CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-P6WV-4RVR-M4FH
Vulnerability from github – Published: 2025-01-11 09:30 – Updated: 2026-04-08 18:33The Unlimited Theme Addon For Elementor and WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.1 via the 'uta-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-12116"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T08:15:24Z",
"severity": "MODERATE"
},
"details": "The Unlimited Theme Addon For Elementor and WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.1 via the \u0027uta-template\u0027 shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
"id": "GHSA-p6wv-4rvr-m4fh",
"modified": "2026-04-08T18:33:47Z",
"published": "2025-01-11T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12116"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3220786%40unlimited-theme-addons\u0026new=3220786%40unlimited-theme-addons\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/unlimited-theme-addons"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbdb6cc-2a00-4d34-9c11-62f3d1b51c73?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6XJ-35FM-QGMF
Vulnerability from github – Published: 2025-03-11 21:30 – Updated: 2026-04-01 18:33Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6.
{
"affected": [],
"aliases": [
"CVE-2025-28874"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T21:15:44Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6.",
"id": "GHSA-p6xj-35fm-qgmf",
"modified": "2026-04-01T18:33:56Z",
"published": "2025-03-11T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28874"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/bp-email-assign-templates/vulnerability/wordpress-bp-email-assign-templates-by-shanebp-plugin-1-6-arbitrary-content-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P76W-G4QC-7G8W
Vulnerability from github – Published: 2023-08-14 21:30 – Updated: 2024-04-04 06:55An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key.
{
"affected": [],
"aliases": [
"CVE-2023-28481"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-14T19:15:10Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key.",
"id": "GHSA-p76w-g4qc-7g8w",
"modified": "2024-04-04T06:55:16Z",
"published": "2023-08-14T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28481"
},
{
"type": "WEB",
"url": "https://neo4j.com/security/cve-2023-28481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P79F-679R-6P3W
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.
{
"affected": [],
"aliases": [
"CVE-2019-9170"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-17T17:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.",
"id": "GHSA-p79f-679r-6p3w",
"modified": "2022-05-13T01:23:02Z",
"published": "2022-05-13T01:23:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9170"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/blog/categories/releases"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/51971"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8P5-G7RX-Q44C
Vulnerability from github – Published: 2026-07-02 06:34 – Updated: 2026-07-02 06:34The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.
{
"affected": [],
"aliases": [
"CVE-2026-5348"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T06:16:14Z",
"severity": "MODERATE"
},
"details": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the \u0027/topics\u0027 REST API endpoint being registered with a permission callback set to \u0027__return_true\u0027, allowing unauthenticated access to course curriculum data without verifying the course\u0027s post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.",
"id": "GHSA-p8p5-g7rx-q44c",
"modified": "2026-07-02T06:34:05Z",
"published": "2026-07-02T06:34:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5348"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3592849%40academy\u0026new=3592849%40academy\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8P9-5953-H9JW
Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 20:56Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The AddMessage and UpdateMessage conversation controllers accept user-supplied file attachment IDs and load files directly via $em->find(File::class, $attachmentID) without checking per-file permissions (canViewFile()). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. If a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-7886"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T18:52:03Z",
"nvd_published_at": "2026-05-21T22:16:49Z",
"severity": "LOW"
},
"details": "Concrete CMS 9.5.0 and below is vulnerable to\u00a0IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.\u00a0The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em-\u003efind(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. If a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won\u0027t be able to view the file.",
"id": "GHSA-p8p9-5953-h9jw",
"modified": "2026-06-24T20:56:41Z",
"published": "2026-05-22T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7886"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS is vulnerable to\u00a0IDOR in AddMessage/UpdateMessage"
}
GHSA-P99H-PFG6-QRFG
Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2024-09-30 18:51Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6mjg-37cp-42x5. This link is maintained to preserve external references.
Original Description
SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sap-xssec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-639",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-15T03:18:45Z",
"nvd_published_at": "2023-12-12T02:15:08Z",
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-6mjg-37cp-42x5. This link is maintained to preserve external references.\n\n## Original Description\nSAP\u00a0BTP\u00a0Security Services Integration Library ([Python]\u00a0sap-xssec) - versions \u003c 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\n\n",
"id": "GHSA-p99h-pfg6-qrfg",
"modified": "2024-09-30T18:51:33Z",
"published": "2023-12-12T03:31:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50423"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067"
},
{
"type": "PACKAGE",
"url": "https://github.com/SAP/cloud-pysec"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3411067"
},
{
"type": "WEB",
"url": "https://pypi.org/project/sap-xssec"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Privilege escalation in sap-xssec",
"withdrawn": "2024-09-30T18:51:33Z"
}
GHSA-P9CX-F595-H79H
Vulnerability from github – Published: 2024-11-07 15:31 – Updated: 2024-11-07 18:28A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0-beta"
},
{
"fixed": "4.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0-beta"
},
{
"fixed": "4.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43438"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-07T18:28:35Z",
"nvd_published_at": "2024-11-07T14:15:16Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Feedback. Bulk messaging in the activity\u0027s non-respondents report did not verify message recipients belonging to the set of users returned by the report.",
"id": "GHSA-p9cx-f595-h79h",
"modified": "2024-11-07T18:28:35Z",
"published": "2024-11-07T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43438"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304267"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=461208"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Moodle\u0027s IDOR in Feedback non-respondents report allows messaging arbitrary site users"
}
GHSA-P9F5-H3RX-J5QW
Vulnerability from github – Published: 2026-06-22 23:59 – Updated: 2026-06-22 23:59Summary
In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository.
In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository.
Description
/attachments/:uuid retrieves an attachment record solely by the UUID provided in the URL and returns the corresponding local file without performing any authorization checks against the attachment’s parent object (Issue/Comment/Release) or the repository it belongs to. As a result, even attachments under private repositories can be downloaded by an unauthenticated user (or a user without proper permissions) as long as the UUID is known.
Relevant code (internal/cmd/web.go:306):
m.Get("/attachments/:uuid", func(c *context.Context) {
attach, err := database.GetAttachmentByUUID(c.Params(":uuid"))
if err != nil {
c.NotFoundOrError(err, "get attachment by UUID")
return
} else if !com.IsFile(attach.LocalPath()) {
c.NotFound()
return
}
fr, err := os.Open(attach.LocalPath())
if err != nil {
c.Error(err, "open attachment file")
return
}
defer fr.Close()
c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
c.Header().Set("Cache-Control", "public,max-age=86400")
c.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, attach.Name))
if _, err = io.Copy(c.Resp, fr); err != nil {
c.Error(err, "copy from file to response")
return
}
})
The UUID lookup itself also performs no validation tied to repository visibility or user permissions. Authorization is not enforced at this layer.
Relevant code (internal/database/attachment.go:124):
// GetAttachmentByUUID returns attachment by given UUID.
func GetAttachmentByUUID(uuid string) (*Attachment, error) {
return getAttachmentByUUID(x, uuid)
}
Preconditions
- The attacker knows the target attachment’s UUID (i.e., the attachment URL).
- For unauthenticated exploitation:
[auth] REQUIRE_SIGNIN_VIEW = false. - Even when
REQUIRE_SIGNIN_VIEW = true, exploitation may still be possible because the handler does not check repository-level permissions; a user who can log in but lacks access to the target repository may still retrieve the attachment.
Steps to Reproduce
- Log in as an administrator and create a private repository, e.g.
myadmin/idor-attach-1770724346-1a13bb. - Add an attachment to an Issue in that repository and note the attachment UUID
(example UUID used during testing:
f06d90f8-5b62-4c10-ac8d-f11fdf870b57). -
Log out and access the following as an unauthenticated user:
-
The repository page → 404 Not Found
-
The Issue page under that repository → 404 Not Found
-
GET /attachments/<uuid>→ the attachment file is successfully downloaded
Minimum Required Privileges
REQUIRE_SIGNIN_VIEW = false: none (works without authentication).REQUIRE_SIGNIN_VIEW = true: only the ability to log in (repository view permission is not required in practice).
Impact
-
Confidential information attached to private repositories or restricted Issues/Releases may be disclosed.
-
Examples include credentials, cryptographic keys, personal data, internal documents, or unpublished source code fragments.
- While the severity depends on the attachment contents, attachments frequently contain sensitive data, making the potential impact high.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.14.2"
},
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52799"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T23:59:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nIn Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**.\nIn a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed that **an unauthenticated user can download attachments belonging to a private repository**.\n\n## Description\n\n`/attachments/:uuid` retrieves an attachment record solely by the UUID provided in the URL and returns the corresponding local file **without performing any authorization checks** against the attachment\u2019s parent object (Issue/Comment/Release) or the repository it belongs to. As a result, even attachments under private repositories can be downloaded by an unauthenticated user (or a user without proper permissions) as long as the UUID is known.\n\nRelevant code (internal/cmd/web.go:306):\n\n```go\nm.Get(\"/attachments/:uuid\", func(c *context.Context) {\n\tattach, err := database.GetAttachmentByUUID(c.Params(\":uuid\"))\n\tif err != nil {\n\t\tc.NotFoundOrError(err, \"get attachment by UUID\")\n\t\treturn\n\t} else if !com.IsFile(attach.LocalPath()) {\n\t\tc.NotFound()\n\t\treturn\n\t}\n\n\tfr, err := os.Open(attach.LocalPath())\n\tif err != nil {\n\t\tc.Error(err, \"open attachment file\")\n\t\treturn\n\t}\n\tdefer fr.Close()\n\n\tc.Header().Set(\"Content-Security-Policy\", \"default-src \u0027none\u0027; style-src \u0027unsafe-inline\u0027; sandbox\")\n\tc.Header().Set(\"Cache-Control\", \"public,max-age=86400\")\n\tc.Header().Set(\"Content-Disposition\", fmt.Sprintf(`inline; filename=\"%s\"`, attach.Name))\n\n\tif _, err = io.Copy(c.Resp, fr); err != nil {\n\t\tc.Error(err, \"copy from file to response\")\n\t\treturn\n\t}\n})\n```\n\nThe UUID lookup itself also performs **no validation tied to repository visibility or user permissions**. Authorization is not enforced at this layer.\n\nRelevant code (internal/database/attachment.go:124):\n\n```go\n// GetAttachmentByUUID returns attachment by given UUID.\nfunc GetAttachmentByUUID(uuid string) (*Attachment, error) {\n\treturn getAttachmentByUUID(x, uuid)\n}\n```\n\n## Preconditions\n\n* The attacker knows the target attachment\u2019s UUID (i.e., the attachment URL).\n* For unauthenticated exploitation: `[auth] REQUIRE_SIGNIN_VIEW = false`.\n* Even when `REQUIRE_SIGNIN_VIEW = true`, exploitation may still be possible because the handler does not check repository-level permissions; a user who can log in but lacks access to the target repository may still retrieve the attachment.\n\n## Steps to Reproduce\n\n1. Log in as an administrator and create a private repository, e.g. `myadmin/idor-attach-1770724346-1a13bb`.\n2. Add an attachment to an Issue in that repository and note the attachment UUID\n (example UUID used during testing: `f06d90f8-5b62-4c10-ac8d-f11fdf870b57`).\n3. Log out and access the following as an unauthenticated user:\n\n* The repository page \u2192 404 Not Found\n\u003cimg width=\"1702\" height=\"758\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8fdb1d92-cfc3-4ef8-977e-60ec13f792df\" /\u003e\n\n* The Issue page under that repository \u2192 404 Not Found\n\u003cimg width=\"1983\" height=\"546\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c44c5e69-8ca2-4ea6-a071-62302b7e896f\" /\u003e\n\n* `GET /attachments/\u003cuuid\u003e` \u2192 **the attachment file is successfully downloaded**\n\u003cimg width=\"2007\" height=\"378\" alt=\"image\" src=\"https://github.com/user-attachments/assets/23950ac6-6b3a-42f8-a06b-b9e0cf508d24\" /\u003e\n\n\n\n## Minimum Required Privileges\n\n* `REQUIRE_SIGNIN_VIEW = false`: none (works without authentication).\n* `REQUIRE_SIGNIN_VIEW = true`: only the ability to log in (repository view permission is not required in practice).\n\n## Impact\n\n* Confidential information attached to private repositories or restricted Issues/Releases may be disclosed.\n\n * Examples include credentials, cryptographic keys, personal data, internal documents, or unpublished source code fragments.\n* While the severity depends on the attachment contents, attachments frequently contain sensitive data, making the potential impact high.",
"id": "GHSA-p9f5-h3rx-j5qw",
"modified": "2026-06-22T23:59:03Z",
"published": "2026-06-22T23:59:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-p9f5-h3rx-j5qw"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/pull/8320"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/d3ca23f9f33d5710472a775d6dcd3a7bb128bb05"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gogs Missing Authorization in Attachment Download"
}
GHSA-P9JF-6QR6-P275
Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 21:31Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through <= 1.2.
{
"affected": [],
"aliases": [
"CVE-2026-22409"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T17:16:33Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through \u003c= 1.2.",
"id": "GHSA-p9jf-6qr6-p275",
"modified": "2026-01-27T21:31:44Z",
"published": "2026-01-22T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22409"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.