CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-CHFM-CM6H-Q5X7
Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 18:50Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team thanks Tristan Madani for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-7881"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T18:50:44Z",
"nvd_published_at": "2026-05-21T22:16:48Z",
"severity": "MODERATE"
},
"details": "Concrete CMS 9.5.0 and below is subject to\u00a0Insecure Direct Object Reference\u00a0(IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions.\u00a0The Concrete CMS security team thanks\u00a0Tristan Madani for reporting this issue.",
"id": "GHSA-chfm-cm6h-q5x7",
"modified": "2026-06-24T18:50:44Z",
"published": "2026-05-22T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7881"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS is subject to\u00a0Insecure Direct Object Reference\u00a0(IDOR) in the Express Entry Detail block"
}
GHSA-CHH8-G4VH-2577
Vulnerability from github – Published: 2023-06-15 21:30 – Updated: 2024-04-04 04:52In checkKeyIntentParceledCorrectly() of ActivityManagerService.java, there is a possible bypass of Parcel Mismatch mitigations due to a logic error in the code. This could lead to local escalation of privilege and the ability to launch arbitrary activities in settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-265015796
{
"affected": [],
"aliases": [
"CVE-2023-21131"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-15T19:15:09Z",
"severity": "HIGH"
},
"details": "In checkKeyIntentParceledCorrectly() of ActivityManagerService.java, there is a possible bypass of Parcel Mismatch mitigations due to a logic error in the code. This could lead to local escalation of privilege and the ability to launch arbitrary activities in settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-265015796",
"id": "GHSA-chh8-g4vh-2577",
"modified": "2024-04-04T04:52:28Z",
"published": "2023-06-15T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21131"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CHJ8-VPXQ-7RVM
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2024-05-14 21:34In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".
{
"affected": [],
"aliases": [
"CVE-2021-36388"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-14T19:15:00Z",
"severity": "HIGH"
},
"details": "In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page \"MIIAvatarImage.i4\".",
"id": "GHSA-chj8-vpxq-7rvm",
"modified": "2024-05-14T21:34:39Z",
"published": "2022-05-24T19:17:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36388"
},
{
"type": "WEB",
"url": "https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities"
},
{
"type": "WEB",
"url": "https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html"
},
{
"type": "WEB",
"url": "https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Oct/15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CHMF-M33P-PH8M
Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-04-25 16:52A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0-beta"
},
{
"fixed": "4.3.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0-beta"
},
{
"fixed": "4.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3636"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-25T16:52:02Z",
"nvd_published_at": "2025-04-25T15:15:37Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.",
"id": "GHSA-chmf-m33p-ph8m",
"modified": "2025-04-25T16:52:03Z",
"published": "2025-04-25T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3636"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/0bd97209ac5e217dbec236c73e4f6fdcaee1c737"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3636"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359726"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=467598"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-84499"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle allows IDOR in RSS block, which allows access to additional RSS feeds"
}
GHSA-CJ3H-CXQX-F7FW
Vulnerability from github – Published: 2026-07-09 21:31 – Updated: 2026-07-10 18:32An issue in docuForm GmbH Client v.11.11c allows a remote attacker to execute arbitrary code via the file upload and report.php component
{
"affected": [],
"aliases": [
"CVE-2026-51924"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T21:16:55Z",
"severity": "HIGH"
},
"details": "An issue in docuForm GmbH Client v.11.11c allows a remote attacker to execute arbitrary code via the file upload and report.php component",
"id": "GHSA-cj3h-cxqx-f7fw",
"modified": "2026-07-10T18:32:08Z",
"published": "2026-07-09T21:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-51924"
},
{
"type": "WEB",
"url": "https://docuform.de"
},
{
"type": "WEB",
"url": "https://gist.github.com/ZeroBreach-GmbH"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJ87-VV3F-MMXJ
Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-21 12:30An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.
{
"affected": [],
"aliases": [
"CVE-2022-3589"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-21T10:15:00Z",
"severity": "HIGH"
},
"details": "An API Endpoint used by Miele\u0027s \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.",
"id": "GHSA-cj87-vv3f-mmxj",
"modified": "2022-11-21T12:30:17Z",
"published": "2022-11-21T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3589"
},
{
"type": "WEB",
"url": "https://cert.vde.com/de/advisories/VDE-2022-052"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJ8F-2FHF-826R
Vulnerability from github – Published: 2026-06-25 17:07 – Updated: 2026-06-25 17:07Summary
Description
An Authorization Bypass Through User-Controlled Key (CWE-639) exists in OpenAM's stateful OAuth2 token-read path. Under certain conditions, this may allow an attacker to forge OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject, client, realm, and scope. This affects OpenAM Community Edition through version 16.0.6.
The OAuth2 token-read path reads caller-supplied token identifiers from the shared Core Token Store (CTS) without placing them in an OAuth-only namespace and without binding the row's trusted CTS type to the expected OAuth token family, so any CTS row whose BLOB claims to be an OAuth token is accepted on the read path with no integrity check.
Impact
OpenAM Community Edition deployments through version 16.0.6 with the OAuth2 Provider service enabled in a realm are potentially affected, but the vulnerable read path is only reachable once an attacker can place attacker-controlled JSON into the shared CTS under an identifier they know. For example, an anonymous Push Notification SNS callback handler, reachable by any low-privileged user in a Push Notification-enabled realm after a single legitimate Push registration can trigger the exploit.
In any deployment where such a primitive exists, an attacker can forge OAuth2 bearer tokens with attacker-chosen userName, clientID, realm, and scope. The compromise does not by itself create an OpenAM SSO session or grant admin-console access.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openidentityplatform.openam:openam-oauth2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46498"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T17:07:58Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n**Description**\n\nAn Authorization Bypass Through User-Controlled Key (CWE-639) exists in OpenAM\u0027s stateful OAuth2 token-read path. Under certain conditions, this may allow an attacker to forge OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject, client, realm, and scope. This affects OpenAM Community Edition through version 16.0.6.\n\nThe OAuth2 token-read path reads caller-supplied token identifiers from the shared Core Token Store (CTS) without placing them in an OAuth-only namespace and without binding the row\u0027s trusted CTS type to the expected OAuth token family, so any CTS row whose BLOB claims to be an OAuth token is accepted on the read path with no integrity check.\n\n## Impact\n\nOpenAM Community Edition deployments through version 16.0.6 with the OAuth2 Provider service enabled in a realm are potentially affected, but the vulnerable read path is only reachable once an attacker can place attacker-controlled JSON into the shared CTS under an identifier they know. For example, an anonymous Push Notification SNS callback handler, reachable by any low-privileged user in a Push Notification-enabled realm after a single legitimate Push registration can trigger the exploit.\n\nIn any deployment where such a primitive exists, an attacker can forge OAuth2 bearer tokens with attacker-chosen userName, clientID, realm, and scope. The compromise does not by itself create an OpenAM SSO session or grant admin-console access.\n\n## Patch\n\nThis has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.",
"id": "GHSA-cj8f-2fhf-826r",
"modified": "2026-06-25T17:07:58Z",
"published": "2026-06-25T17:07:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-cj8f-2fhf-826r"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenIdentityPlatform/OpenAM"
},
{
"type": "WEB",
"url": "https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenAM Arbitrary OAuth Token Minting via Push Registration"
}
GHSA-CJHC-275V-R97H
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to access non-purchased course contents (quiz / test) via a modified id parameter.
{
"affected": [],
"aliases": [
"CVE-2018-16971"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-12T20:29:00Z",
"severity": "MODERATE"
},
"details": "Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to access non-purchased course contents (quiz / test) via a modified id parameter.",
"id": "GHSA-cjhc-275v-r97h",
"modified": "2022-05-13T01:19:19Z",
"published": "2022-05-13T01:19:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16971"
},
{
"type": "WEB",
"url": "https://blog.ziaurrashid.com/wisetail-learning-ecosystem-multiple-idor-vunlerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CMVG-6592-4MFP
Vulnerability from github – Published: 2024-11-13 06:30 – Updated: 2024-11-13 06:30The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstract_Permission' class due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugins REST routes.
{
"affected": [],
"aliases": [
"CVE-2024-10174"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-13T04:15:03Z",
"severity": "HIGH"
},
"details": "The WP Project Manager \u2013 Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the \u0027Abstract_Permission\u0027 class due to missing validation on the \u0027user_id\u0027 user controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugins REST routes.",
"id": "GHSA-cmvg-6592-4mfp",
"modified": "2024-11-13T06:30:29Z",
"published": "2024-11-13T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10174"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wedevs-project-manager/trunk/core/Permissions/Abstract_Permission.php#L32"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3185807/wedevs-project-manager/trunk/core/Permissions/Abstract_Permission.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dea2d045-d3b4-4b55-8b4f-5baa82a18834?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CP43-7GJW-VJ3H
Vulnerability from github – Published: 2023-01-03 00:30 – Updated: 2023-01-09 21:30The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 9.3.3 does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users
{
"affected": [],
"aliases": [
"CVE-2022-4417"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-02T22:15:00Z",
"severity": "MODERATE"
},
"details": "The WP Cerber Security, Anti-spam \u0026 Malware Scan WordPress plugin before 9.3.3 does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users",
"id": "GHSA-cp43-7gjw-vj3h",
"modified": "2023-01-09T21:30:21Z",
"published": "2023-01-03T00:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4417"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/a8c6b077-ff93-4c7b-970f-3be4d7971aa5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.