Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-PMH5-6PJ5-85X2

Vulnerability from github – Published: 2025-02-26 21:30 – Updated: 2025-03-05 00:30
VLAI
Details

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T21:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.",
  "id": "GHSA-pmh5-6pj5-85x2",
  "modified": "2025-03-05T00:30:33Z",
  "published": "2025-02-26T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50687"
    },
    {
      "type": "WEB",
      "url": "https://en.sungrowpower.com/security-notice-detail-2/6114"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMJC-X5XH-P27V

Vulnerability from github – Published: 2025-11-12 06:30 – Updated: 2025-11-12 06:30
VLAI
Details

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T05:15:41Z",
    "severity": "MODERATE"
  },
  "details": "The GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the \u0027post_attachment_upload\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.",
  "id": "GHSA-pmjc-x5xh-p27v",
  "modified": "2025-11-12T06:30:24Z",
  "published": "2025-11-12T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3393024%40geodirectory\u0026new=3393024%40geodirectory\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/geodirectory"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMJJ-H5JM-VXH4

Vulnerability from github – Published: 2025-12-19 15:31 – Updated: 2025-12-20 17:41
VLAI
Summary
pretix has Broken Access Control Allowing Cross-User File Access via UUID
Details

An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2025.10.0"
            },
            {
              "fixed": "2025.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2025.9.0"
            },
            {
              "fixed": "2025.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2025.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-14882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-20T17:41:16Z",
    "nvd_published_at": "2025-12-19T13:16:02Z",
    "severity": "LOW"
  },
  "details": "An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.",
  "id": "GHSA-pmjj-h5jm-vxh4",
  "modified": "2025-12-20T17:41:16Z",
  "published": "2025-12-19T15:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pretix/pretix/commit/4b5651862c57c6e384822d1d23292342126c479a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pretix/pretix"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20251219-release-2025-10-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pretix has Broken Access Control Allowing Cross-User File Access via UUID"
}

GHSA-PMQC-V2G6-QW5W

Vulnerability from github – Published: 2024-02-08 12:30 – Updated: 2026-05-20 12:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse.This issue affects MİA-MED: before 1.0.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-08T10:15:11Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. M\u0130A-MED allows Authentication Abuse.This issue affects M\u0130A-MED: before 1.0.7.",
  "id": "GHSA-pmqc-v2g6-qw5w",
  "modified": "2026-05-20T12:30:35Z",
  "published": "2024-02-08T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6515"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0087"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMV9-7F92-57XH

Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-25 21:30
VLAI
Details

An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T15:15:14Z",
    "severity": "MODERATE"
  },
  "details": "An authorization bypass through user-controlled key\u00a0[CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.",
  "id": "GHSA-pmv9-7f92-57xh",
  "modified": "2024-09-25T21:30:33Z",
  "published": "2024-09-10T15:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44254"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-204"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP3P-6JJH-RMG7

Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:42
VLAI
Summary
usememos/memos Improper Access Control vulnerability
Details

An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others' public and private memos.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T22:09:17Z",
    "nvd_published_at": "2022-12-28T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others\u0027 public and private memos.",
  "id": "GHSA-pp3p-6jjh-rmg7",
  "modified": "2023-01-10T15:42:32Z",
  "published": "2022-12-28T15:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/2c7101bc-e6d8-4cd0-9003-bc8d86f4e4be"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "usememos/memos Improper Access Control vulnerability"
}

GHSA-PP3Q-3FPH-XPQH

Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-01-29 18:31
VLAI
Details

A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T17:16:08Z",
    "severity": "MODERATE"
  },
  "details": "A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.",
  "id": "GHSA-pp3q-3fph-xpqh",
  "modified": "2026-01-29T18:31:42Z",
  "published": "2026-01-28T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Oneflow-Inc/oneflow/issues/10665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Daisy2ang"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Oneflow-Inc/oneflow"
    },
    {
      "type": "WEB",
      "url": "http://oneflow.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP44-53WG-RWWX

Vulnerability from github – Published: 2025-07-31 15:35 – Updated: 2025-07-31 18:32
VLAI
Details

CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T15:15:36Z",
    "severity": "HIGH"
  },
  "details": "CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users\u0027 accounts and toggle the sticker setting by modifying the company_id or other object identifiers.",
  "id": "GHSA-pp44-53wg-rwwx",
  "modified": "2025-07-31T18:32:03Z",
  "published": "2025-07-31T15:35:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50849"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50849.md"
    },
    {
      "type": "WEB",
      "url": "http://cs.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP66-R2H3-JCWQ

Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2024-01-10 18:30
VLAI
Details

An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T18:15:46Z",
    "severity": "MODERATE"
  },
  "details": "An\u00a0Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.",
  "id": "GHSA-pp66-r2h3-jcwq",
  "modified": "2024-01-10T18:30:28Z",
  "published": "2024-01-10T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48783"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPGC-36HR-Q23G

Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-03 09:31
VLAI
Details

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T09:16:36Z",
    "severity": "MODERATE"
  },
  "details": "The Ad Inserter \u2013 Ad Manager \u0026 AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the \u0027data\u0027 attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field(\u0027post_content\u0027, N) without verifying the requesting user\u0027s capability with current_user_can(\u0027read_post\u0027), without restricting the post type to \u0027wp_block\u0027, and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.",
  "id": "GHSA-ppgc-36hr-q23g",
  "modified": "2026-07-03T09:31:28Z",
  "published": "2026-07-03T09:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11900"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L10569"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L10818"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L13083"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L2101"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L10569"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L10818"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L13083"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L2101"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3591792%40ad-inserter\u0026new=3591792%40ad-inserter\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20f0e9ae-786b-4ba8-a6d5-92bf31ebc2c7?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.