CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3251 vulnerabilities reference this CWE, most recent first.
GHSA-R827-5P5R-W6F5
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2026-05-20 09:30Algan Yazılım Prens Student Information System product has an authenticated Insecure Direct Object Reference (IDOR) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-2808"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-02T12:15:00Z",
"severity": "HIGH"
},
"details": "Algan Yaz\u00c4\u00b1l\u00c4\u00b1m Prens Student Information System product has an authenticated Insecure Direct Object Reference (IDOR) vulnerability.",
"id": "GHSA-r827-5p5r-w6f5",
"modified": "2026-05-20T09:30:32Z",
"published": "2023-07-06T19:24:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2808"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-22-0708"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-22-0708"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R82J-G6Q9-MVX8
Vulnerability from github – Published: 2026-06-11 12:32 – Updated: 2026-06-11 12:32GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improper authorization in the Group SAML identity management functionality.
{
"affected": [],
"aliases": [
"CVE-2026-6552"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T12:16:32Z",
"severity": "HIGH"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member\u0027s GitLab account due to improper authorization in the Group SAML identity management functionality.",
"id": "GHSA-r82j-g6q9-mvx8",
"modified": "2026-06-11T12:32:45Z",
"published": "2026-06-11T12:32:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6552"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3655189"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/597295"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8JR-WG88-FQ5C
Vulnerability from github – Published: 2026-03-12 12:30 – Updated: 2026-04-02 15:31A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@keycloak/keycloak-admin-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-js-admin-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2366"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T17:38:28Z",
"nvd_published_at": "2026-03-12T11:15:55Z",
"severity": "LOW"
},
"details": "A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim\u0027s unique identifier (UUID) and the Organizations feature is enabled.",
"id": "GHSA-r8jr-wg88-fq5c",
"modified": "2026-04-02T15:31:35Z",
"published": "2026-03-12T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2366"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/47062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-2366"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439081"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak vulnerable to authorization bypass via the Admin API"
}
GHSA-R8QG-P9R3-CC3J
Vulnerability from github – Published: 2025-01-07 15:31 – Updated: 2025-01-07 15:31The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit resumes for other applicants when applying for jobs.
{
"affected": [],
"aliases": [
"CVE-2024-12131"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T13:15:06Z",
"severity": "MODERATE"
},
"details": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit resumes for other applicants when applying for jobs.",
"id": "GHSA-r8qg-p9r3-cc3j",
"modified": "2025-01-07T15:31:47Z",
"published": "2025-01-07T15:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12131"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.2.6/modules/jobapply/model.php?rev=3216415"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4772ab0-41cd-4b35-bda9-d72e0fd7b7a5?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8VM-WP6W-FXFH
Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2025-12-19 21:30AVideo versions prior to 20.0 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.
{
"affected": [],
"aliases": [
"CVE-2025-34438"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T20:15:54Z",
"severity": "MODERATE"
},
"details": "AVideo versions prior to 20.0 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.",
"id": "GHSA-r8vm-wp6w-fxfh",
"modified": "2025-12-19T21:30:17Z",
"published": "2025-12-17T21:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34438"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/c2feaf25cb"
},
{
"type": "WEB",
"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/avideo-idor-arbirary-video-rotation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R9GC-9VW9-725F
Vulnerability from github – Published: 2026-03-30 03:30 – Updated: 2026-03-30 03:30The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.
{
"affected": [],
"aliases": [
"CVE-2026-3124"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T02:16:15Z",
"severity": "HIGH"
},
"details": "The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.",
"id": "GHSA-r9gc-9vw9-725f",
"modified": "2026-03-30T03:30:19Z",
"published": "2026-03-30T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3124"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3470119/download-monitor"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9M9-87P7-XJ9F
Vulnerability from github – Published: 2026-06-25 06:30 – Updated: 2026-06-25 06:30GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization.
{
"affected": [],
"aliases": [
"CVE-2026-5309"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T05:16:55Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to read or modify another group\u0027s virtual registry cleanup policy settings without authorization.",
"id": "GHSA-r9m9-87p7-xj9f",
"modified": "2026-06-25T06:30:42Z",
"published": "2026-06-25T06:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5309"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3628793"
},
{
"type": "WEB",
"url": "https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/595468"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9P3-W49V-JHXQ
Vulnerability from github – Published: 2022-12-26 15:30 – Updated: 2023-01-04 21:30The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id.
{
"affected": [],
"aliases": [
"CVE-2022-4239"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-26T13:15:00Z",
"severity": "MODERATE"
},
"details": "The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id.",
"id": "GHSA-r9p3-w49v-jhxq",
"modified": "2023-01-04T21:30:17Z",
"published": "2022-12-26T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4239"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/1c163987-fb53-43f7-bbff-1c2d8c0d694c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RC27-PGC8-PHJ2
Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Job Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Job Manager: from n/a through 2.0.2.
{
"affected": [],
"aliases": [
"CVE-2025-31867"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T15:16:28Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Job Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Job Manager: from n/a through 2.0.2.",
"id": "GHSA-rc27-pgc8-phj2",
"modified": "2026-04-01T18:34:23Z",
"published": "2025-04-01T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31867"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/js-jobs/vulnerability/wordpress-js-job-manager-plugin-2-0-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RC5F-3HFV-JXP2
Vulnerability from github – Published: 2025-07-22 12:30 – Updated: 2025-07-22 14:39The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/femanager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/femanager"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/femanager"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-7900"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-22T14:39:18Z",
"nvd_published_at": "2025-07-22T11:15:24Z",
"severity": "MODERATE"
},
"details": "The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0.",
"id": "GHSA-rc5f-3hfv-jxp2",
"modified": "2025-07-22T14:39:18Z",
"published": "2025-07-22T12:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7900"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/femanager/commit/9bd9fbded4cf31f69bfe03c55d406e79050f8069"
},
{
"type": "PACKAGE",
"url": "https://github.com/in2code-de/femanager"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Femanager extension for TYPO3 allows Insecure Direct Object Reference"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.