CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-P9W3-8M39-9587
Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6.
{
"affected": [],
"aliases": [
"CVE-2023-37871"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-20T14:15:19Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6.",
"id": "GHSA-p9w3-8m39-9587",
"modified": "2026-04-28T21:33:27Z",
"published": "2023-12-20T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37871"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/woocommerce-gateway-gocardless/wordpress-woocommerce-gocardless-gateway-plugin-2-5-6-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P9X3-W98F-7J3Q
Vulnerability from github – Published: 2026-03-02 19:53 – Updated: 2026-03-02 19:53Summary
The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known.
Details
McpTokenService.get(), regenerateToken(), and delete() did not filter by fk_user_id. The analogous ApiTokensService correctly enforced ownership.
Impact
Limited — requires Creator role and knowledge of target token ID. Primary risk is denial of service (invalidating tokens) and scoped token disclosure.
Credit
This issue was reported by @bugbunny-research (bugbunny.ai).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.301.2"
},
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.301.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28361"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T19:53:41Z",
"nvd_published_at": "2026-03-02T17:16:34Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user\u0027s MCP tokens if the token ID was known.\n\n### Details\n`McpTokenService.get()`, `regenerateToken()`, and `delete()` did not filter by `fk_user_id`. The analogous `ApiTokensService` correctly enforced ownership.\n\n### Impact\nLimited \u2014 requires Creator role and knowledge of target token ID. Primary risk is denial of service (invalidating tokens) and scoped token disclosure.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).",
"id": "GHSA-p9x3-w98f-7j3q",
"modified": "2026-03-02T19:53:41Z",
"published": "2026-03-02T19:53:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28361"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "NocoDB Missing Ownership Validation in MCP Token Operations"
}
GHSA-PC38-57G8-39GG
Vulnerability from github – Published: 2026-02-12 18:30 – Updated: 2026-02-18 15:31An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL.
{
"affected": [],
"aliases": [
"CVE-2025-69752"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T16:16:05Z",
"severity": "MODERATE"
},
"details": "An issue in the \"My Details\" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users\u0027 profile information by modifying the objectKey HTTP parameter in the My Details page URL.",
"id": "GHSA-pc38-57g8-39gg",
"modified": "2026-02-18T15:31:24Z",
"published": "2026-02-12T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69752"
},
{
"type": "WEB",
"url": "https://github.com/brtsec/public-advisories/tree/main/advisories/CVE-2025-69752"
},
{
"type": "WEB",
"url": "http://ideagen.com"
},
{
"type": "WEB",
"url": "http://q-pulse.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PCM2-6VC4-FM2M
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2025-03-27 18:30Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference (IDOR) via the userID parameter.
{
"affected": [],
"aliases": [
"CVE-2024-33818"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:38:07Z",
"severity": "HIGH"
},
"details": "Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference (IDOR) via the userID parameter.",
"id": "GHSA-pcm2-6vc4-fm2m",
"modified": "2025-03-27T18:30:39Z",
"published": "2024-05-14T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33818"
},
{
"type": "WEB",
"url": "https://medium.com/%40rajput.thakur/insecure-direct-object-references-cve-2024-33818-86785aa8c969"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PCR4-QPPJ-9V45
Vulnerability from github – Published: 2024-08-22 12:30 – Updated: 2024-09-27 00:31The User Private Files – WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpk_upvf_update_doc' due to missing validation on the 'docid' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to gain access to other user's private files.
{
"affected": [],
"aliases": [
"CVE-2024-7848"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T11:15:14Z",
"severity": "MODERATE"
},
"details": "The User Private Files \u2013 WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the \u0027dpk_upvf_update_doc\u0027 due to missing validation on the \u0027docid\u0027 user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to gain access to other user\u0027s private files.",
"id": "GHSA-pcr4-qppj-9v45",
"modified": "2024-09-27T00:31:04Z",
"published": "2024-08-22T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7848"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3136913%40user-private-files\u0026new=3136913%40user-private-files\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb06de8-97d6-46c3-83ef-93a209540259?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PF3F-6CWQ-WV9H
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).
{
"affected": [],
"aliases": [
"CVE-2021-24473"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-02T11:15:00Z",
"severity": "MODERATE"
},
"details": "The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).",
"id": "GHSA-pf3f-6cwq-wv9h",
"modified": "2022-05-24T19:09:38Z",
"published": "2022-05-24T19:09:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24473"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/79982ea9-4733-4b1e-a43e-17629c1136de"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PF3Q-2QV4-VX44
Vulnerability from github – Published: 2025-01-30 09:30 – Updated: 2025-01-30 09:30The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-13694"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-30T09:15:08Z",
"severity": "HIGH"
},
"details": "The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.",
"id": "GHSA-pf3q-2qv4-vx44",
"modified": "2025-01-30T09:30:37Z",
"published": "2025-01-30T09:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13694"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-form-handler.php#L607"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-wishlist.php#L529"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3229758"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/smart-wishlist-for-more-convert/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59fe7630-ab94-419f-aca5-39b74d86ae4e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PF62-83X3-9QJV
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-15 15:32Improper authorization in the PAM SSH key and certificate retrieval endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the credential identifier.
{
"affected": [],
"aliases": [
"CVE-2026-15637"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T19:16:51Z",
"severity": "HIGH"
},
"details": "Improper authorization in the PAM SSH key and certificate retrieval \nendpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an \nauthenticated low-privileged user to disclose the private key of an SSH \nkey or certificate PAM credential via a direct object reference to the \ncredential identifier.",
"id": "GHSA-pf62-83x3-9qjv",
"modified": "2026-07-15T15:32:54Z",
"published": "2026-07-14T21:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15637"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2026-0024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PF72-GM84-6R86
Vulnerability from github – Published: 2025-09-30 21:31 – Updated: 2025-10-02 18:30An Insecure Direct Object Reference (IDOR) in the /dashboard/notes endpoint of Syaqui Collegetivity v1.0.0 allows attackers to impersonate other users and perform arbitrary operations via a crafted POST request.
{
"affected": [],
"aliases": [
"CVE-2025-56392"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T20:15:39Z",
"severity": "HIGH"
},
"details": "An Insecure Direct Object Reference (IDOR) in the /dashboard/notes endpoint of Syaqui Collegetivity v1.0.0 allows attackers to impersonate other users and perform arbitrary operations via a crafted POST request.",
"id": "GHSA-pf72-gm84-6r86",
"modified": "2025-10-02T18:30:58Z",
"published": "2025-09-30T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56392"
},
{
"type": "WEB",
"url": "https://github.com/Zelilac/vulnerability-research/tree/main/CVE-2025-56392"
},
{
"type": "WEB",
"url": "https://github.com/syauqi/collegetivity"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PF8Q-V3QP-47XW
Vulnerability from github – Published: 2024-10-16 12:30 – Updated: 2024-10-16 12:30An authorization bypass through user-controlled key vulnerability affecting 3DSwym in 3DSwymer on Release 3DEXPERIENCE R2024x allows an authenticated attacker to access some unauthorized data.
{
"affected": [],
"aliases": [
"CVE-2024-8040"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T12:15:09Z",
"severity": "HIGH"
},
"details": "An authorization bypass through user-controlled key vulnerability affecting 3DSwym in 3DSwymer on Release 3DEXPERIENCE R2024x allows an authenticated attacker to access some unauthorized data.",
"id": "GHSA-pf8q-v3qp-47xw",
"modified": "2024-10-16T12:30:48Z",
"published": "2024-10-16T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8040"
},
{
"type": "WEB",
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.