CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-M5JH-XGPC-2H9R
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-21 00:00The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers.
{
"affected": [],
"aliases": [
"CVE-2022-2877"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T09:15:00Z",
"severity": "MODERATE"
},
"details": "The Titan Anti-spam \u0026 Security WordPress plugin before 7.3.1 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it\u0027s block feature by spoofing the headers.",
"id": "GHSA-m5jh-xgpc-2h9r",
"modified": "2022-09-21T00:00:46Z",
"published": "2022-09-17T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2877"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/f1af4267-3a43-4b88-a8b9-c1d5b2aa9d68"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M5PR-WM6Q-X4G2
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:44Comparison of Object References Instead of Object Contents in GitHub repository usememos/memos 0.9.0 and prior.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4812"
],
"database_specific": {
"cwe_ids": [
"CWE-595",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T22:11:56Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "Comparison of Object References Instead of Object Contents in GitHub repository usememos/memos 0.9.0 and prior.",
"id": "GHSA-m5pr-wm6q-x4g2",
"modified": "2023-01-10T15:44:18Z",
"published": "2022-12-28T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4812"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/33924891-5c36-4b46-b417-98eaab688c4c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos vulnerable to Comparison of Object References Instead of Object Contents"
}
GHSA-M5Q6-M3R3-F79R
Vulnerability from github – Published: 2025-12-30 12:30 – Updated: 2026-01-20 15:32Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through <= 2.10.3.
{
"affected": [],
"aliases": [
"CVE-2025-69030"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-30T11:16:01Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through \u003c= 2.10.3.",
"id": "GHSA-m5q6-m3r3-f79r",
"modified": "2026-01-20T15:32:46Z",
"published": "2025-12-30T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69030"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/backpacktraveler/vulnerability/wordpress-backpack-traveler-theme-2-10-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/backpacktraveler/vulnerability/wordpress-backpack-traveler-theme-2-10-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M5Q8-F47R-2WGP
Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 12:31CWE-639 Authorization Bypass Through User-Controlled Key
{
"affected": [],
"aliases": [
"CVE-2025-46386"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T11:15:27Z",
"severity": "HIGH"
},
"details": "CWE-639 Authorization Bypass Through User-Controlled Key",
"id": "GHSA-m5q8-f47r-2wgp",
"modified": "2025-08-06T12:31:20Z",
"published": "2025-08-06T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46386"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M63J-689W-3J35
Vulnerability from github – Published: 2026-03-25 21:08 – Updated: 2026-03-25 21:08Impact
An authenticated user with the global:member role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) belonging to other users on the same instance.
The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization.
Native integration credential types (e.g. slackApi, openAiApi, postgres) are not affected by this issue.
This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain.
Patches
The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict instance access to fully trusted users only.
- Audit credentials stored on the instance and rotate any generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) that may have been exposed.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.123.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.14.0"
},
{
"fixed": "2.14.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.14.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-rc.0"
},
{
"fixed": "2.13.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33663"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T21:08:33Z",
"nvd_published_at": "2026-03-25T18:16:32Z",
"severity": "HIGH"
},
"details": "## Impact\nAn authenticated user with the `global:member` role could exploit chained authorization flaws in n8n\u0027s credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance.\n\nThe attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user\u0027s credential ID and execute a workflow that decrypts and uses that credential without authorization.\n\nNative integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue.\n\nThis vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Restrict instance access to fully trusted users only.\n- Audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
"id": "GHSA-m63j-689w-3j35",
"modified": "2026-03-25T21:08:33Z",
"published": "2026-03-25T21:08:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33663"
},
{
"type": "PACKAGE",
"url": "https://github.com/n8n-io/n8n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition"
}
GHSA-M6FW-WP2G-JWWP
Vulnerability from github – Published: 2026-06-06 09:31 – Updated: 2026-06-06 09:31Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft OctoCloud allows Resource Leak Exposure.
This issue affects OctoCloud: from s1.09.02 before v1.11.01.
{
"affected": [],
"aliases": [
"CVE-2025-0640"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-02T12:15:35Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft OctoCloud allows Resource Leak Exposure.\n\nThis issue affects OctoCloud: from s1.09.02 before v1.11.01.",
"id": "GHSA-m6fw-wp2g-jwwp",
"modified": "2026-06-06T09:31:12Z",
"published": "2026-06-06T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0640"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0203"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0203"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M6JM-F5RM-2629
Vulnerability from github – Published: 2023-09-20 21:31 – Updated: 2024-04-04 07:46An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter.
{
"affected": [],
"aliases": [
"CVE-2023-42334"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-20T20:15:11Z",
"severity": "MODERATE"
},
"details": "An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter.",
"id": "GHSA-m6jm-f5rm-2629",
"modified": "2024-04-04T07:46:58Z",
"published": "2023-09-20T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42334"
},
{
"type": "WEB",
"url": "https://0xhunter20.medium.com/an-idor-lead-to-viewing-other-users-files-cve-2023-42334-702de328c453"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M6M3-75J4-96WF
Vulnerability from github – Published: 2026-04-03 21:31 – Updated: 2026-04-03 21:31A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.
{
"affected": [],
"aliases": [
"CVE-2026-25197"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T21:17:09Z",
"severity": "CRITICAL"
},
"details": "A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.",
"id": "GHSA-m6m3-75j4-96wf",
"modified": "2026-04-03T21:31:42Z",
"published": "2026-04-03T21:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25197"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json"
},
{
"type": "WEB",
"url": "https://mygardyn.com/security"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M6PW-38Q3-7WRW
Vulnerability from github – Published: 2022-09-01 00:00 – Updated: 2022-09-07 00:01Doctor's Appointment System1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. The settings.php is affected by Broken Access Control (IDOR) via id= parameter.
{
"affected": [],
"aliases": [
"CVE-2022-36202"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-31T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Doctor\u0027s Appointment System1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. The settings.php is affected by Broken Access Control (IDOR) via id= parameter.",
"id": "GHSA-m6pw-38q3-7wrw",
"modified": "2022-09-07T00:01:54Z",
"published": "2022-09-01T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36202"
},
{
"type": "WEB",
"url": "https://github.com/aznull/CVEs"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html"
},
{
"type": "WEB",
"url": "http://hshnudr.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M6QJ-3MPP-57V8
Vulnerability from github – Published: 2026-05-20 18:31 – Updated: 2026-06-26 09:30A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-9087"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T16:40:55Z",
"nvd_published_at": "2026-05-20T17:16:32Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,\nidpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim\u0027s local account.",
"id": "GHSA-m6qj-3mpp-57v8",
"modified": "2026-06-26T09:30:45Z",
"published": "2026-05-20T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/37dabf59d0b5ca3e5b3b272bcd3b2580e67b94dd"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9087"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480172"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/releases/tag/26.6.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.