CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3235 vulnerabilities reference this CWE, most recent first.
GHSA-VFF3-PQQ8-4CPQ
Vulnerability from github – Published: 2026-03-10 18:24 – Updated: 2026-03-11 20:57An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.
Vulnerability Details
Root Cause
The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it.
// CartController.php:374-389 - actionLoadCart()
public function actionLoadCart(): ?Response
{
$number = $this->request->getParam('number');
if ($number === null) {
return $this->asFailure(Craft::t('commerce', 'A cart number must be specified.'));
}
// No ownership check - returns any cart to any requester
$cart = Order::find()->number($number)->isCompleted(false)->one();
// Cart is loaded into attacker's session without authorization
...
}
// CartController.php:606-616 - _getCart()
$orderNumber = $this->request->getBodyParam('number');
if ($orderNumber) {
// Same issue - no ownership validation
$cart = Order::find()->number($orderNumber)->isCompleted(false)->one();
// Returns cart to any requester who knows the number
}
Attack Scenario
Prerequisites
- Target Craft Commerce installation with active shopping carts
- Knowledge of a victim’s cart number (32-character hex string)
Cart Number Acquisition Vectors
- Referrer Header Leakage: Cart URLs shared externally expose the number
- Browser History: Accessible on shared/compromised devices
- Proxy/WAF Logs: Cart numbers logged in URL parameters
- Social Engineering: Support tickets, screenshots containing cart URLs
- Brute Force: While impractical for random targeting, feasible for targeted attacks against recently-created carts
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31867"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T18:24:49Z",
"nvd_published_at": "2026-03-11T18:16:25Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce\u2019s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.\n\n## Vulnerability Details\n\n### Root Cause\n\nThe `CartController` accepts a user-supplied `number` parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it.\n\n```php\n// CartController.php:374-389 - actionLoadCart()\npublic function actionLoadCart(): ?Response\n{\n $number = $this-\u003erequest-\u003egetParam(\u0027number\u0027);\n\n if ($number === null) {\n return $this-\u003easFailure(Craft::t(\u0027commerce\u0027, \u0027A cart number must be specified.\u0027));\n }\n\n // No ownership check - returns any cart to any requester\n $cart = Order::find()-\u003enumber($number)-\u003eisCompleted(false)-\u003eone();\n\n // Cart is loaded into attacker\u0027s session without authorization\n ...\n}\n```\n\n```php\n// CartController.php:606-616 - _getCart()\n$orderNumber = $this-\u003erequest-\u003egetBodyParam(\u0027number\u0027);\nif ($orderNumber) {\n // Same issue - no ownership validation\n $cart = Order::find()-\u003enumber($orderNumber)-\u003eisCompleted(false)-\u003eone();\n // Returns cart to any requester who knows the number\n}\n```\n---\n\n## Attack Scenario\n\n### Prerequisites\n- Target Craft Commerce installation with active shopping carts\n- Knowledge of a victim\u2019s cart number (32-character hex string)\n\n### Cart Number Acquisition Vectors\n\n1. **Referrer Header Leakage**: Cart URLs shared externally expose the number\n2. **Browser History**: Accessible on shared/compromised devices\n3. **Proxy/WAF Logs**: Cart numbers logged in URL parameters\n4. **Social Engineering**: Support tickets, screenshots containing cart URLs\n5. **Brute Force**: While impractical for random targeting, feasible for targeted attacks against recently-created carts\n\n---",
"id": "GHSA-vff3-pqq8-4cpq",
"modified": "2026-03-11T20:57:29Z",
"published": "2026-03-10T18:24:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31867"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/pull/4207"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/commerce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft Commerce: Potential IDOR in Commerce carts"
}
GHSA-VFH4-9WWJ-77FX
Vulnerability from github – Published: 2025-09-10 09:30 – Updated: 2025-09-10 09:30The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.
{
"affected": [],
"aliases": [
"CVE-2025-7049"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T07:15:45Z",
"severity": "HIGH"
},
"details": "The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the \u0027MJ_gmgt_gmgt_add_user\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.",
"id": "GHSA-vfh4-9wwj-77fx",
"modified": "2025-09-10T09:30:58Z",
"published": "2025-09-10T09:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7049"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17951f68-8481-477b-a940-cce637f6ec54?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG32-RQH8-J8PM
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.
{
"affected": [],
"aliases": [
"CVE-2026-56772"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T19:16:44Z",
"severity": "MODERATE"
},
"details": "NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user\u0027s follows, replies, and social activity without authorization.",
"id": "GHSA-vg32-rqh8-j8pm",
"modified": "2026-06-25T21:31:30Z",
"published": "2026-06-25T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56772"
},
{
"type": "WEB",
"url": "https://github.com/samuelclay/NewsBlur/commit/613c60b67cc46b3f4cae1dc2dfd8d717a39bc483"
},
{
"type": "WEB",
"url": "https://github.com/samuelclay/NewsBlur/releases/tag/Android_14.5.0"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/newsblur-insecure-direct-object-reference-in-social-interactions-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VGF3-FPXC-H968
Vulnerability from github – Published: 2026-06-11 15:31 – Updated: 2026-06-11 15:31openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.
{
"affected": [],
"aliases": [
"CVE-2026-8406"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T14:16:32Z",
"severity": "HIGH"
},
"details": "openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.",
"id": "GHSA-vgf3-fpxc-h968",
"modified": "2026-06-11T15:31:34Z",
"published": "2026-06-11T15:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8406"
},
{
"type": "WEB",
"url": "https://github.com/OS4ED/openSIS-Classic/commit/c45d43146167324bae06bdf09de3e4bd2e5e478f"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/es/advisories/melanie"
},
{
"type": "WEB",
"url": "https://github.com/OS4ED/openSIS-Classic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VH24-W6W7-Q6MW
Vulnerability from github – Published: 2026-07-07 09:37 – Updated: 2026-07-07 09:37Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.
This issue affects Ontime: through 04052026.
{
"affected": [],
"aliases": [
"CVE-2026-5799"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T08:16:25Z",
"severity": "HIGH"
},
"details": "Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.\n\nThis issue affects Ontime: through 04052026.",
"id": "GHSA-vh24-w6w7-q6mw",
"modified": "2026-07-07T09:37:54Z",
"published": "2026-07-07T09:37:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5799"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0503"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VH45-GFXF-VR42
Vulnerability from github – Published: 2026-02-24 09:31 – Updated: 2026-02-24 09:31An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
{
"affected": [],
"aliases": [
"CVE-2025-40541"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-24T08:16:28Z",
"severity": "CRITICAL"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.\n\nThis issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.",
"id": "GHSA-vh45-gfxf-vr42",
"modified": "2026-02-24T09:31:21Z",
"published": "2026-02-24T09:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40541"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40541"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VHFH-VMQ7-84JF
Vulnerability from github – Published: 2024-11-22 09:33 – Updated: 2026-04-08 21:32The Easy Twitter Feed – Twitter feeds plugin for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.6 via the [etf] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-10666"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T06:15:18Z",
"severity": "MODERATE"
},
"details": "The Easy Twitter Feed \u2013 Twitter feeds plugin for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.6 via the [etf] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.",
"id": "GHSA-vhfh-vmq7-84jf",
"modified": "2026-04-08T21:32:56Z",
"published": "2024-11-22T09:33:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10666"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3206719%40easy-twitter-feeds\u0026new=3206719%40easy-twitter-feeds\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/easy-twitter-feeds"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9cd3168-3261-4e36-8fbe-2058cd821937?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ33-3XG6-G6WW
Vulnerability from github – Published: 2026-07-02 12:31 – Updated: 2026-07-02 12:31Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.
{
"affected": [],
"aliases": [
"CVE-2026-57680"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T12:17:38Z",
"severity": "MODERATE"
},
"details": "Unauthenticated Insecure Direct Object References (IDOR) in Kirki \u003c= 6.0.11 versions.",
"id": "GHSA-vj33-3xg6-g6ww",
"modified": "2026-07-02T12:31:01Z",
"published": "2026-07-02T12:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57680"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-11-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VJ6P-V8M8-9CJQ
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2023-09-27 15:30Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
{
"affected": [],
"aliases": [
"CVE-2023-44206"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:39Z",
"severity": "HIGH"
},
"details": "Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.",
"id": "GHSA-vj6p-v8m8-9cjq",
"modified": "2023-09-27T15:30:39Z",
"published": "2023-09-27T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44206"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-5839"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJF2-9278-JMJ7
Vulnerability from github – Published: 2025-11-12 09:30 – Updated: 2025-11-12 09:30The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.
{
"affected": [],
"aliases": [
"CVE-2025-12903"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T09:15:40Z",
"severity": "HIGH"
},
"details": "The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.",
"id": "GHSA-vjf2-9278-jmj7",
"modified": "2025-11-12T09:30:27Z",
"published": "2025-11-12T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12903"
},
{
"type": "WEB",
"url": "https://developer.wordpress.org/rest-api/using-the-rest-api/authentication"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L23"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L35"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L41"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3392259%40woo-payment-gateway\u0026new=3392259%40woo-payment-gateway\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89cd5429-39a0-441f-ba69-dea111eae5ed?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.