CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3257 vulnerabilities reference this CWE, most recent first.
GHSA-F423-79C7-G4MQ
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attacker can manipulate the user data and then over-write another employee’s user data by specifying that employee’s ID in the API parameter.
{
"affected": [],
"aliases": [
"CVE-2021-37215"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-706"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-09T10:15:00Z",
"severity": "MODERATE"
},
"details": "The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attacker can manipulate the user data and then over-write another employee\u2019s user data by specifying that employee\u2019s ID in the API parameter.",
"id": "GHSA-f423-79c7-g4mq",
"modified": "2022-05-24T22:28:35Z",
"published": "2022-05-24T22:28:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37215"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4992-dac66-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F44W-WXHF-F354
Vulnerability from github – Published: 2024-01-29 15:30 – Updated: 2025-05-29 18:31The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request
{
"affected": [],
"aliases": [
"CVE-2023-7199"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-29T15:15:09Z",
"severity": "MODERATE"
},
"details": "The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request",
"id": "GHSA-f44w-wxhf-f354",
"modified": "2025-05-29T18:31:10Z",
"published": "2024-01-29T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7199"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/0c96a128-4473-41f5-82ce-94bba33ca4a3"
},
{
"type": "WEB",
"url": "https://www.relevanssi.com/release-notes/premium-2-25-free-4-22-release-notes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4FF-RC49-G8HC
Vulnerability from github – Published: 2023-04-16 00:30 – Updated: 2024-04-04 03:29An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals" feature.
{
"affected": [],
"aliases": [
"CVE-2018-17455"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-15T23:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the \"merge request approvals\" feature.",
"id": "GHSA-f4ff-rc49-g8hc",
"modified": "2024-04-04T03:29:30Z",
"published": "2023-04-16T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17455"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/blog/categories/releases"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4H3-QHG5-J6MQ
Vulnerability from github – Published: 2026-06-21 15:31 – Updated: 2026-06-21 15:31Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.
{
"affected": [],
"aliases": [
"CVE-2026-56385"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-21T14:16:26Z",
"severity": "MODERATE"
},
"details": "Craft CMS versions \u003e= 5.0.0-RC1, \u003c= 5.9.13 and \u003e= 4.0.0-RC1, \u003c= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.",
"id": "GHSA-f4h3-qhg5-j6mq",
"modified": "2026-06-21T15:31:24Z",
"published": "2026-06-21T15:31:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56385"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/craft-cms-authorization-bypass-in-assets-preview-file-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F4R5-Q63F-GCWW
Vulnerability from github – Published: 2023-09-06 13:49 – Updated: 2024-09-27 21:25Impact
A security issue was found in the Keylime registrar code which allows an attacker to effectively bypass the challenge-response protocol used to verify that an agent has indeed access to an AIK which in indeed related to the EK.
When an agent starts up, it will contact a registrar and provide a public EK and public AIK, in addition to the EK Certificate. This registrar will then challenge the agent to decrypt a challenge encrypted with the EK.
When receiving the wrong "auth_tag" back from the agent during activation, the registrar answers with an error message that contains the expected correct "auth_tag" (an HMAC which is calculated within the registrar for checking). An attacker could simply record the correct expected "auth_tag" from the HTTP error message and perform the activate call again with the correct expected "auth_tag" for the agent.
The security issue allows an attacker to pass the challenge-response protocol during registration with (almost) arbitrary registration data. In particular, the attacker can provide a valid EK Certificate and EK, which passes verification by the tenant (or registrar), while using a compromised AIK, which is stored unprotected outside the TPM and is unrelated to former two. The attacker then deliberately fails the initial activation call to get to know the correct "auth_tag" and then provides it in a subsequent activation call. This results in an agent which is (incorrectly) registered with a valid EK Certificate, but with a compromised/unrelated AIK.
Patches
Users should upgrade to release 7.5.0
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keylime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38201"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-06T13:49:43Z",
"nvd_published_at": "2023-08-25T17:15:08Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA security issue was found in the Keylime `registrar` code which allows an attacker to effectively bypass the challenge-response protocol used to verify that an `agent` has indeed access to an AIK which in indeed related to the EK.\n\nWhen an `agent` starts up, it will contact a `registrar` and provide a public EK and public AIK, in addition to the EK Certificate. This `registrar` will then challenge the `agent` to decrypt a challenge encrypted with the EK. \n\nWhen receiving the wrong \"auth_tag\" back from the `agent` during activation, the `registrar` answers with an error message that contains the expected correct \"auth_tag\" (an HMAC which is calculated within the `registrar` for checking). An attacker could simply record the correct expected \"auth_tag\" from the HTTP error message and perform the activate call again with the correct expected \"auth_tag\" for the `agent`.\n\nThe security issue allows an attacker to pass the challenge-response protocol during registration with (almost) arbitrary registration data. In particular, the attacker can provide a valid EK Certificate and EK, which passes verification by the `tenant` (or `registrar`), while using a compromised AIK, which is stored unprotected outside the TPM and is unrelated to former two. The attacker then deliberately fails the initial activation call to get to know the correct \"auth_tag\" and then provides it in a subsequent activation call. This results in an `agent` which is (incorrectly) registered with a valid EK Certificate, but with a compromised/unrelated AIK.\n\n### Patches\nUsers should upgrade to release 7.5.0",
"id": "GHSA-f4r5-q63f-gcww",
"modified": "2024-09-27T21:25:28Z",
"published": "2023-09-06T13:49:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keylime/keylime/security/advisories/GHSA-f4r5-q63f-gcww"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38201"
},
{
"type": "WEB",
"url": "https://github.com/keylime/keylime/commit/9e5ac9f25cd400b16d5969f531cee28290543f2a"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5080"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-38201"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222693"
},
{
"type": "PACKAGE",
"url": "https://github.com/keylime/keylime"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-160.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIZZB5NHNCS5D2AEH3ZAO6OQC72IK7WS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Keylime registrar and (untrusted) Agent can be bypassed by an attacker"
}
GHSA-F5FM-9JMP-C88R
Vulnerability from github – Published: 2026-04-28 00:31 – Updated: 2026-05-06 19:03Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-fh32-73r9-rgh5. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T19:03:41Z",
"nvd_published_at": "2026-04-28T00:16:26Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-fh32-73r9-rgh5. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state.",
"id": "GHSA-f5fm-9jmp-c88r",
"modified": "2026-05-06T19:03:41Z",
"published": "2026-04-28T00:31:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41372"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections",
"withdrawn": "2026-05-06T19:03:41Z"
}
GHSA-F5HM-5M7C-GMR8
Vulnerability from github – Published: 2024-06-19 06:30 – Updated: 2026-04-08 18:33The Replace Image plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.10 via the image replacement functionality due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace images uploaded by higher level users such as admins.
{
"affected": [],
"aliases": [
"CVE-2024-4873"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T04:15:12Z",
"severity": "MODERATE"
},
"details": "The Replace Image plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.10 via the image replacement functionality due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace images uploaded by higher level users such as admins.",
"id": "GHSA-f5hm-5m7c-gmr8",
"modified": "2026-04-08T18:33:25Z",
"published": "2024-06-19T06:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4873"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3117484%40replace-image\u0026new=3117484%40replace-image\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/replace-image"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a5d3a62-f7e5-4776-bed9-7ff3f81da452?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F5VG-28W4-XMM6
Vulnerability from github – Published: 2023-05-24 15:30 – Updated: 2024-04-04 04:19Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass.This issue affects Cargo Tracking System: before 3558f28 .
{
"affected": [],
"aliases": [
"CVE-2023-2065"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-24T13:15:09Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass.This issue affects Cargo Tracking System: before 3558f28 .\n\n",
"id": "GHSA-f5vg-28w4-xmm6",
"modified": "2024-04-04T04:19:35Z",
"published": "2023-05-24T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2065"
},
{
"type": "WEB",
"url": "https://https://www.usom.gov.tr/bildirim/tr-23-0287"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F5WM-MX85-P6X2
Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2025-08-22 18:31An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL.
{
"affected": [],
"aliases": [
"CVE-2025-55621"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-22T17:15:33Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users\u0027 profile photos via a crafted URL.",
"id": "GHSA-f5wm-mx85-p6x2",
"modified": "2025-08-22T18:31:24Z",
"published": "2025-08-22T18:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55621"
},
{
"type": "WEB",
"url": "https://relieved-knuckle-264.notion.site/Reolink-Download-a-profile-due-to-IDOR-21a43700364280ef9fc1ffb9c484a03e?source=copy_link"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F5X4-57Q2-55JV
Vulnerability from github – Published: 2026-06-26 15:32 – Updated: 2026-06-26 15:32Unauthenticated Sensitive Data Exposure in Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 versions.
{
"affected": [],
"aliases": [
"CVE-2026-54839"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T15:16:41Z",
"severity": "HIGH"
},
"details": "Unauthenticated Sensitive Data Exposure in Trinity Backup \u0026#8211; Backup, Migrate, Restore, Clone \u0026amp; Schedule Backups \u003c= 2.0.9 versions.",
"id": "GHSA-f5x4-57q2-55jv",
"modified": "2026-06-26T15:32:15Z",
"published": "2026-06-26T15:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54839"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/trinity-backup/vulnerability/wordpress-trinity-backup-backup-migrate-restore-clone-schedule-backups-plugin-2-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.