Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3229 vulnerabilities reference this CWE, most recent first.

GHSA-WR8M-5H2P-4432

Vulnerability from github – Published: 2025-09-11 18:35 – Updated: 2025-12-20 02:57
VLAI
Summary
Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name
Details

An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.portal.workflow.kaleo.runtime.integration.impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.1"
            },
            {
              "fixed": "5.0.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T13:42:17Z",
    "nvd_published_at": "2025-09-11T18:15:33Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.",
  "id": "GHSA-wr8m-5h2p-4432",
  "modified": "2025-12-20T02:57:55Z",
  "published": "2025-09-11T18:35:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/4e85bafae4c4e17d3f87054d1f1d49a908d79819"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/720f2d3fde180e5c2971a5d01246dfec36f68131"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/acf50c712f7f21c2f52db30883486cb885c8bdd0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/ad55ef75cb82c8b1ed01f311488475a646481731"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/b61004c960e10d576634096fccc9f71677df0fbd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/c30a8b729e133f7f40277ce7dc350b87d13d49c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43782"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name"
}

GHSA-WR9W-6WCP-7M3P

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31
VLAI
Details

An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoiceEntreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T17:15:19Z",
    "severity": "HIGH"
  },
  "details": "An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoiceEntreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests.",
  "id": "GHSA-wr9w-6wcp-7m3p",
  "modified": "2024-05-14T18:31:02Z",
  "published": "2024-05-14T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40720"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-282"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRF9-6JF3-2W3C

Vulnerability from github – Published: 2023-01-27 21:31 – Updated: 2026-04-08 21:31
VLAI
Details

The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu item. This makes it possible for authenticated attackers, with subscriber-level access or higher, to modify or delete arbitrary posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-27T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu item. This makes it possible for authenticated attackers, with subscriber-level access or higher, to modify or delete arbitrary posts.",
  "id": "GHSA-wrf9-6jf3-2w3c",
  "modified": "2026-04-08T21:31:47Z",
  "published": "2023-01-27T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0550"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/quick-restaurant-menu/tags/2.0.2/includes/admin/ajax-functions.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2851871/quick-restaurant-menu/trunk?contextall=1\u0026old=2788636\u0026old_path=%2Fquick-restaurant-menu%2Ftrunk"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-quick-restaurant-menu-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa4fba5-cd19-4b96-aa09-07ed6d52a107"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa4fba5-cd19-4b96-aa09-07ed6d52a107?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRJ5-H97X-2XCG

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-09 21:31
VLAI
Details

The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T20:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.",
  "id": "GHSA-wrj5-h97x-2xcg",
  "modified": "2025-01-09T21:31:31Z",
  "published": "2025-01-09T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10215"
    },
    {
      "type": "WEB",
      "url": "https://documentation.iqonic.design/wpbookit/versions/change-log"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d23a2b9-8476-4564-a5de-5e6cfc38ce68?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRP2-HMJF-4443

Vulnerability from github – Published: 2024-08-06 15:30 – Updated: 2024-08-06 15:30
VLAI
Details

Insecure Direct Object Reference vulnerability identified in OpenText ArcSight Intelligence.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T13:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object Reference vulnerability identified in OpenText ArcSight Intelligence.",
  "id": "GHSA-wrp2-hmjf-4443",
  "modified": "2024-08-06T15:30:53Z",
  "published": "2024-08-06T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6357"
    },
    {
      "type": "WEB",
      "url": "https://portal.microfocus.com/s/article/KM000032593"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRQV-46C5-Q67W

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-20 21:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:37Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through \u003c= 1.3.",
  "id": "GHSA-wrqv-46c5-q67w",
  "modified": "2026-02-20T21:31:22Z",
  "published": "2026-02-20T18:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22383"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WV46-V6XC-2QHF

Vulnerability from github – Published: 2026-03-26 19:08 – Updated: 2026-04-10 19:46
VLAI
Summary
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
Details

Summary

Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user_id recorded by the webhook event.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 7ade3553b74ee3f461c4acd216653d5ba411f455

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • extensions/synology-chat/src/webhook-handler.ts now keeps replies bound to the stable webhook user identifier unless an explicit dangerous opt-in is enabled.
  • extensions/synology-chat/src/config-schema.ts contains the explicit dangerous opt-in seam instead of silent username rebinding.

OpenClaw thanks @nexrin for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-706",
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T19:08:16Z",
    "nvd_published_at": "2026-04-10T17:17:09Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nSynology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user_id recorded by the webhook event.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `7ade3553b74ee3f461c4acd216653d5ba411f455`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/synology-chat/src/webhook-handler.ts now keeps replies bound to the stable webhook user identifier unless an explicit dangerous opt-in is enabled.\n- extensions/synology-chat/src/config-schema.ts contains the explicit dangerous opt-in seam instead of silent username rebinding.\n\nOpenClaw thanks @nexrin for reporting.",
  "id": "GHSA-wv46-v6xc-2qhf",
  "modified": "2026-04-10T19:46:22Z",
  "published": "2026-03-26T19:08:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wv46-v6xc-2qhf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/7ade3553b74ee3f461c4acd216653d5ba411f455"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-webhook-reply-rebinding-via-username-resolution-in-synology-chat"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution."
}

GHSA-WV8Q-WHPG-VF5V

Vulnerability from github – Published: 2023-09-04 12:30 – Updated: 2024-03-21 03:35
VLAI
Details

** UNSUPPPORTED WHEN ASSIGNED ** An IDOR vulnerability has been found in ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-04T12:15:10Z",
    "severity": "MODERATE"
  },
  "details": "** UNSUPPPORTED WHEN ASSIGNED ** An IDOR vulnerability has been found in ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server.",
  "id": "GHSA-wv8q-whpg-vf5v",
  "modified": "2024-03-21T03:35:41Z",
  "published": "2023-09-04T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4587"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-zkteco-zem800"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVGJ-QHVV-W9Q3

Vulnerability from github – Published: 2023-07-12 06:30 – Updated: 2024-04-04 06:01
VLAI
Details

The Getnet Argentina para Woocommerce plugin for WordPress is vulnerable to authorization bypass due to missing validation on the 'webhook' function in versions up to, and including, 0.0.4. This makes it possible for unauthenticated attackers to set their payment status to 'APPROVED' without payment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-12T05:15:10Z",
    "severity": "HIGH"
  },
  "details": "The Getnet Argentina para Woocommerce plugin for WordPress is vulnerable to authorization bypass due to missing validation on the \u0027webhook\u0027 function in versions up to, and including, 0.0.4. This makes it possible for unauthenticated attackers to set their payment status to \u0027APPROVED\u0027 without payment.",
  "id": "GHSA-wvgj-qhvv-w9q3",
  "modified": "2024-04-04T06:01:47Z",
  "published": "2023-07-12T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3525"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/245e9117-ca63-458e-a094-60a759f5ec19?source=cve"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=xTyWqh93AM0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVM9-MQ8W-WRM8

Vulnerability from github – Published: 2023-10-20 09:30 – Updated: 2024-04-04 08:50
VLAI
Details

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a comment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3869"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-20T08:15:12Z",
    "severity": "MODERATE"
  },
  "details": "The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a comment.",
  "id": "GHSA-wvm9-mq8w-wrm8",
  "modified": "2024-04-04T08:50:40Z",
  "published": "2023-10-20T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3869"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpdiscuz/trunk/utils/class.WpdiscuzHelperAjax.php#L681"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b30ac1b0-eae2-4194-bf8e-ae73b4236965?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.