CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-PMH5-6PJ5-85X2
Vulnerability from github – Published: 2025-02-26 21:30 – Updated: 2025-03-05 00:30SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.
{
"affected": [],
"aliases": [
"CVE-2024-50687"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T21:15:17Z",
"severity": "CRITICAL"
},
"details": "SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.",
"id": "GHSA-pmh5-6pj5-85x2",
"modified": "2025-03-05T00:30:33Z",
"published": "2025-02-26T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50687"
},
{
"type": "WEB",
"url": "https://en.sungrowpower.com/security-notice-detail-2/6114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMJC-X5XH-P27V
Vulnerability from github – Published: 2025-11-12 06:30 – Updated: 2025-11-12 06:30The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.
{
"affected": [],
"aliases": [
"CVE-2025-12833"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T05:15:41Z",
"severity": "MODERATE"
},
"details": "The GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the \u0027post_attachment_upload\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.",
"id": "GHSA-pmjc-x5xh-p27v",
"modified": "2025-11-12T06:30:24Z",
"published": "2025-11-12T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12833"
},
{
"type": "WEB",
"url": "https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3393024%40geodirectory\u0026new=3393024%40geodirectory\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/geodirectory"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMJJ-H5JM-VXH4
Vulnerability from github – Published: 2025-12-19 15:31 – Updated: 2025-12-20 17:41An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "2025.10.0"
},
{
"fixed": "2025.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "2025.9.0"
},
{
"fixed": "2025.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-14882"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-20T17:41:16Z",
"nvd_published_at": "2025-12-19T13:16:02Z",
"severity": "LOW"
},
"details": "An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.",
"id": "GHSA-pmjj-h5jm-vxh4",
"modified": "2025-12-20T17:41:16Z",
"published": "2025-12-19T15:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14882"
},
{
"type": "WEB",
"url": "https://github.com/pretix/pretix/commit/4b5651862c57c6e384822d1d23292342126c479a"
},
{
"type": "PACKAGE",
"url": "https://github.com/pretix/pretix"
},
{
"type": "WEB",
"url": "https://pretix.eu/about/en/blog/20251219-release-2025-10-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "pretix has Broken Access Control Allowing Cross-User File Access via UUID"
}
GHSA-PMQC-V2G6-QW5W
Vulnerability from github – Published: 2024-02-08 12:30 – Updated: 2026-05-20 12:30Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse.This issue affects MİA-MED: before 1.0.7.
{
"affected": [],
"aliases": [
"CVE-2023-6515"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-08T10:15:11Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. M\u0130A-MED allows Authentication Abuse.This issue affects M\u0130A-MED: before 1.0.7.",
"id": "GHSA-pmqc-v2g6-qw5w",
"modified": "2026-05-20T12:30:35Z",
"published": "2024-02-08T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6515"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0087"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMV9-7F92-57XH
Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-25 21:30An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2023-44254"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T15:15:14Z",
"severity": "MODERATE"
},
"details": "An authorization bypass through user-controlled key\u00a0[CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.",
"id": "GHSA-pmv9-7f92-57xh",
"modified": "2024-09-25T21:30:33Z",
"published": "2024-09-10T15:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44254"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-204"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PP3P-6JJH-RMG7
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:42An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others' public and private memos.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4806"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T22:09:17Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others\u0027 public and private memos.",
"id": "GHSA-pp3p-6jjh-rmg7",
"modified": "2023-01-10T15:42:32Z",
"published": "2022-12-28T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4806"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/2c7101bc-e6d8-4cd0-9003-bc8d86f4e4be"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos Improper Access Control vulnerability"
}
GHSA-PP3Q-3FPH-XPQH
Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-01-29 18:31A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.
{
"affected": [],
"aliases": [
"CVE-2025-65887"
],
"database_specific": {
"cwe_ids": [
"CWE-369",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T17:16:08Z",
"severity": "MODERATE"
},
"details": "A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.",
"id": "GHSA-pp3q-3fph-xpqh",
"modified": "2026-01-29T18:31:42Z",
"published": "2026-01-28T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65887"
},
{
"type": "WEB",
"url": "https://github.com/Oneflow-Inc/oneflow/issues/10665"
},
{
"type": "WEB",
"url": "https://github.com/Daisy2ang"
},
{
"type": "WEB",
"url": "https://github.com/Oneflow-Inc/oneflow"
},
{
"type": "WEB",
"url": "http://oneflow.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP44-53WG-RWWX
Vulnerability from github – Published: 2025-07-31 15:35 – Updated: 2025-07-31 18:32CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers.
{
"affected": [],
"aliases": [
"CVE-2025-50849"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-31T15:15:36Z",
"severity": "HIGH"
},
"details": "CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users\u0027 accounts and toggle the sticker setting by modifying the company_id or other object identifiers.",
"id": "GHSA-pp44-53wg-rwwx",
"modified": "2025-07-31T18:32:03Z",
"published": "2025-07-31T15:35:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50849"
},
{
"type": "WEB",
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50849.md"
},
{
"type": "WEB",
"url": "http://cs.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP66-R2H3-JCWQ
Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2024-01-10 18:30An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.
{
"affected": [],
"aliases": [
"CVE-2023-48783"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-10T18:15:46Z",
"severity": "MODERATE"
},
"details": "An\u00a0Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.",
"id": "GHSA-pp66-r2h3-jcwq",
"modified": "2024-01-10T18:30:28Z",
"published": "2024-01-10T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48783"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PPGC-36HR-Q23G
Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-03 09:31The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.
{
"affected": [],
"aliases": [
"CVE-2026-11900"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T09:16:36Z",
"severity": "MODERATE"
},
"details": "The Ad Inserter \u2013 Ad Manager \u0026 AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the \u0027data\u0027 attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field(\u0027post_content\u0027, N) without verifying the requesting user\u0027s capability with current_user_can(\u0027read_post\u0027), without restricting the post type to \u0027wp_block\u0027, and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.",
"id": "GHSA-ppgc-36hr-q23g",
"modified": "2026-07-03T09:31:28Z",
"published": "2026-07-03T09:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11900"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L10569"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L10818"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L13083"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L2101"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L10569"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L10818"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L13083"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L2101"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3591792%40ad-inserter\u0026new=3591792%40ad-inserter\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20f0e9ae-786b-4ba8-a6d5-92bf31ebc2c7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.