Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3257 vulnerabilities reference this CWE, most recent first.

GHSA-JRW3-H5Q4-RWXC

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application.

This issue was fixed in OutSystems Lifetime version 11.28.2.3955

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-25T11:16:17Z",
    "severity": "MODERATE"
  },
  "details": "OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can\u00a0read the Change Log containing actions performed by other users as well as application name of any application.\n\nThis issue was fixed in OutSystems Lifetime version\u00a011.28.2.3955",
  "id": "GHSA-jrw3-h5q4-rwxc",
  "modified": "2026-05-26T13:30:41Z",
  "published": "2026-05-26T13:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40127"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/05/CVE-2026-40126"
    },
    {
      "type": "WEB",
      "url": "https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953\u0026MajorVersion=11\u0026ComponentName=LifeTime"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JRWJ-FW3W-P28M

Vulnerability from github – Published: 2023-10-05 03:31 – Updated: 2024-04-04 08:19
VLAI
Details

An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-05T01:15:10Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM.",
  "id": "GHSA-jrwj-fw3w-p28m",
  "modified": "2024-04-04T08:19:06Z",
  "published": "2023-10-05T03:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26237"
    },
    {
      "type": "WEB",
      "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2023-00005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JV3F-QWF9-WVQ9

Vulnerability from github – Published: 2026-05-18 15:30 – Updated: 2026-06-22 18:34
VLAI
Details

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-18T15:16:26Z",
    "severity": "HIGH"
  },
  "details": "Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file\u0027s UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.",
  "id": "GHSA-jv3f-qwf9-wvq9",
  "modified": "2026-06-22T18:34:00Z",
  "published": "2026-05-18T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41949"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langgenius/dify/pull/35797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langgenius/dify/commit/432a6412a3fdb30ce48003d699b90cc7d890df20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langgenius/dify/releases/tag/1.14.2"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/d50a0240-7951-4939-b989-9bded66c7682"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-preview-endpoint"
    },
    {
      "type": "WEB",
      "url": "https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JVGV-XRF5-MP7H

Vulnerability from github – Published: 2026-07-14 12:31 – Updated: 2026-07-14 12:31
VLAI
Details

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T12:17:14Z",
    "severity": "MODERATE"
  },
  "details": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the \u0027save_lesson_note\u0027, \u0027get_lesson_note\u0027, and \u0027complete_lesson_video\u0027 AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.",
  "id": "GHSA-jvgv-xrf5-mp7h",
  "modified": "2026-07-14T12:31:16Z",
  "published": "2026-07-14T12:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9341"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L253"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L258"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L300"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/classes/abstract-ajax-handler.php#L46"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3573111"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e9b094a-29ba-4be3-9033-fd915fae1820?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVQ8-W7QV-HQP6

Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:46
VLAI
Summary
usememos/memos Improper Authentication vulnerability
Details

usememos/memos 0.9.0 and prior is vulnerable to Improper Authentication.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T19:57:32Z",
    "nvd_published_at": "2022-12-28T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "usememos/memos 0.9.0 and prior is vulnerable to Improper Authentication.",
  "id": "GHSA-jvq8-w7qv-hqp6",
  "modified": "2023-01-10T15:46:13Z",
  "published": "2022-12-28T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4799"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/c5d70f9d-b7a7-4418-9368-4566a8143e79"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "usememos/memos Improper Authentication vulnerability"
}

GHSA-JW8W-84X3-C2R9

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. This issue occurs because the endpoint does not verify whether the provided prompt ID belongs to the current user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users\u0027 prompts via the groupid parameter. This issue occurs because the endpoint does not verify whether the provided prompt ID belongs to the current user.",
  "id": "GHSA-jw8w-84x3-c2r9",
  "modified": "2025-03-20T12:32:41Z",
  "published": "2025-03-20T12:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11167"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danny-avila/librechat/commit/5071bdbf9ac621165f0e8d009818851f3951eee7"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/298f5760-5797-4432-8b9e-544609d612c0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXF7-5G54-5CP4

Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2024-04-04 05:40
VLAI
Details

EasyTor Applications – Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-08T21:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "\n EasyTor Applications \u2013 Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method.\n\n\n\n\n",
  "id": "GHSA-jxf7-5g54-5cp4",
  "modified": "2024-04-04T05:40:44Z",
  "published": "2023-07-06T21:14:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31182"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXF8-G6GQ-M62F

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6641"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-02T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters.",
  "id": "GHSA-jxf8-g6gq-m62f",
  "modified": "2022-05-24T19:03:54Z",
  "published": "2022-05-24T19:03:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6641"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-19-258"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXM3-PMM2-9GF6

Vulnerability from github – Published: 2026-03-03 21:05 – Updated: 2026-03-04 18:39
VLAI
Summary
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
Details

Description

The "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request.

Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.

Proof of Concept

Prerequisites

  • A user with "View Entries" permission on any section.

Steps to Reproduce

  1. Log in as a user with minimal permissions ("View Entries").
  2. Identify the target Entry ID (e.g., via brute-force 1 to N).
  3. Send the following cURL request:

    Replace craft.local, <Cookie>, <CSRF> and 6393 (which is the entry ID): bash curl --path-as-is -i -s -k -X $'POST' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json' -H $'Content-Type: application/json' -H $'X-CSRF-Token: <CSRF>' -H $'Content-Length: 216' -b $'<Cookie>' --data-binary $'{\"context\":\"index\",\"elementType\":\"craft\\\\elements\\\\Entry\",\"source\":\"section:17da21e5-0cfe-41f5-8cd2-450a94f7989c\",\"viewState\":{\"static\":true},\"elementAction\":\"craft\\\\elements\\\\actions\\\\Duplicate\",\"elementIds\":[6393]}' $'http://craft.local/index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action'

  4. Observe that a new entry is created with the attacker as the owner, granting full access to the content.

Resources

https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:05:12Z",
    "nvd_published_at": "2026-03-04T17:16:21Z",
    "severity": "MODERATE"
  },
  "details": "## Description\nThe \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements.\nEven with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request.\n\nFurthermore, this vulnerability allows duplicating **other users\u0027 entries** by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.\n\n## Proof of Concept\n### Prerequisites\n- A user with \"View Entries\" permission on any section.\n\n### Steps to Reproduce\n1. Log in as a user with minimal permissions (\"View Entries\").\n1. Identify the target Entry ID (e.g., via brute-force `1` to `N`).\n1. Send the following cURL request:\n   \u003e Replace `craft.local`, `\u003cCookie\u003e`, `\u003cCSRF\u003e` and `6393` (which is the entry ID):\n   ```bash\n   curl --path-as-is -i -s -k -X $\u0027POST\u0027 -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0\u0027 -H $\u0027Accept: application/json\u0027 -H $\u0027Content-Type: application/json\u0027 -H $\u0027X-CSRF-Token: \u003cCSRF\u003e\u0027 -H $\u0027Content-Length: 216\u0027 -b $\u0027\u003cCookie\u003e\u0027 --data-binary $\u0027{\\\"context\\\":\\\"index\\\",\\\"elementType\\\":\\\"craft\\\\\\\\elements\\\\\\\\Entry\\\",\\\"source\\\":\\\"section:17da21e5-0cfe-41f5-8cd2-450a94f7989c\\\",\\\"viewState\\\":{\\\"static\\\":true},\\\"elementAction\\\":\\\"craft\\\\\\\\elements\\\\\\\\actions\\\\\\\\Duplicate\\\",\\\"elementIds\\\":[6393]}\u0027 $\u0027http://craft.local/index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action\u0027\n   ```\n1. Observe that a new entry is created with the attacker as the owner, granting full access to the content.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d",
  "id": "GHSA-jxm3-pmm2-9gf6",
  "modified": "2026-03-04T18:39:08Z",
  "published": "2026-03-03T21:05:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action"
}

GHSA-JXPJ-9J24-W337

Vulnerability from github – Published: 2026-07-13 16:47 – Updated: 2026-07-13 16:47
VLAI
Summary
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center
Details

Summary

Apollo Portal versions before 2.5.0 do not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId}.

When configView.memberOnly.envs is enabled for the requested environment, a low-privileged Portal user can supply a valid release ID belonging to an application or namespace they are not authorized to view. The endpoint returns the release data without calling UserPermissionValidator.shouldHideConfigToCurrentUser(...).

Impact

An authenticated attacker who obtains or guesses a valid release ID can read configuration data from other applications and namespaces. Exposed configuration may contain sensitive values such as credentials or service endpoints. The issue does not allow configuration modification and does not directly affect availability.

Affected versions

Apollo Portal versions earlier than 2.5.0 are affected when configView.memberOnly.envs is enabled.

Patches

The issue is fixed in Apollo 2.5.0. The fix adds the missing application and namespace permission check before returning release data.

  • Fix: https://github.com/apolloconfig/apollo/pull/5378
  • Fix commit: https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291
  • Patched release: https://github.com/apolloconfig/apollo/releases/tag/v2.5.0

Workarounds

Upgrade to Apollo 2.5.0 or later. If an immediate upgrade is not possible, backport the permission check from PR #5378 and restrict Apollo Portal access to trusted users until the fix is deployed.

Credits

Apollo Portal thanks @lesignals for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.ctrip.framework.apollo:apollo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-13T16:47:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nApollo Portal versions before 2.5.0 do not verify application and namespace permissions when an authenticated user requests a release by ID through `GET /envs/{env}/releases/{releaseId}`.\n\nWhen `configView.memberOnly.envs` is enabled for the requested environment, a low-privileged Portal user can supply a valid release ID belonging to an application or namespace they are not authorized to view. The endpoint returns the release data without calling `UserPermissionValidator.shouldHideConfigToCurrentUser(...)`.\n\n### Impact\n\nAn authenticated attacker who obtains or guesses a valid release ID can read configuration data from other applications and namespaces. Exposed configuration may contain sensitive values such as credentials or service endpoints. The issue does not allow configuration modification and does not directly affect availability.\n\n### Affected versions\n\nApollo Portal versions earlier than 2.5.0 are affected when `configView.memberOnly.envs` is enabled.\n\n### Patches\n\nThe issue is fixed in Apollo 2.5.0. The fix adds the missing application and namespace permission check before returning release data.\n\n- Fix: https://github.com/apolloconfig/apollo/pull/5378\n- Fix commit: https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291\n- Patched release: https://github.com/apolloconfig/apollo/releases/tag/v2.5.0\n\n### Workarounds\n\nUpgrade to Apollo 2.5.0 or later. If an immediate upgrade is not possible, backport the permission check from [PR #5378](https://github.com/apolloconfig/apollo/pull/5378) and restrict Apollo Portal access to trusted users until the fix is deployed.\n\n### Credits\n\nApollo Portal thanks [@lesignals](https://github.com/lesignals) for reporting this issue.",
  "id": "GHSA-jxpj-9j24-w337",
  "modified": "2026-07-13T16:47:09Z",
  "published": "2026-07-13T16:47:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apolloconfig/apollo/security/advisories/GHSA-jxpj-9j24-w337"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apolloconfig/apollo/pull/5378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apolloconfig/apollo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apolloconfig/apollo/releases/tag/v2.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.