CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-MRPF-HRPH-4GM4
Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3.
{
"affected": [],
"aliases": [
"CVE-2024-7473"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T13:15:09Z",
"severity": "HIGH"
},
"details": "An IDOR vulnerability exists in the \u0027Evaluations\u0027 function of the \u0027umgws datasets\u0027 section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users\u0027 prompts by manipulating the \u0027id\u0027 parameter in the request. The issue is fixed in version 1.4.3.",
"id": "GHSA-mrpf-hrph-4gm4",
"modified": "2024-10-29T15:32:05Z",
"published": "2024-10-29T15:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7473"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/afecd927-b5f6-44ba-9147-5c45091beda5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MRR6-VX89-9QJV
Vulnerability from github – Published: 2023-09-06 21:32 – Updated: 2024-04-04 07:32SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system.
{
"affected": [],
"aliases": [
"CVE-2020-10130"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-06T19:15:43Z",
"severity": "HIGH"
},
"details": "SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system.",
"id": "GHSA-mrr6-vx89-9qjv",
"modified": "2024-04-04T07:32:17Z",
"published": "2023-09-06T21:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10130"
},
{
"type": "WEB",
"url": "https://developer.searchblox.com/v9.2/changelog/version-91"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MRWR-HHWH-WJWQ
Vulnerability from github – Published: 2024-11-18 15:33 – Updated: 2024-11-18 15:33An IDOR (Insecure Direct Object Reference) vulnerability has been discovered in AbsysNet, affecting version 2.3.1. This vulnerability could allow a remote attacker to obtain the session of an unauthenticated user by brute-force attacking the session identifier on the "/cgi-bin/ocap/" endpoint.
{
"affected": [],
"aliases": [
"CVE-2024-11318"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T14:15:05Z",
"severity": "HIGH"
},
"details": "An IDOR (Insecure Direct Object Reference) vulnerability has been discovered in AbsysNet, affecting version 2.3.1. This vulnerability could allow a remote attacker to obtain the session of an unauthenticated user by brute-force attacking the session identifier on the \"/cgi-bin/ocap/\" endpoint.",
"id": "GHSA-mrwr-hhwh-wjwq",
"modified": "2024-11-18T15:33:20Z",
"published": "2024-11-18T15:33:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11318"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/idor-vulnerability-absysnet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MV7X-27PC-8C96
Vulnerability from github – Published: 2023-05-30 15:30 – Updated: 2023-11-02 17:22A vulnerability was found in Abstrium Pydio Cells 4.2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Change Subscription Handler. The manipulation leads to authorization bypass. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-230210 is the identifier assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pydio/cells"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2978"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-31T18:26:17Z",
"nvd_published_at": "2023-05-30T14:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Abstrium Pydio Cells 4.2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Change Subscription Handler. The manipulation leads to authorization bypass. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-230210 is the identifier assigned to this vulnerability.",
"id": "GHSA-mv7x-27pc-8c96",
"modified": "2023-11-02T17:22:33Z",
"published": "2023-05-30T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2978"
},
{
"type": "WEB",
"url": "https://popalltheshells.medium.com/multiple-cves-affecting-pydio-cells-4-2-0-321e7e4712be"
},
{
"type": "WEB",
"url": "https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.230210"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.230210"
},
{
"type": "PACKAGE",
"url": "github.com/pydio/cells"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Go package pydio/cells vulnerable to authorization bypass"
}
GHSA-MVF5-QJMW-6P5M
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.
{
"affected": [],
"aliases": [
"CVE-2017-15204"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-11T01:32:00Z",
"severity": "MODERATE"
},
"details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.",
"id": "GHSA-mvf5-qjmw-6p5m",
"modified": "2022-05-13T01:43:40Z",
"published": "2022-05-13T01:43:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15204"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524"
},
{
"type": "WEB",
"url": "https://kanboard.net/news/version-1.0.47"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/10/04/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVG7-8XH2-47RF
Vulnerability from github – Published: 2023-11-24 21:30 – Updated: 2025-11-03 21:30OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
{
"affected": [],
"aliases": [
"CVE-2023-49298"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-24T19:15:07Z",
"severity": "HIGH"
},
"details": "OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.",
"id": "GHSA-mvg7-8xh2-47rf",
"modified": "2025-11-03T21:30:56Z",
"published": "2023-11-24T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49298"
},
{
"type": "WEB",
"url": "https://github.com/openzfs/zfs/issues/15526"
},
{
"type": "WEB",
"url": "https://github.com/openzfs/zfs/pull/15571"
},
{
"type": "WEB",
"url": "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/917224"
},
{
"type": "WEB",
"url": "https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14"
},
{
"type": "WEB",
"url": "https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00009.html"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=38405731"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=38770168"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files"
},
{
"type": "WEB",
"url": "https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVP9-JCP7-42X3
Vulnerability from github – Published: 2025-05-02 06:31 – Updated: 2025-05-02 06:31The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's accounts.
{
"affected": [],
"aliases": [
"CVE-2025-1327"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T04:15:46Z",
"severity": "MODERATE"
},
"details": "The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the \u0027homey_delete_user_account\u0027 action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user\u0027s accounts.",
"id": "GHSA-mvp9-jcp7-42x3",
"modified": "2025-05-02T06:31:24Z",
"published": "2025-05-02T06:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1327"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/homey-booking-wordpress-theme/23338013"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38aa649c-e9d3-458b-b567-e2e751aaca00?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVXW-39VG-5JR5
Vulnerability from github – Published: 2026-03-19 09:30 – Updated: 2026-04-01 18:36Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through 3.9.4.
{
"affected": [],
"aliases": [
"CVE-2025-32223"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-19T09:16:15Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through 3.9.4.",
"id": "GHSA-mvxw-39vg-5jr5",
"modified": "2026-04-01T18:36:32Z",
"published": "2026-03-19T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32223"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability-2?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MW97-J6P7-XP5G
Vulnerability from github – Published: 2025-04-03 15:31 – Updated: 2025-04-21 21:30An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.
{
"affected": [],
"aliases": [
"CVE-2025-22931"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-03T14:15:29Z",
"severity": "HIGH"
},
"details": "An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.",
"id": "GHSA-mw97-j6p7-xp5g",
"modified": "2025-04-21T21:30:26Z",
"published": "2025-04-03T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22931"
},
{
"type": "WEB",
"url": "https://github.com/OS4ED/openSIS-Classic"
},
{
"type": "WEB",
"url": "https://github.com/esusalla/vulnerability-research/tree/main/CVE-2025-22931"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MX7W-QX25-CC3C
Vulnerability from github – Published: 2024-04-07 18:30 – Updated: 2025-02-04 21:32Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.6.
{
"affected": [],
"aliases": [
"CVE-2024-31291"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-07T18:15:11Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.6.",
"id": "GHSA-mx7w-qx25-cc3c",
"modified": "2025-02-04T21:32:26Z",
"published": "2024-04-07T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31291"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/profilegrid-user-profiles-groups-and-communities/wordpress-profilegrid-plugin-5-7-6-idor-on-friend-request-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.