CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-C3V3-8WVP-5MG4
Vulnerability from github – Published: 2023-10-19 12:30 – Updated: 2024-04-04 08:47Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.
{
"affected": [],
"aliases": [
"CVE-2022-24401"
],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-19T10:15:09Z",
"severity": "HIGH"
},
"details": "Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.",
"id": "GHSA-c3v3-8wvp-5mg4",
"modified": "2024-04-04T08:47:15Z",
"published": "2023-10-19T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24401"
},
{
"type": "WEB",
"url": "https://tetraburst.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C4WM-H8MM-VR45
Vulnerability from github – Published: 2024-01-09 12:30 – Updated: 2024-01-09 12:30A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.7). The "intermediate installation" system state of the affected application allows an attacker to add their own login credentials to the device. This allows an attacker to remotely login as root and take control of the device even after the affected device is fully set up.
{
"affected": [],
"aliases": [
"CVE-2023-49251"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T10:15:19Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC CN 4100 (All versions \u003c V2.7). The \"intermediate installation\" system state of the affected application allows an attacker to add their own login credentials to the device. This allows an attacker to remotely login as root and take control of the device even after the affected device is fully set up.",
"id": "GHSA-c4wm-h8mm-vr45",
"modified": "2024-01-09T12:30:36Z",
"published": "2024-01-09T12:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49251"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-777015.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C538-9356-XGVR
Vulnerability from github – Published: 2023-10-03 15:30 – Updated: 2024-04-04 08:11Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.
{
"affected": [],
"aliases": [
"CVE-2023-2544"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-03T14:15:10Z",
"severity": "MODERATE"
},
"details": "Authorization bypass vulnerability in UPV PEIX, affecting the component \"pdf_curri_new.php\". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.",
"id": "GHSA-c538-9356-xgvr",
"modified": "2024-04-04T08:11:08Z",
"published": "2023-10-03T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2544"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-upv-peix"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C572-8296-M5R9
Vulnerability from github – Published: 2024-12-18 06:30 – Updated: 2024-12-18 06:30The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naevents_elementor_template shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-12061"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-18T04:15:07Z",
"severity": "MODERATE"
},
"details": "The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naevents_elementor_template shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
"id": "GHSA-c572-8296-m5r9",
"modified": "2024-12-18T06:30:49Z",
"published": "2024-12-18T06:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12061"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3208546%40events-addon-for-elementor\u0026new=3208546%40events-addon-for-elementor\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f59d9d8a-467a-4920-963a-da45f1f4462f?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C5CF-2XW6-JFPR
Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
{
"affected": [],
"aliases": [
"CVE-2025-26857"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T22:15:17Z",
"severity": "MODERATE"
},
"details": "Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).",
"id": "GHSA-c5cf-2xw6-jfpr",
"modified": "2025-04-16T00:31:36Z",
"published": "2025-04-16T00:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26857"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C67V-FPQG-F8J8
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-23 22:35Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Reviews: from n/a through <= 3.2.16.
{
"affected": [],
"aliases": [
"CVE-2026-24634"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T15:16:23Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Reviews: from n/a through \u003c= 3.2.16.",
"id": "GHSA-c67v-fpqg-f8j8",
"modified": "2026-01-23T22:35:53Z",
"published": "2026-01-23T15:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24634"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-reviews/vulnerability/wordpress-ultimate-reviews-plugin-3-2-16-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C68J-5PRP-RC5R
Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2024-04-17 12:32Michlol - rashim web interface Insecure direct object references (IDOR). First of all, the attacker needs to login. After he performs log into the system there are some functionalities that the specific user is not allowed to perform. However all the attacker needs to do in order to achieve his goals is to change the value of the ptMsl parameter and then the attacker can access sensitive data that he not supposed to access because its belong to another user.
{
"affected": [],
"aliases": [
"CVE-2022-34769"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-05T16:15:00Z",
"severity": "MODERATE"
},
"details": "Michlol - rashim web interface Insecure direct object references (IDOR). First of all, the attacker needs to login. After he performs log into the system there are some functionalities that the specific user is not allowed to perform. However all the attacker needs to do in order to achieve his goals is to change the value of the ptMsl parameter and then the attacker can access sensitive data that he not supposed to access because its belong to another user.",
"id": "GHSA-c68j-5prp-rc5r",
"modified": "2024-04-17T12:32:02Z",
"published": "2022-08-06T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34769"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C6V2-3FFM-VCMC
Vulnerability from github – Published: 2026-06-26 21:29 – Updated: 2026-06-26 21:29Summary
The web UI (/ui/*) does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator (for example, one created via self-registration or OIDC) can access resources belonging to other operators.
Impact
A non-admin operator can:
- Block or delete any other operator's host.
POST /ui/hosts/{id}/blockandDELETE /ui/hosts/{id}act on the URLidwith no ownership check, so a non-admin can block (revoking the host's certificate via the blocklist) or delete any host in the deployment — a cross-operator denial of service. - Read every operator's hosts and networks. The dashboard,
/ui/hosts, the host detail page,/ui/networks(including the create-form error re-render), and the/ui/eventsstream all return data across all operators, exposing host names, Nebula IPs, public IPs, certificate fingerprints and expiry, and network names and CIDRs.
This is the same cross-operator class as GHSA-598g; that remediation covered the JSON API but not the web read/mutation surface. The host create/edit/mobile-bundle/network-create paths and all CA-management routes were already correctly scoped.
Affected handlers (internal/web): handleHostDetail, handleHostBlock, handleHostDelete, handleDashboard, handlePartialStats, handleHosts, handleNetworks, renderNetworksError, handleHostEvents.
Conditions
Exposure requires at least one non-admin operator to exist (self-registration enabled, OIDC, or an admin-created user). A single-admin deployment with no additional operators is not affected.
Fix
A complete candidate fix with regression tests is ready in a private repository shared with the maintainer (ak2k/nebula-mesh-ghsa-web, PR #1): scope these handlers to the session operator's owned CAs (admins keep the full view), mirroring the API's ownership checks.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/juev/nebula-mesh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49258"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:29:02Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe web UI (`/ui/*`) does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator (for example, one created via self-registration or OIDC) can access resources belonging to other operators.\n\n## Impact\n\nA non-admin operator can:\n\n- **Block or delete any other operator\u0027s host.** `POST /ui/hosts/{id}/block` and `DELETE /ui/hosts/{id}` act on the URL `id` with no ownership check, so a non-admin can block (revoking the host\u0027s certificate via the blocklist) or delete any host in the deployment \u2014 a cross-operator denial of service.\n- **Read every operator\u0027s hosts and networks.** The dashboard, `/ui/hosts`, the host detail page, `/ui/networks` (including the create-form error re-render), and the `/ui/events` stream all return data across all operators, exposing host names, Nebula IPs, public IPs, certificate fingerprints and expiry, and network names and CIDRs.\n\nThis is the same cross-operator class as GHSA-598g; that remediation covered the JSON API but not the web read/mutation surface. The host create/edit/mobile-bundle/network-create paths and all CA-management routes were already correctly scoped.\n\nAffected handlers (`internal/web`): `handleHostDetail`, `handleHostBlock`, `handleHostDelete`, `handleDashboard`, `handlePartialStats`, `handleHosts`, `handleNetworks`, `renderNetworksError`, `handleHostEvents`.\n\n## Conditions\n\nExposure requires at least one non-admin operator to exist (self-registration enabled, OIDC, or an admin-created user). A single-admin deployment with no additional operators is not affected.\n\n## Fix\n\nA complete candidate fix with regression tests is ready in a private repository shared with the maintainer (`ak2k/nebula-mesh-ghsa-web`, PR #1): scope these handlers to the session operator\u0027s owned CAs (admins keep the full view), mirroring the API\u0027s ownership checks.",
"id": "GHSA-c6v2-3ffm-vcmc",
"modified": "2026-06-26T21:29:02Z",
"published": "2026-06-26T21:29:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/juev/nebula-mesh/security/advisories/GHSA-c6v2-3ffm-vcmc"
},
{
"type": "PACKAGE",
"url": "https://github.com/juev/nebula-mesh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)"
}
GHSA-C6WH-53MQ-4GR9
Vulnerability from github – Published: 2025-05-15 21:31 – Updated: 2025-05-16 18:31The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts
{
"affected": [],
"aliases": [
"CVE-2024-12767"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-15T20:15:37Z",
"severity": "HIGH"
},
"details": "The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts",
"id": "GHSA-c6wh-53mq-4gr9",
"modified": "2025-05-16T18:31:05Z",
"published": "2025-05-15T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12767"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/e8997f90-d8e9-4815-8808-aa0183443dae"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C6WW-CJ2Q-F8XM
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
{
"affected": [],
"aliases": [
"CVE-2025-14802"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:16:56Z",
"severity": "MODERATE"
},
"details": "The LearnPress \u2013 WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher\u0027s file_id.",
"id": "GHSA-c6ww-cj2q-f8xm",
"modified": "2026-01-07T12:31:23Z",
"published": "2026-01-07T12:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14802"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.