Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3254 vulnerabilities reference this CWE, most recent first.

GHSA-R472-MW7M-967F

Vulnerability from github – Published: 2026-05-14 20:27 – Updated: 2026-05-15 23:55
VLAI
Summary
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
Details

Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Summary

Multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID.

Affected code paths

Path 1 — Folder knowledge ingestion via folders.update

backend/open_webui/routers/folders.py:156POST /api/v1/folders/{id}/update accepts a FolderUpdateForm whose data: Optional[dict] field is written verbatim into the folder. The folder consumer at backend/open_webui/utils/middleware.py:2409 spreads folder.data['files'] directly into form_data['files'] for the next chat completion, which becomes RAG context. There is no per-file ownership check at the writer (the update handler) and no per-file ownership check at the reader (the middleware folder consumer) — only the folder list endpoint (folders.py:78-94) cleans up by stripping inaccessible files, and that runs lazily at folder-list time rather than at chat time. An attacker with a victim's file UUID can write data: {"files": [{"id": "<victim>", "type": "file"}]} into their own folder, immediately chat in that folder, and have the LLM return the victim's document content via RAG. The cleanup pass strips the file from persistence later, but the exfiltration has already happened.

Path 2 — Knowledge-base attach via knowledge.{id}/file/add and knowledge.{id}/files/batch/add

backend/open_webui/routers/knowledge.py:616-669 (add_file_to_knowledge_by_id) and backend/open_webui/routers/knowledge.py:972-1035 (add_files_to_knowledge_by_id_batch) check the caller's write access to the knowledge base but never validate the caller's access to the file_id being attached. Because has_access_to_file(..., user) returns True for any file linked to a KB the caller owns, attaching a victim's file_id to an attacker-owned KB silently unlocks read and write on that file through /api/v1/files/{id}/content and /api/v1/files/{id}/data/content/update. This is a stronger variant than Path 1 — full read AND overwrite, persisted, no cleanup pass to mitigate.

Proof of concept

Path 1 (folder knowledge)

# Attacker writes victim file_id into their own folder
curl -X POST http://target/api/v1/folders/<attacker_folder_id>/update \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d "{\"data\": {\"files\": [{\"id\": \"$VICTIM_FILE_ID\", \"type\": \"file\"}]}}"

# Attacker chats in that folder — victim file becomes RAG context
curl -X POST http://target/api/chat/completions \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d "{\"model\":\"any\",\"messages\":[{\"role\":\"user\",\"content\":\"summarise my uploaded document\"}],\"folder_id\":\"<attacker_folder_id>\"}"

Path 2 (knowledge-base attach)

# Attacker creates own KB
KB=$(curl -s -X POST http://target/api/v1/knowledge/create \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d '{"name":"x","description":"x","data":{}}' | jq -r .id)

# Attach victim's file_id — no ownership check
curl -X POST http://target/api/v1/knowledge/$KB/file/add \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d "{\"file_id\":\"$VICTIM_FILE_ID\"}"

# Read victim file through standard files endpoint (now accessible because file is "linked to KB I own")
curl http://target/api/v1/files/$VICTIM_FILE_ID/content -H "Authorization: Bearer $ATK"

# Overwrite
curl -X POST http://target/api/v1/files/$VICTIM_FILE_ID/data/content/update \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d '{"content":"tampered"}'

Impact

  • Confidentiality: Any authenticated user can read the contents of any other user's private uploaded file, given knowledge of the file UUID. UUIDs are V4 (not enumerable in practice) but leak through normal usage — file IDs appear in chat sources, in shared chats' citations, in URL paths (/workspace/files/), in browser history / referrer headers, and in any export/share flow that surfaces source metadata.
  • Integrity: Path 2 (knowledge attach) additionally allows the attacker to overwrite the victim's file content, persisting attacker-controlled text under the victim's file_id. Subsequent reads by the victim or by any RAG flow that ingests the victim's file return the tampered content.
  • Availability: None directly — file rows are not deleted by these paths.

Recommended fix

Validate the supplied file_id against the caller's read access before attaching, in every writer.

Credits

Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.

MrBeard-FT — first to identify the folder-knowledge ingestion path (Path 1) Classic298 — first to identify the knowledge-base attach path (Path 2 — /knowledge/{id}/file/add and /files/batch/add)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:27:35Z",
    "nvd_published_at": "2026-05-15T21:16:38Z",
    "severity": "HIGH"
  },
  "details": "# Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints\n\n## Summary\n\nMultiple endpoints accept a user-supplied `file_id` and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file\u0027s content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user\u0027s private file \u2014 and on the knowledge-base path, also to overwrite it \u2014 given knowledge of the file\u0027s UUID.\n\n## Affected code paths\n\n### Path 1 \u2014 Folder knowledge ingestion via `folders.update`\n\n`backend/open_webui/routers/folders.py:156` \u2014 `POST /api/v1/folders/{id}/update` accepts a `FolderUpdateForm` whose `data: Optional[dict]` field is written verbatim into the folder. The folder consumer at `backend/open_webui/utils/middleware.py:2409` spreads `folder.data[\u0027files\u0027]` directly into `form_data[\u0027files\u0027]` for the next chat completion, which becomes RAG context. There is no per-file ownership check at the writer (the update handler) and no per-file ownership check at the reader (the middleware folder consumer) \u2014 only the *folder list* endpoint (`folders.py:78-94`) cleans up by stripping inaccessible files, and that runs lazily at folder-list time rather than at chat time. An attacker with a victim\u0027s file UUID can write `data: {\"files\": [{\"id\": \"\u003cvictim\u003e\", \"type\": \"file\"}]}` into their own folder, immediately chat in that folder, and have the LLM return the victim\u0027s document content via RAG. The cleanup pass strips the file from persistence later, but the exfiltration has already happened.\n\n### Path 2 \u2014 Knowledge-base attach via `knowledge.{id}/file/add` and `knowledge.{id}/files/batch/add`\n\n`backend/open_webui/routers/knowledge.py:616-669` (`add_file_to_knowledge_by_id`) and `backend/open_webui/routers/knowledge.py:972-1035` (`add_files_to_knowledge_by_id_batch`) check the caller\u0027s *write access to the knowledge base* but never validate the caller\u0027s access to the `file_id` being attached. Because `has_access_to_file(..., user)` returns True for any file linked to a KB the caller owns, attaching a victim\u0027s `file_id` to an attacker-owned KB silently unlocks read **and** write on that file through `/api/v1/files/{id}/content` and `/api/v1/files/{id}/data/content/update`. This is a stronger variant than Path 1 \u2014 full read AND overwrite, persisted, no cleanup pass to mitigate.\n\n## Proof of concept\n\n### Path 1 (folder knowledge)\n```bash\n# Attacker writes victim file_id into their own folder\ncurl -X POST http://target/api/v1/folders/\u003cattacker_folder_id\u003e/update \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \"{\\\"data\\\": {\\\"files\\\": [{\\\"id\\\": \\\"$VICTIM_FILE_ID\\\", \\\"type\\\": \\\"file\\\"}]}}\"\n\n# Attacker chats in that folder \u2014 victim file becomes RAG context\ncurl -X POST http://target/api/chat/completions \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \"{\\\"model\\\":\\\"any\\\",\\\"messages\\\":[{\\\"role\\\":\\\"user\\\",\\\"content\\\":\\\"summarise my uploaded document\\\"}],\\\"folder_id\\\":\\\"\u003cattacker_folder_id\u003e\\\"}\"\n```\n  \n### Path 2 (knowledge-base attach)\n\n```\n# Attacker creates own KB\nKB=$(curl -s -X POST http://target/api/v1/knowledge/create \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"name\":\"x\",\"description\":\"x\",\"data\":{}}\u0027 | jq -r .id)\n\n# Attach victim\u0027s file_id \u2014 no ownership check\ncurl -X POST http://target/api/v1/knowledge/$KB/file/add \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \"{\\\"file_id\\\":\\\"$VICTIM_FILE_ID\\\"}\"\n\n# Read victim file through standard files endpoint (now accessible because file is \"linked to KB I own\")\ncurl http://target/api/v1/files/$VICTIM_FILE_ID/content -H \"Authorization: Bearer $ATK\"\n\n# Overwrite\ncurl -X POST http://target/api/v1/files/$VICTIM_FILE_ID/data/content/update \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"content\":\"tampered\"}\u0027\n```\n\n## Impact\n\n- Confidentiality: Any authenticated user can read the contents of any other user\u0027s private uploaded file, given knowledge of the file UUID. UUIDs are V4 (not enumerable in practice) but leak through normal usage \u2014 file IDs appear in chat sources, in shared chats\u0027 citations, in URL paths (/workspace/files/\u003cid\u003e), in browser history / referrer headers, and in any export/share flow that surfaces source metadata.\n- Integrity: Path 2 (knowledge attach) additionally allows the attacker to overwrite the victim\u0027s file content, persisting attacker-controlled text under the victim\u0027s file_id. Subsequent reads by the victim or by any RAG flow that ingests the victim\u0027s file return the tampered content.\n- Availability: None directly \u2014 file rows are not deleted by these paths.\n\n## Recommended fix\n\nValidate the supplied file_id against the caller\u0027s read access before attaching, in every writer.\n\n### Credits\n\nPer the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.\n\nMrBeard-FT \u2014 first to identify the folder-knowledge ingestion path (Path 1)\nClassic298 \u2014 first to identify the knowledge-base attach path (Path 2 \u2014 /knowledge/{id}/file/add and /files/batch/add)",
  "id": "GHSA-r472-mw7m-967f",
  "modified": "2026-05-15T23:55:40Z",
  "published": "2026-05-14T20:27:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45402"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints"
}

GHSA-R48Q-9G5R-8Q2H

Vulnerability from github – Published: 2022-06-09 00:00 – Updated: 2022-06-17 18:18
VLAI
Summary
Authorization Bypass Through User-Controlled Key in go-restful
Details

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/emicklei/go-restful/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/emicklei/go-restful"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/emicklei/go-restful/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-09T23:50:21Z",
    "nvd_published_at": "2022-06-08T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
  "id": "GHSA-r48q-9g5r-8q2h",
  "modified": "2022-06-17T18:18:04Z",
  "published": "2022-06-09T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emicklei/go-restful/issues/489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emicklei/go-restful/commit/926662532deb450272956c7bc573978464aae74e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220923-0005"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0619"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/emicklei/go-restful"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorization Bypass Through User-Controlled Key in go-restful"
}

GHSA-R4G7-M54C-6F4W

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-06-06 09:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection.This issue affects OBS (Student Affairs Information System): before v26.0328.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T08:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection.This issue affects OBS (Student Affairs Information System): before v26.0328.",
  "id": "GHSA-r4g7-m54c-6f4w",
  "modified": "2026-06-06T09:31:14Z",
  "published": "2025-09-22T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0875"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0282"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0282"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4JV-P8QQ-69JQ

Vulnerability from github – Published: 2025-05-31 12:30 – Updated: 2025-05-31 12:30
VLAI
Details

The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-31T12:15:20Z",
    "severity": "MODERATE"
  },
  "details": "The Free Booking Plugin for Hotels, Restaurants and Car Rentals \u2013 eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the \u0027view_request_details\u0027 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.",
  "id": "GHSA-r4jv-p8qq-69jq",
  "modified": "2025-05-31T12:30:29Z",
  "published": "2025-05-31T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/easync-booking/tags/1.3.17/easync.php#L4859"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3243634"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3293607"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3300408"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9953b3-dd09-4c80-be11-4daf3bbac720?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4XH-HP7Q-826Q

Vulnerability from github – Published: 2023-10-31 00:31 – Updated: 2023-11-06 21:31
VLAI
Details

An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-30T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter.",
  "id": "GHSA-r4xh-hp7q-826q",
  "modified": "2023-11-06T21:31:06Z",
  "published": "2023-10-31T00:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46478"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mr-xmen786/CVE-2023-46478/tree/main"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4XP-GCM2-3943

Vulnerability from github – Published: 2024-12-25 09:30 – Updated: 2024-12-25 09:30
VLAI
Details

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-25T07:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the \u0027fusion_blog\u0027 shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.",
  "id": "GHSA-r4xp-gcm2-3943",
  "modified": "2024-12-25T09:30:47Z",
  "published": "2024-12-25T09:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12335"
    },
    {
      "type": "WEB",
      "url": "https://avada.com"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4181dcad-b5bd-46db-b47c-3cdee427123c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4XR-M393-778M

Vulnerability from github – Published: 2024-11-20 12:30 – Updated: 2024-11-20 21:45
VLAI
Summary
Moodle IDOR when accessing list of course badges
Details

A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0-beta"
            },
            {
              "fixed": "4.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-48899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-20T18:25:30Z",
    "nvd_published_at": "2024-11-20T11:15:05Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.",
  "id": "GHSA-r4xr-m393-778m",
  "modified": "2024-11-20T21:45:14Z",
  "published": "2024-11-20T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48899"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/07ad4b8ebc715056056e01f2175820bfce6b290f"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318819"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=462878#p1858337"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Moodle IDOR when accessing list of course badges"
}

GHSA-R59X-8XCR-CC6W

Vulnerability from github – Published: 2023-11-14 06:30 – Updated: 2023-11-17 21:30
VLAI
Details

Insecure Direct Object References (IDOR) in EMSigner v2.8.7 allow attackers to gain unauthorized access to application content and view sensitive data of other users via manipulation of the documentID and EncryptedDocumentId parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T05:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object References (IDOR) in EMSigner v2.8.7 allow attackers to gain unauthorized access to application content and view sensitive data of other users via manipulation of the documentID and EncryptedDocumentId parameters.",
  "id": "GHSA-r59x-8xcr-cc6w",
  "modified": "2023-11-17T21:30:26Z",
  "published": "2023-11-14T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43900"
    },
    {
      "type": "WEB",
      "url": "https://secpro.llc/emsigner-cve-3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R5C3-XJH9-7VCW

Vulnerability from github – Published: 2025-12-23 21:30 – Updated: 2025-12-23 21:30
VLAI
Details

Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-23T20:15:44Z",
    "severity": "HIGH"
  },
  "details": "Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim\u0027s unique ID from the page source and replace their own session cookie to gain unauthorized access to another user\u0027s account.",
  "id": "GHSA-r5c3-xjh9-7vcw",
  "modified": "2025-12-23T21:30:28Z",
  "published": "2025-12-23T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47721"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50551"
    },
    {
      "type": "WEB",
      "url": "https://www.orangescrum.org"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/orangescrum-authenticated-privilege-escalation-via-user-session-manipulation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R5JF-6F2J-GQC9

Vulnerability from github – Published: 2025-07-21 15:30 – Updated: 2026-06-05 18:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in PAVO Inc. PAVO Pay allows Exploitation of Trusted Identifiers.This issue affects PAVO Pay: before 13.05.2025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-21T14:15:29Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in PAVO Inc. PAVO Pay allows Exploitation of Trusted Identifiers.This issue affects PAVO Pay: before 13.05.2025.",
  "id": "GHSA-r5jf-6f2j-gqc9",
  "modified": "2026-06-05T18:31:30Z",
  "published": "2025-07-21T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4129"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0166"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0166"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.