published": "2026-01-22T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22426"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-985F-72MJ-8GF7

Vulnerability from github – Published: 2026-06-18 13:04 – Updated: 2026-06-18 13:04
VLAI
Summary
OpenClaw: Tool group policy callers could accept unvalidated group IDs
Details

Summary

Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id.

This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

Impact

When the affected feature is enabled and reachable, this could apply the wrong group-policy decision for a tool invocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

Patched Versions

The first stable patched version is 2026.4.25.

Mitigations

avoid exposing group-policy controlled tools to untrusted senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.4.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:04:37Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nTool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could apply the wrong group-policy decision for a tool invocation. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.4.25`.\n\n### Mitigations\n\navoid exposing group-policy controlled tools to untrusted senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
  "id": "GHSA-985f-72mj-8gf7",
  "modified": "2026-06-18T13:04:37Z",
  "published": "2026-06-18T13:04:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-985f-72mj-8gf7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53863"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-unvalidated-group-id-acceptance-in-tool-group-policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Tool group policy callers could accept unvalidated group IDs"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.