CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3234 vulnerabilities reference this CWE, most recent first.
GHSA-VXVC-CG7J-RWQJ
Vulnerability from github – Published: 2026-05-07 03:34 – Updated: 2026-05-14 20:54Summary
An attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys.
Impact
gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf's TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy’s root metadata is signed by the required threshold of the current policy's root keys.
Because of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy's set of root keys), thereby rolling back gittuf's policy to the attacker's chosen state.
Note that the attacker cannot roll back the policy to one that would no longer be trusted by the most recent policy's root keys. As an example, say that Policy A's root keys were for Alice and Bob with a threshold of two, and then Policy B replaced Bob with Carol, with a threshold of two required. An attacker would not be able to roll back the policy to policy A, because it was signed by Alice and Bob, not Alice and Carol.
If you host your repository on a forge such as GitHub, GitLab, Bitbucket, etc., and only certain people are allowed to push to the RSL (e.g. only maintainers of your project have push access to the repository, and all other contributions must be done via pull request), then only those users with push access can perform the attack, or the forge itself.
Fix
gittuf version v0.14.0 introduces a monotonically increasing number to all policy metadata (not to be confused with the metadata version, which dictates the features supported by the metadata). This number is incremented whenever a gittuf client of version v0.14.0 or greater updates the metadata or invokes a patch command to add this field.
During policy verification, gittuf compares the monotonically increasing number of the new policy it encounters in the RSL to the current policy. If any file in the policy (e.g. root of trust, primary policy file, or delegated policy file) has this number, gittuf will check that it increases by one any time the respective file is changed.
Resolution
Upgrade gittuf and Apply Metadata Patch
gittuf strongly recommends users upgrade to the latest version to remediate this vulnerability. Specifically, gittuf version v0.14.0 (and above) are patched with respect to this vulnerability. All users who use gittuf to verify the repository or update its policy metadata must upgrade to prevent this attack.
After a consuming application applies the upgrade, a root of trust user or policy administrator must run:
gittuf trust increment-version
or:
gittuf policy increment-version
to add the monotonically increasing number field to the metadata (see Fix above).
Check for Rollback Attack Attempts
Because this attack requires the attacker to add an entry to the RSL, and because gittuf stores the RSL inside the repository, this attack cannot be performed without leaving evidence behind (in this case, the malicious RSL entry). To check for whether this attack was performed on your repository, run:
gittuf rsl log --ref refs/gittuf/policy
All RSL entries that record new policy states for gittuf should be displayed. There should be one RSL entry every time a legitimate, new policy was applied. Should users find an RSL entry which points to an older policy state, their repository has been compromised.
Credits
gittuf thanks Andrew Nesbitt (@andrew) for finding and responsibly disclosing this vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.13.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gittuf/gittuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44544"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T03:34:13Z",
"nvd_published_at": "2026-05-14T18:16:50Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nAn attacker with push access to gittuf\u0027s Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys.\n\n## Impact\n\ngittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf\u0027s TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy\u2019s root metadata is signed by the required threshold of the current policy\u0027s root keys.\n\nBecause of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy\u0027s set of root keys), thereby rolling back gittuf\u0027s policy to the attacker\u0027s chosen state.\n\nNote that the attacker cannot roll back the policy to one that would no longer be trusted by the most recent policy\u0027s root keys. As an example, say that Policy A\u0027s root keys were for Alice and Bob with a threshold of two, and then Policy B replaced Bob with Carol, with a threshold of two required. An attacker would not be able to roll back the policy to policy A, because it was signed by Alice and Bob, not Alice and Carol.\n\nIf you host your repository on a forge such as GitHub, GitLab, Bitbucket, etc., and only certain people are allowed to push to the RSL (e.g. only maintainers of your project have push access to the repository, and all other contributions must be done via pull request), then only those users with push access can perform the attack, or the forge itself.\n\n## Fix\n\ngittuf version v0.14.0 introduces a monotonically increasing number to all policy metadata (not to be confused with the metadata version, which dictates the features supported by the metadata). This number is incremented whenever a gittuf client of version v0.14.0 or greater updates the metadata or invokes a patch command to add this field.\n\nDuring policy verification, gittuf compares the monotonically increasing number of the new policy it encounters in the RSL to the current policy. If any file in the policy (e.g. root of trust, primary policy file, or delegated policy file) has this number, gittuf will check that it increases by one any time the respective file is changed.\n\n## Resolution\n\n### Upgrade gittuf and Apply Metadata Patch\n\ngittuf strongly recommends users upgrade to the latest version to remediate this vulnerability. Specifically, gittuf version v0.14.0 (and above) are patched with respect to this vulnerability. All users who use gittuf to verify the repository or update its policy metadata must upgrade to prevent this attack.\n\nAfter a consuming application applies the upgrade, a root of trust user or policy administrator must run:\n\n```\ngittuf trust increment-version\n```\n\nor:\n```\ngittuf policy increment-version\n```\n\nto add the monotonically increasing number field to the metadata (see [Fix](#fix) above).\n\n### Check for Rollback Attack Attempts\n\nBecause this attack requires the attacker to add an entry to the RSL, and because gittuf stores the RSL inside the repository, this attack cannot be performed without leaving evidence behind (in this case, the malicious RSL entry). To check for whether this attack was performed on your repository, run:\n\n```\ngittuf rsl log --ref refs/gittuf/policy\n```\n\nAll RSL entries that record new policy states for gittuf should be displayed. There should be one RSL entry every time a legitimate, new policy was applied. Should users find an RSL entry which points to an older policy state, their repository has been compromised.\n\n## Credits\n\ngittuf thanks Andrew Nesbitt (@andrew) for finding and responsibly disclosing this vulnerability.",
"id": "GHSA-vxvc-cg7j-rwqj",
"modified": "2026-05-14T20:54:36Z",
"published": "2026-05-07T03:34:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gittuf/gittuf/security/advisories/GHSA-vxvc-cg7j-rwqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44544"
},
{
"type": "WEB",
"url": "https://github.com/gittuf/gittuf/commit/dd76efa505f9137a4a9a625c5ac67b333365a1b8"
},
{
"type": "PACKAGE",
"url": "https://github.com/gittuf/gittuf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "gittuf\u0027s policy can be rolled back to prior valid versions"
}
GHSA-W2FH-2F5M-C69G
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.
{
"affected": [],
"aliases": [
"CVE-2017-15206"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-11T01:32:00Z",
"severity": "MODERATE"
},
"details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.",
"id": "GHSA-w2fh-2f5m-c69g",
"modified": "2022-05-13T01:43:41Z",
"published": "2022-05-13T01:43:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15206"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524"
},
{
"type": "WEB",
"url": "https://kanboard.net/news/version-1.0.47"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/10/04/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W2GG-FJFH-G555
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference (IDOR) via the Poll ID, leading to the ability of a single user to select multiple Poll Options (e.g., vote for multiple items).
{
"affected": [],
"aliases": [
"CVE-2018-15833"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-26T17:29:00Z",
"severity": "MODERATE"
},
"details": "In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference (IDOR) via the Poll ID, leading to the ability of a single user to select multiple Poll Options (e.g., vote for multiple items).",
"id": "GHSA-w2gg-fjfh-g555",
"modified": "2022-05-13T01:19:12Z",
"published": "2022-05-13T01:19:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15833"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/326434"
},
{
"type": "WEB",
"url": "https://open.vanillaforums.com/discussion/36559"
},
{
"type": "WEB",
"url": "https://twitter.com/viperbluff/status/1033067882941304832"
},
{
"type": "WEB",
"url": "https://twitter.com/viperbluff/status/1033640333890834433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W2H2-67GF-FG28
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-01-24 21:30In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-13360.
{
"affected": [],
"aliases": [
"CVE-2019-13605"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-16T17:15:00Z",
"severity": "HIGH"
},
"details": "In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-13360.",
"id": "GHSA-w2h2-67gf-fg28",
"modified": "2023-01-24T21:30:33Z",
"published": "2022-05-24T16:50:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13605"
},
{
"type": "WEB",
"url": "https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13605.md"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47123"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153665/CentOS-Control-Web-Panel-0.9.8.836-Authentication-Bypass.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2M3-H5QG-M4MX
Vulnerability from github – Published: 2025-10-02 15:31 – Updated: 2026-06-06 09:31Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass.This issue affects Assist: through 10.02.2025.
{
"affected": [],
"aliases": [
"CVE-2025-0642"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-02T13:15:30Z",
"severity": "MODERATE"
},
"details": "Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass.This issue affects Assist: through 10.02.2025.",
"id": "GHSA-w2m3-h5qg-m4mx",
"modified": "2026-06-06T09:31:14Z",
"published": "2025-10-02T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0642"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0309"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0309"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W2RM-X498-V7F9
Vulnerability from github – Published: 2024-05-23 12:31 – Updated: 2024-05-23 12:31An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.
{
"affected": [],
"aliases": [
"CVE-2024-5258"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-23T11:15:24Z",
"severity": "MODERATE"
},
"details": "An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.",
"id": "GHSA-w2rm-x498-v7f9",
"modified": "2024-05-23T12:31:02Z",
"published": "2024-05-23T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5258"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W35P-GJC5-2G6R
Vulnerability from github – Published: 2026-02-18 18:30 – Updated: 2026-02-18 18:30The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user.
{
"affected": [],
"aliases": [
"CVE-2026-2230"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-18T17:21:36Z",
"severity": "MODERATE"
},
"details": "The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users\u0027 plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user.",
"id": "GHSA-w35p-gjc5-2g6r",
"modified": "2026-02-18T18:30:40Z",
"published": "2026-02-18T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2230"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/save-user-meta/save-user-meta.php#L90"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3456856"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60f7df44-22f9-4a9e-a20c-4b8628674079?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W365-QPC6-8W95
Vulnerability from github – Published: 2023-07-11 00:33 – Updated: 2024-04-04 05:54A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required.
{
"affected": [],
"aliases": [
"CVE-2023-30960"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T22:15:09Z",
"severity": "MODERATE"
},
"details": "A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required.\n\n\n\n",
"id": "GHSA-w365-qpc6-8w95",
"modified": "2024-04-04T05:54:17Z",
"published": "2023-07-11T00:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30960"
},
{
"type": "WEB",
"url": "https://palantir.safebase.us/?tcuUid=115d9bf4-201f-4cfe-b2fc-219e3a2d945b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3J8-9P3J-3WJX
Vulnerability from github – Published: 2025-12-17 18:31 – Updated: 2025-12-18 15:39An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.
The project was archived as of December 1, 2023.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pagekit/pagekit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67165"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-18T15:39:04Z",
"nvd_published_at": "2025-12-17T17:15:51Z",
"severity": "CRITICAL"
},
"details": "An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.\n\nThe project was archived as of December 1, 2023.",
"id": "GHSA-w3j8-9p3j-3wjx",
"modified": "2025-12-18T15:39:04Z",
"published": "2025-12-17T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67165"
},
{
"type": "WEB",
"url": "https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67165"
},
{
"type": "WEB",
"url": "https://github.com/pagekit/docs/blob/develop/user-interface/users.md#permissions"
},
{
"type": "WEB",
"url": "https://github.com/pagekit/docs/blob/develop/user-interface/users.md#roles"
},
{
"type": "PACKAGE",
"url": "https://github.com/pagekit/pagekit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pagekit CMS has an Insecure Direct Object Reference (IDOR) in its User Role component"
}
GHSA-W494-P3QW-3WW3
Vulnerability from github – Published: 2025-02-14 09:31 – Updated: 2025-02-15 18:30StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.
{
"affected": [],
"aliases": [
"CVE-2025-26788"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-14T08:15:31Z",
"severity": "HIGH"
},
"details": "StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.",
"id": "GHSA-w494-p3qw-3ww3",
"modified": "2025-02-15T18:30:25Z",
"published": "2025-02-14T09:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26788"
},
{
"type": "WEB",
"url": "https://docs.strongkey.com/index.php/skfs-v3/skfs-release-notes"
},
{
"type": "WEB",
"url": "https://www.securing.pl/en/cve-2025-26788-passkey-authentication-bypass-in-strongkey-fido-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.