CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-M355-GFJX-99W5
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
{
"affected": [],
"aliases": [
"CVE-2021-41306"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-26T05:15:00Z",
"severity": "HIGH"
},
"details": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.",
"id": "GHSA-m355-gfjx-99w5",
"modified": "2022-05-24T19:18:52Z",
"published": "2022-05-24T19:18:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41306"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JRASERVER-72915"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M3G2-FXC2-5839
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-21 12:00The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
{
"affected": [],
"aliases": [
"CVE-2022-3282"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T12:15:00Z",
"severity": "MODERATE"
},
"details": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.",
"id": "GHSA-m3g2-fxc2-5839",
"modified": "2022-10-21T12:00:22Z",
"published": "2022-10-17T19:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3282"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M48W-79JH-F8W7
Vulnerability from github – Published: 2024-09-12 21:32 – Updated: 2024-09-13 18:31An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and increment STEP parameter, leading to the exposure of sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2024-25270"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-12T19:15:03Z",
"severity": "MODERATE"
},
"details": "An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and increment STEP parameter, leading to the exposure of sensitive user data.",
"id": "GHSA-m48w-79jh-f8w7",
"modified": "2024-09-13T18:31:45Z",
"published": "2024-09-12T21:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25270"
},
{
"type": "WEB",
"url": "https://github.com/fbkcs/CVE-2024-25270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M4JR-5R4G-W2VH
Vulnerability from github – Published: 2025-12-10 12:31 – Updated: 2025-12-10 12:31Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.
{
"affected": [],
"aliases": [
"CVE-2025-41358"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T12:16:21Z",
"severity": "HIGH"
},
"details": "Direct Object Reference Vulnerability (IDOR) in i2A\u0027s CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users\u0027 documents by manipulating the \u2018documentCode\u2019 parameter in \u0027/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas\u0027.",
"id": "GHSA-m4jr-5r4g-w2vh",
"modified": "2025-12-10T12:31:27Z",
"published": "2025-12-10T12:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41358"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/direct-reference-insecure-objects-idor-cronosweb-cronosweb-i2a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M4Q3-P5V6-4G9F
Vulnerability from github – Published: 2023-12-21 21:30 – Updated: 2026-04-28 21:33Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress.This issue affects Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress: from n/a through 1.2.2.
{
"affected": [],
"aliases": [
"CVE-2023-47191"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-21T19:15:11Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress.This issue affects Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress: from n/a through 1.2.2.",
"id": "GHSA-m4q3-p5v6-4g9f",
"modified": "2026-04-28T21:33:33Z",
"published": "2023-12-21T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47191"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/youzify/wordpress-youzify-plugin-1-2-2-insecure-direct-object-reference-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M535-FQ8F-38FP
Vulnerability from github – Published: 2023-05-02 09:30 – Updated: 2023-05-02 09:30The Ruby Help Desk WordPress plugin before 1.3.4 does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own.
{
"affected": [],
"aliases": [
"CVE-2023-1125"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-02T08:15:09Z",
"severity": null
},
"details": "The Ruby Help Desk WordPress plugin before 1.3.4 does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own.",
"id": "GHSA-m535-fq8f-38fp",
"modified": "2023-05-02T09:30:17Z",
"published": "2023-05-02T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1125"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/e8a4b6ab-47f8-495d-a22c-dcf914dfb58c"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M54M-46HR-W2R5
Vulnerability from github – Published: 2025-10-13 15:31 – Updated: 2026-06-05 12:31Authorization Bypass Through User-Controlled Key vulnerability in AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu allows Privilege Abuse.This issue affects QRMenu: from 1.05.12 before Version dated 05.09.2025.
{
"affected": [],
"aliases": [
"CVE-2025-9902"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-13T13:15:32Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu allows Privilege Abuse.This issue affects QRMenu: from 1.05.12 before Version dated 05.09.2025.",
"id": "GHSA-m54m-46hr-w2r5",
"modified": "2026-06-05T12:31:43Z",
"published": "2025-10-13T15:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9902"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0333"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0333"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M5FR-6XW2-7R7F
Vulnerability from github – Published: 2026-04-30 15:30 – Updated: 2026-06-06 09:31Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse.
This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.
{
"affected": [],
"aliases": [
"CVE-2026-7399"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T13:16:06Z",
"severity": "HIGH"
},
"details": "Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse.\n\nThis issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.",
"id": "GHSA-m5fr-6xw2-7r7f",
"modified": "2026-06-06T09:31:16Z",
"published": "2026-04-30T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7399"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0141"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M5FR-QM38-X8F3
Vulnerability from github – Published: 2026-07-10 12:31 – Updated: 2026-07-10 12:31R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file.
This issue was fixed in version v3.19-2862 and v3.17-2580.
{
"affected": [],
"aliases": [
"CVE-2026-41878"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T10:16:23Z",
"severity": "HIGH"
},
"details": "R-SOFT DMS is vulnerable to\u00a0Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file.\n\nThis issue was fixed in version v3.19-2862\u00a0and v3.17-2580.",
"id": "GHSA-m5fr-qm38-x8f3",
"modified": "2026-07-10T12:31:43Z",
"published": "2026-07-10T12:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41878"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/07/CVE-2026-41876"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M5HC-39FF-VM5G
Vulnerability from github – Published: 2023-06-09 06:30 – Updated: 2024-04-04 04:41The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, specifically the submitter's last name.
{
"affected": [],
"aliases": [
"CVE-2023-0691"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-09T06:15:50Z",
"severity": "MODERATE"
},
"details": "The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the \u0027mf_last_name\u0027 shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, specifically the submitter\u0027s last name.",
"id": "GHSA-m5hc-39ff-vm5g",
"modified": "2024-04-04T04:41:04Z",
"published": "2023-06-09T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0691"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2910040"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8fc4b815-dc05-4270-bf7a-3b01622739d7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.