CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-MX8C-7RH4-QFJ2
Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 12:31CWE-639 Authorization Bypass Through User-Controlled Key
{
"affected": [],
"aliases": [
"CVE-2025-46387"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T11:15:28Z",
"severity": "HIGH"
},
"details": "CWE-639 Authorization Bypass Through User-Controlled Key",
"id": "GHSA-mx8c-7rh4-qfj2",
"modified": "2025-08-06T12:31:20Z",
"published": "2025-08-06T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46387"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MXGW-57R7-Q28C
Vulnerability from github – Published: 2024-07-22 12:30 – Updated: 2024-07-22 12:30Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS.This issue affects Academy LMS: from n/a through 2.0.4.
{
"affected": [],
"aliases": [
"CVE-2024-38701"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-22T11:15:03Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS.This issue affects Academy LMS: from n/a through 2.0.4.",
"id": "GHSA-mxgw-57r7-q28c",
"modified": "2024-07-22T12:30:37Z",
"published": "2024-07-22T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38701"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/academy/wordpress-academy-lms-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MXQ2-5JPG-7474
Vulnerability from github – Published: 2026-06-22 15:30 – Updated: 2026-06-22 15:30Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650
{
"affected": [],
"aliases": [
"CVE-2026-6062"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T14:17:51Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650",
"id": "GHSA-mxq2-5jpg-7474",
"modified": "2026-06-22T15:30:45Z",
"published": "2026-06-22T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6062"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MXQ5-F9C5-W4P5
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-09 20:51A bug in Apache Airflow's bulk Task Instances API (PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances) evaluated authorization against the dag_id resolved from the URL path while operating on the dag_id / dag_run_id extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to apache-airflow 3.2.2 or later.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41084"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T20:51:57Z",
"nvd_published_at": "2026-06-01T09:16:18Z",
"severity": "HIGH"
},
"details": "A bug in Apache Airflow\u0027s bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag\u0027s ID in the URL path and naming the target Dag\u0027s IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.",
"id": "GHSA-mxq5-f9c5-w4p5",
"modified": "2026-07-09T20:51:57Z",
"published": "2026-06-01T09:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41084"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/64288"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-183.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/31/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow Vulnerable to Authorization Bypass Through User-Controlled Key"
}
GHSA-MXR4-JXX7-RXVW
Vulnerability from github – Published: 2024-11-09 03:30 – Updated: 2026-04-08 18:33The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely.
{
"affected": [],
"aliases": [
"CVE-2024-9262"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-09T03:15:05Z",
"severity": "MODERATE"
},
"details": "The User Meta \u2013 User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the \u0027user-meta-public-profile\u0027 shortcode is used insecurely.",
"id": "GHSA-mxr4-jxx7-rxvw",
"modified": "2026-04-08T18:33:39Z",
"published": "2024-11-09T03:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9262"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-meta/trunk/models/classes/generate/PublicProfile.php#L28"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3221099%40user-meta\u0026new=3221099%40user-meta\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed81348-7604-4858-bc8e-b4504d77ee45?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MXR8-QJ6J-F7GQ
Vulnerability from github – Published: 2024-04-26 03:30 – Updated: 2024-07-03 18:36An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to.
{
"affected": [],
"aliases": [
"CVE-2024-33668"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-26T01:15:46Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to.",
"id": "GHSA-mxr8-qj6j-f7gq",
"modified": "2024-07-03T18:36:53Z",
"published": "2024-04-26T03:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33668"
},
{
"type": "WEB",
"url": "https://zammad.com/en/advisories/zaa-2024-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MXRH-VWCX-VG7H
Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 12:35Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653
{
"affected": [],
"aliases": [
"CVE-2026-6541"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T11:16:28Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.7.x \u003c= 11.7.1, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user\u2019s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653",
"id": "GHSA-mxrh-vwcx-vg7h",
"modified": "2026-07-13T12:35:06Z",
"published": "2026-07-13T12:35:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6541"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P26R-GFGC-C47H
Vulnerability from github – Published: 2024-10-14 18:30 – Updated: 2024-12-12 17:51An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere v3.4.1 and v4.1.1 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kubesphere/kubesphere"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kubesphere/kubesphere"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-46528"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-01T20:35:14Z",
"nvd_published_at": "2024-10-14T18:15:03Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere v3.4.1 and v4.1.1 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks.",
"id": "GHSA-p26r-gfgc-c47h",
"modified": "2024-12-12T17:51:25Z",
"published": "2024-10-14T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46528"
},
{
"type": "WEB",
"url": "https://github.com/kubesphere/kubesphere/issues/6227"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubesphere/kubesphere"
},
{
"type": "WEB",
"url": "https://kubesphere.io"
},
{
"type": "WEB",
"url": "https://okankurtulus.com.tr/2024/09/09/idor-vulnerability-in-kubesphere"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3248"
},
{
"type": "WEB",
"url": "https://www.kubesphere.io/news/kubesphere-cve-2024-46528"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "KubeSphere IDOR vulnerability"
}
GHSA-P2V5-84J7-PC37
Vulnerability from github – Published: 2026-07-02 12:30 – Updated: 2026-07-02 12:30The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.
{
"affected": [],
"aliases": [
"CVE-2026-12657"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T10:16:27Z",
"severity": "MODERATE"
},
"details": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the \u0027service_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.",
"id": "GHSA-p2v5-84j7-pc37",
"modified": "2026-07-02T12:30:59Z",
"published": "2026-07-02T12:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12657"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L244"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L341"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1202"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1618"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1710"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L244"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L341"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1202"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1618"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1710"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584059%40latepoint\u0026new=3584059%40latepoint\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09588c2a-1631-4924-8277-d47f096493c5?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P2VX-QJ66-88Q3
Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2024-09-30 13:40SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sap/xssec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49583"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-639",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-20T17:57:49Z",
"nvd_published_at": "2023-12-12T02:15:07Z",
"severity": "CRITICAL"
},
"details": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Node.js] @sap/xssec - versions \u003c 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\n\n",
"id": "GHSA-p2vx-qj66-88q3",
"modified": "2024-09-30T13:40:50Z",
"published": "2023-12-12T03:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49583"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3411067"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3412456"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3413475"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@sap/xssec"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Escalation of privileges in @sap/xssec"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.