Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3238 vulnerabilities reference this CWE, most recent first.

CVE-2026-40043 (GCVE-0-2026-40043)

Vulnerability from cvelistv5 – Published: 2026-04-13 18:11 – Updated: 2026-04-13 20:49
VLAI
Title
Pachno 1.0.6 Authentication Bypass via runSwitchUser()
Summary
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
pancho Pachno Affected: 1.0.6
Create a notification for this product.
Date Public
2026-04-12 00:00
Credits
LiquidWorm as Gjoko Krstic of Zero Science Lab
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40043",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T20:49:56.370304Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T20:49:59.051Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://www.zeroscience.mk/#/advisories/ZSL-2026-5985"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pachno",
          "vendor": "pancho",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.6"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:pachno:pachno:1.0.6:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
        }
      ],
      "datePublic": "2026-04-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T18:11:00.288Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Zero Science Lab Disclosure",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5985.php"
        },
        {
          "name": "VulnCheck Advisory: Pachno 1.0.6 Authentication Bypass via runSwitchUser()",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/pachno-authentication-bypass-via-runswitchuser"
        }
      ],
      "title": "Pachno 1.0.6 Authentication Bypass via runSwitchUser()",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-40043",
    "datePublished": "2026-04-13T18:11:00.288Z",
    "dateReserved": "2026-04-08T13:39:22.100Z",
    "dateUpdated": "2026-04-13T20:49:59.051Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39968 (GCVE-0-2026-39968)

Vulnerability from cvelistv5 – Published: 2026-05-22 18:26 – Updated: 2026-05-26 13:08
VLAI
Title
TypeBot: Cross-Workspace Credential Theft via Bot-Engine Preview Endpoint
Summary
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine's getCredentials() utility function uses a falsy check (if (workspaceId && ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: "" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Control
  • CWE-522 - Insufficiently Protected Credentials
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
baptisteArno typebot.io Affected: < 3.16.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39968",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T13:08:55.483789Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T13:08:58.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-cq66-9cwr-x8jr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "typebot.io",
          "vendor": "baptisteArno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.16.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 (\"Credential Theft via Client-Side Script Execution and API Authorization Bypass\") is incomplete. While the builder\u0027s getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine\u0027s getCredentials() utility function uses a falsy check (if (workspaceId \u0026\u0026 ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: \"\" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T18:26:55.446Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-cq66-9cwr-x8jr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-cq66-9cwr-x8jr"
        },
        {
          "name": "https://github.com/baptisteArno/typebot.io/commit/d96f572e6099c5f622c05ba7b8634e6477dcf052",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/commit/d96f572e6099c5f622c05ba7b8634e6477dcf052"
        },
        {
          "name": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0"
        }
      ],
      "source": {
        "advisory": "GHSA-cq66-9cwr-x8jr",
        "discovery": "UNKNOWN"
      },
      "title": "TypeBot: Cross-Workspace Credential Theft via Bot-Engine Preview Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39968",
    "datePublished": "2026-05-22T18:26:55.446Z",
    "dateReserved": "2026-04-08T00:01:47.627Z",
    "dateUpdated": "2026-05-26T13:08:58.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39967 (GCVE-0-2026-39967)

Vulnerability from cvelistv5 – Published: 2026-05-22 18:36 – Updated: 2026-05-26 19:05
VLAI
Title
TypeBot: Cross-Typebot Result Data Access via Missing typebotId Filter
Summary
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2's cryptographically random 24-character IDs (making brute-force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user's previous answers, session variable values, and hasStarted flag, potentially exposing PII like names, emails, and phone numbers. This issue has been fixed in version 3.16.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
baptisteArno typebot.io Affected: < 3.16.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39967",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T19:05:13.766138Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T19:05:32.122Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-f475-7m4x-m6mx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "typebot.io",
          "vendor": "baptisteArno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.16.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine\u0027s the findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2\u0027s cryptographically random 24-character IDs (making brute-force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user\u0027s previous answers, session variable values, and hasStarted flag, potentially exposing PII like names, emails, and phone numbers. This issue has been fixed in version 3.16.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T18:36:23.724Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-f475-7m4x-m6mx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-f475-7m4x-m6mx"
        },
        {
          "name": "https://github.com/baptisteArno/typebot.io/commit/73162634e6bdebd37a1a571db4062d30854e0400",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/commit/73162634e6bdebd37a1a571db4062d30854e0400"
        },
        {
          "name": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f475-7m4x-m6mx",
        "discovery": "UNKNOWN"
      },
      "title": "TypeBot: Cross-Typebot Result Data Access via Missing typebotId Filter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39967",
    "datePublished": "2026-05-22T18:36:23.724Z",
    "dateReserved": "2026-04-08T00:01:47.627Z",
    "dateUpdated": "2026-05-26T19:05:32.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39942 (GCVE-0-2026-39942)

Vulnerability from cvelistv5 – Published: 2026-04-09 16:07 – Updated: 2026-04-09 19:37
VLAI
Title
Directus has a Path Traversal and Broken Access Control in File Management API
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Control
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
directus directus Affected: < 11.17.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39942",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T17:47:33.268680Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T19:37:24.389Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user\u0027s file, an attacker can overwrite that file\u0027s content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T16:07:54.100Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.17.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.17.0"
        }
      ],
      "source": {
        "advisory": "GHSA-393c-p46r-7c95",
        "discovery": "UNKNOWN"
      },
      "title": "Directus has a Path Traversal and Broken Access Control in File Management API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39942",
    "datePublished": "2026-04-09T16:07:54.100Z",
    "dateReserved": "2026-04-07T22:40:33.820Z",
    "dateUpdated": "2026-04-09T19:37:24.389Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39616 (GCVE-0-2026-39616)

Vulnerability from cvelistv5 – Published: 2026-04-08 08:30 – Updated: 2026-04-29 09:52
VLAI
Title
WordPress Download Attachments plugin <= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
dFactory Download Attachments Affected: 0 , ≤ 1.4.0 (custom)
Create a notification for this product.
Date Public
2026-04-08 10:28
Credits
Jakub Herman | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39616",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T14:04:33.745143Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T14:05:43.461Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "download-attachments",
          "product": "Download Attachments",
          "vendor": "dFactory",
          "versions": [
            {
              "lessThanOrEqual": "1.4.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jakub Herman | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-08T10:28:37.746Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Download Attachments: from n/a through \u003c= 1.4.0.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through \u003c= 1.4.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T09:52:02.578Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Download Attachments plugin \u003c= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-39616",
    "datePublished": "2026-04-08T08:30:25.169Z",
    "dateReserved": "2026-04-07T10:57:27.974Z",
    "dateUpdated": "2026-04-29T09:52:02.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39526 (GCVE-0-2026-39526)

Vulnerability from cvelistv5 – Published: 2026-04-08 08:30 – Updated: 2026-04-29 09:52
VLAI
Title
WordPress WpStream plugin < 4.11.2 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
wpstream WpStream Affected: 0 , ≤ 4.11.2 (custom)
Create a notification for this product.
Date Public
2026-04-08 10:29
Credits
Muhammad Sharief | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39526",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T14:48:41.322070Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T14:49:04.879Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wpstream",
          "product": "WpStream",
          "vendor": "wpstream",
          "versions": [
            {
              "changes": [
                {
                  "at": "4.11.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.11.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Sharief | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-08T10:29:00.627Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WpStream: from n/a through \u003c 4.11.2.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through \u003c 4.11.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T09:52:01.932Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-11-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress WpStream plugin \u003c 4.11.2 - Insecure Direct Object References (IDOR) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-39526",
    "datePublished": "2026-04-08T08:30:16.335Z",
    "dateReserved": "2026-04-07T10:48:09.605Z",
    "dateUpdated": "2026-04-29T09:52:01.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39518 (GCVE-0-2026-39518)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:18 – Updated: 2026-06-16 17:11
VLAI
Title
WordPress EventPrime plugin <= 4.3.0.0 - Insecure Direct Object References (IDOR) vulnerability
Summary
Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
EventPrime EventPrime Affected: n/a , ≤ 4.3.0.0 (custom)
Create a notification for this product.
Credits
James Pirstin | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39518",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T13:29:54.973895Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T17:11:42.240Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "eventprime-event-calendar-management",
          "product": "EventPrime",
          "vendor": "EventPrime",
          "versions": [
            {
              "changes": [
                {
                  "at": "4.3.0.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.3.0.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "James Pirstin | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Subscriber Insecure Direct Object References (IDOR) in EventPrime \u003c= 4.3.0.0 versions."
            }
          ],
          "value": "Subscriber Insecure Direct Object References (IDOR) in EventPrime \u003c= 4.3.0.0 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:18:00.857Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-3-0-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress EventPrime Plugin to the latest available version (at least 4.3.0.1)."
            }
          ],
          "value": "Update the WordPress EventPrime Plugin to the latest available version (at least 4.3.0.1)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress EventPrime plugin \u003c= 4.3.0.0 - Insecure Direct Object References (IDOR) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-39518",
    "datePublished": "2026-06-15T20:18:00.857Z",
    "dateReserved": "2026-04-07T10:48:03.414Z",
    "dateUpdated": "2026-06-16T17:11:42.240Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39510 (GCVE-0-2026-39510)

Vulnerability from cvelistv5 – Published: 2026-04-08 08:30 – Updated: 2026-04-29 09:52
VLAI
Title
WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.11 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
WP Chill Image Photo Gallery Final Tiles Grid Affected: 0 , ≤ 3.6.11 (custom)
Create a notification for this product.
Date Public
2026-04-08 10:29
Credits
Jitlada | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 2.7,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39510",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T16:01:39.278899Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T16:07:11.960Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "final-tiles-grid-gallery-lite",
          "product": "Image Photo Gallery Final Tiles Grid",
          "vendor": "WP Chill",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.6.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.6.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jitlada | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-08T10:29:00.851Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Image Photo Gallery Final Tiles Grid: from n/a through \u003c= 3.6.11.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through \u003c= 3.6.11."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T09:52:01.890Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Image Photo Gallery Final Tiles Grid plugin \u003c= 3.6.11 - Insecure Direct Object References (IDOR) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-39510",
    "datePublished": "2026-04-08T08:30:14.471Z",
    "dateReserved": "2026-04-07T10:47:50.137Z",
    "dateUpdated": "2026-04-29T09:52:01.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39386 (GCVE-0-2026-39386)

Vulnerability from cvelistv5 – Published: 2026-04-21 00:50 – Updated: 2026-04-22 03:56
VLAI
Title
Neko has Self-service Privilege Escalation for Authenticated Users
Summary
Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the following mitigations can reduce risk: Restrict access to trusted users only (avoid granting accounts to untrusted parties); ensure all user passwords are strong and only shared with trusted individuals; run the instance only when needed; avoid leaving it continuously exposed; place the instance behind authentication layers such as a reverse proxy with additional access controls; disable or restrict access to the /api/profile endpoint if feasible; and/or monitor for suspicious privilege changes or unexpected administrative actions. Note that these are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-20 - Improper Input Validation
  • CWE-269 - Improper Privilege Management
  • CWE-284 - Improper Access Control
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
m1k1o neko Affected: >= 3.0.0, < 3.0.11
Affected: >= 3.1.0, < 3.1.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39386",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-21T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T03:56:19.795Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "neko",
          "vendor": "m1k1o",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.0.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the following mitigations can reduce risk: Restrict access to trusted users only (avoid granting accounts to untrusted parties); ensure all user passwords are strong and only shared with trusted individuals; run the instance only when needed; avoid leaving it continuously exposed; place the instance behind authentication layers such as a reverse proxy with additional access controls; disable or restrict access to the /api/profile endpoint if feasible; and/or monitor for suspicious privilege changes or unexpected administrative actions. Note that these are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T00:50:34.656Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf"
        },
        {
          "name": "https://github.com/m1k1o/neko/releases/tag/v3.0.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/m1k1o/neko/releases/tag/v3.0.11"
        },
        {
          "name": "https://github.com/m1k1o/neko/releases/tag/v3.1.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/m1k1o/neko/releases/tag/v3.1.2"
        }
      ],
      "source": {
        "advisory": "GHSA-2gw9-c2r2-f5qf",
        "discovery": "UNKNOWN"
      },
      "title": "Neko has Self-service Privilege Escalation for Authenticated Users"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39386",
    "datePublished": "2026-04-21T00:50:34.656Z",
    "dateReserved": "2026-04-06T22:06:40.515Z",
    "dateUpdated": "2026-04-22T03:56:19.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39384 (GCVE-0-2026-39384)

Vulnerability from cvelistv5 – Published: 2026-04-07 16:05 – Updated: 2026-04-09 16:18
VLAI
Title
FreeScout Customer Merge Cross-Mailbox Authorization Bypass
Summary
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39384",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T16:11:29.109236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T16:18:45.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-j6v9-22vq-53vh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "freescout",
          "vendor": "freescout-help-desk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.212"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreeScout is a free help desk and shared inbox built with PHP\u0027s Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T16:05:16.793Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-j6v9-22vq-53vh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-j6v9-22vq-53vh"
        },
        {
          "name": "https://github.com/freescout-help-desk/freescout/commit/b395a1179117af5e2df704c6bad71feeb301b4ce",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/freescout-help-desk/freescout/commit/b395a1179117af5e2df704c6bad71feeb301b4ce"
        }
      ],
      "source": {
        "advisory": "GHSA-j6v9-22vq-53vh",
        "discovery": "UNKNOWN"
      },
      "title": "FreeScout Customer Merge Cross-Mailbox Authorization Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39384",
    "datePublished": "2026-04-07T16:05:16.793Z",
    "dateReserved": "2026-04-06T22:06:40.515Z",
    "dateUpdated": "2026-04-09T16:18:45.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.