CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-9PGG-CP8M-QJGP
Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
{
"affected": [],
"aliases": [
"CVE-2023-38055"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T11:15:12Z",
"severity": "CRITICAL"
},
"details": "A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.",
"id": "GHSA-9pgg-cp8m-qjgp",
"modified": "2024-07-09T12:30:56Z",
"published": "2024-07-09T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38055"
},
{
"type": "WEB",
"url": "https://github.com/alextselegidis/easyappointments"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9PGH-M953-MHJQ
Vulnerability from github – Published: 2025-11-20 21:30 – Updated: 2025-11-20 21:30Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by other accounts
{
"affected": [],
"aliases": [
"CVE-2025-52670"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-20T20:16:23Z",
"severity": "HIGH"
},
"details": "Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by other accounts",
"id": "GHSA-9pgh-m953-mhjq",
"modified": "2025-11-20T21:30:32Z",
"published": "2025-11-20T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52670"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3401612"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9PJC-WJHH-78C6
Vulnerability from github – Published: 2025-08-20 09:30 – Updated: 2026-06-05 15:32Authorization Bypass Through User-Controlled Key vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online allows Exploitation of Trusted Identifiers.This issue affects Pik Online: before 3.1.5.
{
"affected": [],
"aliases": [
"CVE-2025-5261"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-20T09:15:28Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Pik Online Yaz\u0131l\u0131m \u00c7\u00f6z\u00fcmleri A.\u015e. Pik Online allows Exploitation of Trusted Identifiers.This issue affects Pik Online: before 3.1.5.",
"id": "GHSA-9pjc-wjhh-78c6",
"modified": "2026-06-05T15:32:04Z",
"published": "2025-08-20T09:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5261"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0201"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9PM8-VWC5-W2HM
Vulnerability from github – Published: 2026-04-14 01:07 – Updated: 2026-04-14 01:07Impact
Authenticated users can delete emails imported into the system assigned to another user; where the Email Dropbox is in use.
Patches
Fixed in v0.26.0
Workarounds
Disable use of email dropbox.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "fat_free_crm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T01:07:01Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nAuthenticated users can delete emails imported into the system assigned to another user; where the [Email Dropbox](https://github.com/fatfreecrm/fat_free_crm/wiki/Email-Dropbox) is in use.\n\n### Patches\n\nFixed in v0.26.0\n\n### Workarounds\n\nDisable use of email dropbox.",
"id": "GHSA-9pm8-vwc5-w2hm",
"modified": "2026-04-14T01:07:01Z",
"published": "2026-04-14T01:07:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fatfreecrm/fat_free_crm/security/advisories/GHSA-9pm8-vwc5-w2hm"
},
{
"type": "PACKAGE",
"url": "https://github.com/fatfreecrm/fat_free_crm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID"
}
GHSA-9Q2G-Q3M6-47RX
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-23 21:30Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NextMove Lite: from n/a through <= 2.23.0.
{
"affected": [],
"aliases": [
"CVE-2026-24599"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T15:16:18Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NextMove Lite: from n/a through \u003c= 2.23.0.",
"id": "GHSA-9q2g-q3m6-47rx",
"modified": "2026-01-23T21:30:43Z",
"published": "2026-01-23T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24599"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9Q3F-683M-G467
Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2026-06-05 12:31Authorization Bypass Through User-Controlled Key vulnerability in Nebula Informatics SecHard allows Parameter Injection. This issue requires low privileges such as a user.This issue affects SecHard: before 3.6.2-20250805.
{
"affected": [],
"aliases": [
"CVE-2025-8463"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T13:15:34Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Nebula Informatics SecHard allows Parameter Injection. This issue requires low privileges such as a user.This issue affects SecHard: before 3.6.2-20250805.",
"id": "GHSA-9q3f-683m-g467",
"modified": "2026-06-05T12:31:41Z",
"published": "2025-09-17T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8463"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0271"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0271"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9Q42-6557-VQCF
Vulnerability from github – Published: 2025-01-03 09:30 – Updated: 2025-01-03 09:30The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker.
{
"affected": [],
"aliases": [
"CVE-2024-12132"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-03T09:15:05Z",
"severity": "MODERATE"
},
"details": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker.",
"id": "GHSA-9q42-6557-vqcf",
"modified": "2025-01-03T09:30:47Z",
"published": "2025-01-03T09:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12132"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3210251"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d19ac6fc-029f-4f19-913e-e082acecc594?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9Q66-9QQ3-H395
Vulnerability from github – Published: 2026-06-09 09:32 – Updated: 2026-06-12 18:31An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges.
We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later
{
"affected": [],
"aliases": [
"CVE-2026-44083"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T08:16:28Z",
"severity": "HIGH"
},
"details": "An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges.\n\nWe have already fixed the vulnerability in the following version:\nQuMagie 2.9.1 and later",
"id": "GHSA-9q66-9qq3-h395",
"modified": "2026-06-12T18:31:48Z",
"published": "2026-06-09T09:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44083"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9QGJ-R9FJ-454P
Vulnerability from github – Published: 2026-07-10 21:32 – Updated: 2026-07-10 21:32Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.
{
"affected": [],
"aliases": [
"CVE-2026-61460"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T19:17:27Z",
"severity": "HIGH"
},
"details": "Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.",
"id": "GHSA-9qgj-r9fj-454p",
"modified": "2026-07-10T21:32:32Z",
"published": "2026-07-10T21:32:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61460"
},
{
"type": "WEB",
"url": "https://github.com/krayin/laravel-crm/issues/2559"
},
{
"type": "WEB",
"url": "https://github.com/krayin/laravel-crm/pull/2567"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/krayin-crm-insecure-direct-object-reference-via-controllers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9R26-5W88-QHP9
Vulnerability from github – Published: 2024-02-19 18:31 – Updated: 2025-01-23 22:27Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25983"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T00:08:11Z",
"nvd_published_at": "2024-02-19T17:15:09Z",
"severity": "MODERATE"
},
"details": "Insufficient checks in a web service made it possible to add comments to the comments block on another user\u0027s dashboard when it was not otherwise available (e.g., on their profile page).",
"id": "GHSA-9r26-5w88-qhp9",
"modified": "2025-01-23T22:27:56Z",
"published": "2024-02-19T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25983"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/4cae44dd0e9a7da47d08d9b75e0ebba0e4b422f4"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264099"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=455641"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-78300"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authorization Bypass in moodle"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.