CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3257 vulnerabilities reference this CWE, most recent first.
GHSA-JRW3-H5Q4-RWXC
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application.
This issue was fixed in OutSystems Lifetime version 11.28.2.3955
{
"affected": [],
"aliases": [
"CVE-2026-40127"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-25T11:16:17Z",
"severity": "MODERATE"
},
"details": "OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can\u00a0read the Change Log containing actions performed by other users as well as application name of any application.\n\nThis issue was fixed in OutSystems Lifetime version\u00a011.28.2.3955",
"id": "GHSA-jrw3-h5q4-rwxc",
"modified": "2026-05-26T13:30:41Z",
"published": "2026-05-26T13:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40127"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2026/05/CVE-2026-40126"
},
{
"type": "WEB",
"url": "https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953\u0026MajorVersion=11\u0026ComponentName=LifeTime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JRWJ-FW3W-P28M
Vulnerability from github – Published: 2023-10-05 03:31 – Updated: 2024-04-04 08:19An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM.
{
"affected": [],
"aliases": [
"CVE-2023-26237"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-05T01:15:10Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM.",
"id": "GHSA-jrwj-fw3w-p28m",
"modified": "2024-04-04T08:19:06Z",
"published": "2023-10-05T03:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26237"
},
{
"type": "WEB",
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2023-00005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JV3F-QWF9-WVQ9
Vulnerability from github – Published: 2026-05-18 15:30 – Updated: 2026-06-22 18:34Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.
{
"affected": [],
"aliases": [
"CVE-2026-41949"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-18T15:16:26Z",
"severity": "HIGH"
},
"details": "Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file\u0027s UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.",
"id": "GHSA-jv3f-qwf9-wvq9",
"modified": "2026-06-22T18:34:00Z",
"published": "2026-05-18T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41949"
},
{
"type": "WEB",
"url": "https://github.com/langgenius/dify/pull/35797"
},
{
"type": "WEB",
"url": "https://github.com/langgenius/dify/commit/432a6412a3fdb30ce48003d699b90cc7d890df20"
},
{
"type": "WEB",
"url": "https://github.com/langgenius/dify/releases/tag/1.14.2"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/d50a0240-7951-4939-b989-9bded66c7682"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-preview-endpoint"
},
{
"type": "WEB",
"url": "https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JVGV-XRF5-MP7H
Vulnerability from github – Published: 2026-07-14 12:31 – Updated: 2026-07-14 12:31The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.
{
"affected": [],
"aliases": [
"CVE-2026-9341"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T12:17:14Z",
"severity": "MODERATE"
},
"details": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the \u0027save_lesson_note\u0027, \u0027get_lesson_note\u0027, and \u0027complete_lesson_video\u0027 AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.",
"id": "GHSA-jvgv-xrf5-mp7h",
"modified": "2026-07-14T12:31:16Z",
"published": "2026-07-14T12:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9341"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L253"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L258"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/ajax/lesson.php#L300"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.7.4/includes/classes/abstract-ajax-handler.php#L46"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3573111"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e9b094a-29ba-4be3-9033-fd915fae1820?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JVQ8-W7QV-HQP6
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:46usememos/memos 0.9.0 and prior is vulnerable to Improper Authentication.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4799"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T19:57:32Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "usememos/memos 0.9.0 and prior is vulnerable to Improper Authentication.",
"id": "GHSA-jvq8-w7qv-hqp6",
"modified": "2023-01-10T15:46:13Z",
"published": "2022-12-28T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4799"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/c5d70f9d-b7a7-4418-9368-4566a8143e79"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos Improper Authentication vulnerability"
}
GHSA-JW8W-84X3-C2R9
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. This issue occurs because the endpoint does not verify whether the provided prompt ID belongs to the current user.
{
"affected": [],
"aliases": [
"CVE-2024-11167"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:24Z",
"severity": "CRITICAL"
},
"details": "An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users\u0027 prompts via the groupid parameter. This issue occurs because the endpoint does not verify whether the provided prompt ID belongs to the current user.",
"id": "GHSA-jw8w-84x3-c2r9",
"modified": "2025-03-20T12:32:41Z",
"published": "2025-03-20T12:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11167"
},
{
"type": "WEB",
"url": "https://github.com/danny-avila/librechat/commit/5071bdbf9ac621165f0e8d009818851f3951eee7"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/298f5760-5797-4432-8b9e-544609d612c0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JXF7-5G54-5CP4
Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2024-04-04 05:40EasyTor Applications – Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method.
{
"affected": [],
"aliases": [
"CVE-2023-31182"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-08T21:15:12Z",
"severity": "CRITICAL"
},
"details": "\n EasyTor Applications \u2013 Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method.\n\n\n\n\n",
"id": "GHSA-jxf7-5g54-5cp4",
"modified": "2024-04-04T05:40:44Z",
"published": "2023-07-06T21:14:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31182"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXF8-G6GQ-M62F
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters.
{
"affected": [],
"aliases": [
"CVE-2020-6641"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-02T11:15:00Z",
"severity": "MODERATE"
},
"details": "Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters.",
"id": "GHSA-jxf8-g6gq-m62f",
"modified": "2022-05-24T19:03:54Z",
"published": "2022-05-24T19:03:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6641"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-19-258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXM3-PMM2-9GF6
Vulnerability from github – Published: 2026-03-03 21:05 – Updated: 2026-03-04 18:39Description
The "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request.
Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.
Proof of Concept
Prerequisites
- A user with "View Entries" permission on any section.
Steps to Reproduce
- Log in as a user with minimal permissions ("View Entries").
- Identify the target Entry ID (e.g., via brute-force
1toN). - Send the following cURL request:
Replace
craft.local,<Cookie>,<CSRF>and6393(which is the entry ID):bash curl --path-as-is -i -s -k -X $'POST' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json' -H $'Content-Type: application/json' -H $'X-CSRF-Token: <CSRF>' -H $'Content-Length: 216' -b $'<Cookie>' --data-binary $'{\"context\":\"index\",\"elementType\":\"craft\\\\elements\\\\Entry\",\"source\":\"section:17da21e5-0cfe-41f5-8cd2-450a94f7989c\",\"viewState\":{\"static\":true},\"elementAction\":\"craft\\\\elements\\\\actions\\\\Duplicate\",\"elementIds\":[6393]}' $'http://craft.local/index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action' - Observe that a new entry is created with the attacker as the owner, granting full access to the content.
Resources
https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.9.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.17.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28782"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:05:12Z",
"nvd_published_at": "2026-03-04T17:16:21Z",
"severity": "MODERATE"
},
"details": "## Description\nThe \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements.\nEven with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request.\n\nFurthermore, this vulnerability allows duplicating **other users\u0027 entries** by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.\n\n## Proof of Concept\n### Prerequisites\n- A user with \"View Entries\" permission on any section.\n\n### Steps to Reproduce\n1. Log in as a user with minimal permissions (\"View Entries\").\n1. Identify the target Entry ID (e.g., via brute-force `1` to `N`).\n1. Send the following cURL request:\n \u003e Replace `craft.local`, `\u003cCookie\u003e`, `\u003cCSRF\u003e` and `6393` (which is the entry ID):\n ```bash\n curl --path-as-is -i -s -k -X $\u0027POST\u0027 -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0\u0027 -H $\u0027Accept: application/json\u0027 -H $\u0027Content-Type: application/json\u0027 -H $\u0027X-CSRF-Token: \u003cCSRF\u003e\u0027 -H $\u0027Content-Length: 216\u0027 -b $\u0027\u003cCookie\u003e\u0027 --data-binary $\u0027{\\\"context\\\":\\\"index\\\",\\\"elementType\\\":\\\"craft\\\\\\\\elements\\\\\\\\Entry\\\",\\\"source\\\":\\\"section:17da21e5-0cfe-41f5-8cd2-450a94f7989c\\\",\\\"viewState\\\":{\\\"static\\\":true},\\\"elementAction\\\":\\\"craft\\\\\\\\elements\\\\\\\\actions\\\\\\\\Duplicate\\\",\\\"elementIds\\\":[6393]}\u0027 $\u0027http://craft.local/index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action\u0027\n ```\n1. Observe that a new entry is created with the attacker as the owner, granting full access to the content.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d",
"id": "GHSA-jxm3-pmm2-9gf6",
"modified": "2026-03-04T18:39:08Z",
"published": "2026-03-03T21:05:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action"
}
GHSA-JXPJ-9J24-W337
Vulnerability from github – Published: 2026-07-13 16:47 – Updated: 2026-07-13 16:47Summary
Apollo Portal versions before 2.5.0 do not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId}.
When configView.memberOnly.envs is enabled for the requested environment, a low-privileged Portal user can supply a valid release ID belonging to an application or namespace they are not authorized to view. The endpoint returns the release data without calling UserPermissionValidator.shouldHideConfigToCurrentUser(...).
Impact
An authenticated attacker who obtains or guesses a valid release ID can read configuration data from other applications and namespaces. Exposed configuration may contain sensitive values such as credentials or service endpoints. The issue does not allow configuration modification and does not directly affect availability.
Affected versions
Apollo Portal versions earlier than 2.5.0 are affected when configView.memberOnly.envs is enabled.
Patches
The issue is fixed in Apollo 2.5.0. The fix adds the missing application and namespace permission check before returning release data.
- Fix: https://github.com/apolloconfig/apollo/pull/5378
- Fix commit: https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291
- Patched release: https://github.com/apolloconfig/apollo/releases/tag/v2.5.0
Workarounds
Upgrade to Apollo 2.5.0 or later. If an immediate upgrade is not possible, backport the permission check from PR #5378 and restrict Apollo Portal access to trusted users until the fix is deployed.
Credits
Apollo Portal thanks @lesignals for reporting this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.5.0"
},
"package": {
"ecosystem": "Maven",
"name": "com.ctrip.framework.apollo:apollo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32781"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-13T16:47:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nApollo Portal versions before 2.5.0 do not verify application and namespace permissions when an authenticated user requests a release by ID through `GET /envs/{env}/releases/{releaseId}`.\n\nWhen `configView.memberOnly.envs` is enabled for the requested environment, a low-privileged Portal user can supply a valid release ID belonging to an application or namespace they are not authorized to view. The endpoint returns the release data without calling `UserPermissionValidator.shouldHideConfigToCurrentUser(...)`.\n\n### Impact\n\nAn authenticated attacker who obtains or guesses a valid release ID can read configuration data from other applications and namespaces. Exposed configuration may contain sensitive values such as credentials or service endpoints. The issue does not allow configuration modification and does not directly affect availability.\n\n### Affected versions\n\nApollo Portal versions earlier than 2.5.0 are affected when `configView.memberOnly.envs` is enabled.\n\n### Patches\n\nThe issue is fixed in Apollo 2.5.0. The fix adds the missing application and namespace permission check before returning release data.\n\n- Fix: https://github.com/apolloconfig/apollo/pull/5378\n- Fix commit: https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291\n- Patched release: https://github.com/apolloconfig/apollo/releases/tag/v2.5.0\n\n### Workarounds\n\nUpgrade to Apollo 2.5.0 or later. If an immediate upgrade is not possible, backport the permission check from [PR #5378](https://github.com/apolloconfig/apollo/pull/5378) and restrict Apollo Portal access to trusted users until the fix is deployed.\n\n### Credits\n\nApollo Portal thanks [@lesignals](https://github.com/lesignals) for reporting this issue.",
"id": "GHSA-jxpj-9j24-w337",
"modified": "2026-07-13T16:47:09Z",
"published": "2026-07-13T16:47:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apolloconfig/apollo/security/advisories/GHSA-jxpj-9j24-w337"
},
{
"type": "WEB",
"url": "https://github.com/apolloconfig/apollo/pull/5378"
},
{
"type": "WEB",
"url": "https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291"
},
{
"type": "PACKAGE",
"url": "https://github.com/apolloconfig/apollo"
},
{
"type": "WEB",
"url": "https://github.com/apolloconfig/apollo/releases/tag/v2.5.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.