CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-C739-F6XW-6PV2
Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-06-30 19:16Keycloak's Authorization Services feature exposes a User-Managed Access Protection API that include an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, an authenticated client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4630"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T19:16:10Z",
"nvd_published_at": "2026-05-19T12:16:19Z",
"severity": "MODERATE"
},
"details": "Keycloak\u0027s Authorization Services feature exposes a User-Managed Access Protection API that include an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource\u0027s unique identifier (UUID) belonging to another Resource Server within the same realm, an authenticated client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.",
"id": "GHSA-c739-f6xw-6pv2",
"modified": "2026-06-30T19:16:10Z",
"published": "2026-05-19T12:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4630"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/49115"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/49121"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/0cea089bd19f5061f5fd47099fd6fb41a17d8c55"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/1192267af8f16a7b722bdc2abbd3410c477388aa"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/4e9b17cbedb828b4afc6b62399eee317d4735234"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-4630"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450245"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak Protection API allows authenticated clients to access and modify resources owned by other Resource Servers"
}
GHSA-C73G-MX2W-CC93
Vulnerability from github – Published: 2025-11-09 21:30 – Updated: 2025-11-13 15:49A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@evershop/evershop"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-12919"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-99"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T15:49:51Z",
"nvd_published_at": "2025-11-09T20:15:34Z",
"severity": "LOW"
},
"details": "A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-c73g-mx2w-cc93",
"modified": "2025-11-13T15:49:51Z",
"published": "2025-11-09T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12919"
},
{
"type": "PACKAGE",
"url": "https://github.com/evershopcommerce/evershop"
},
{
"type": "WEB",
"url": "https://github.com/ictrun/Evershop-Order-leak/blob/main/README.md"
},
{
"type": "WEB",
"url": "https://github.com/ictrun/Evershop-Order-leak/blob/main/README.md#attack-steps"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.331639"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.331639"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.680788"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "EverShop is vulnerable to Unauthorized Order Information Access (IDOR)"
}
GHSA-C799-M99W-MPG7
Vulnerability from github – Published: 2025-12-03 06:31 – Updated: 2025-12-03 15:30The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure when to users with a role as low as Contributor.
{
"affected": [],
"aliases": [
"CVE-2025-12954"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-03T06:15:47Z",
"severity": "LOW"
},
"details": "The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure when to users with a role as low as Contributor.",
"id": "GHSA-c799-m99w-mpg7",
"modified": "2025-12-03T15:30:28Z",
"published": "2025-12-03T06:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12954"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/f15dd1ca-aa40-4d3b-9625-e3ace744374d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C7FM-JX59-WJF6
Vulnerability from github – Published: 2022-01-21 18:50 – Updated: 2022-01-20 16:14Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "remdex/livehelperchat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.92"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0266"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-20T16:14:41Z",
"nvd_published_at": "2022-01-19T06:15:00Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.",
"id": "GHSA-c7fm-jx59-wjf6",
"modified": "2022-01-20T16:14:41Z",
"published": "2022-01-21T18:50:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0266"
},
{
"type": "WEB",
"url": "https://github.com/livehelperchat/livehelperchat/commit/cc1122aed0d1ad9f05757eaea2ab9e6a924776bd"
},
{
"type": "PACKAGE",
"url": "https://github.com/livehelperchat/livehelperchat"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1ac267be-3af8-4774-89f2-77234d144d6b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authorization Bypass Through User-Controlled Key in LiveHelperChat"
}
GHSA-C7M9-R72H-M8V2
Vulnerability from github – Published: 2023-10-10 18:31 – Updated: 2023-12-21 03:30An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2023-44249"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-10T17:15:13Z",
"severity": "MODERATE"
},
"details": "An authorization bypass through user-controlled key\u00a0[CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests.",
"id": "GHSA-c7m9-r72h-m8v2",
"modified": "2023-12-21T03:30:33Z",
"published": "2023-10-10T18:31:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-x8rp-jfwc-gqqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44249"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C7R3-XX63-QF62
Vulnerability from github – Published: 2026-07-07 09:37 – Updated: 2026-07-07 09:37Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.
This issue affects Ontime: through 04052026.
{
"affected": [],
"aliases": [
"CVE-2026-5730"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T08:16:25Z",
"severity": "HIGH"
},
"details": "Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.\n\nThis issue affects Ontime: through 04052026.",
"id": "GHSA-c7r3-xx63-qf62",
"modified": "2026-07-07T09:37:53Z",
"published": "2026-07-07T09:37:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5730"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0503"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C7VR-VPM2-822G
Vulnerability from github – Published: 2025-02-19 09:33 – Updated: 2026-04-08 18:33The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users.
{
"affected": [],
"aliases": [
"CVE-2024-13719"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-19T08:15:20Z",
"severity": "MODERATE"
},
"details": "The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users.",
"id": "GHSA-c7vr-vpm2-822g",
"modified": "2026-04-08T18:33:49Z",
"published": "2025-02-19T09:33:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13719"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3244844%40pepro-ultimate-invoice\u0026new=3244844%40pepro-ultimate-invoice\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/pepro-ultimate-invoice"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46186f8d-e50c-476a-9480-b6121412474a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C827-PF9P-24MM
Vulnerability from github – Published: 2026-01-16 12:30 – Updated: 2026-01-23 18:31The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
{
"affected": [],
"aliases": [
"CVE-2025-14844"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T10:16:04Z",
"severity": "HIGH"
},
"details": "The Membership Plugin \u2013 Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the \u0027rcp_stripe_create_setup_intent_for_saved_card\u0027 function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.",
"id": "GHSA-c827-pf9p-24mm",
"modified": "2026-01-23T18:31:27Z",
"published": "2026-01-16T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14844"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/639.html"
},
{
"type": "WEB",
"url": "https://docs.stripe.com/api/setup_intents/object"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C8G9-CM5M-77PX
Vulnerability from github – Published: 2026-06-20 03:32 – Updated: 2026-06-20 03:32Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.
{
"affected": [],
"aliases": [
"CVE-2026-56215"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-20T01:16:16Z",
"severity": "HIGH"
},
"details": "Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim\u0027s corporate SSO email, causing the provision-user endpoint to merge the victim\u0027s SSO identity into the attacker-controlled account.",
"id": "GHSA-c8g9-cm5m-77px",
"modified": "2026-06-20T03:32:30Z",
"published": "2026-06-20T03:32:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-wqc6-fhwf-qpww"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56215"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/capgo-account-merge-via-poisoned-public-users-email-in-sso-provisioning"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C8HW-HM2H-46FP
Vulnerability from github – Published: 2026-07-17 06:30 – Updated: 2026-07-17 06:30The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data — including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms — as a downloadable XLSX file.
{
"affected": [],
"aliases": [
"CVE-2026-15159"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-17T04:16:50Z",
"severity": "MODERATE"
},
"details": "The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the \u0027spreadsheet_export_form_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data \u2014 including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms \u2014 as a downloadable XLSX file.",
"id": "GHSA-c8hw-hm2h-46fp",
"modified": "2026-07-17T06:30:59Z",
"published": "2026-07-17T06:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15159"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ninja-forms-excel-export/trunk/ninja-forms-excel-export.php#L187"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/783ccf21-db16-4aac-9a3c-992b3aac5526?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.