CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3226 vulnerabilities reference this CWE, most recent first.
GHSA-X2M4-5RQP-RHVQ
Vulnerability from github – Published: 2024-04-08 21:31 – Updated: 2025-03-13 18:31Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function.
{
"affected": [],
"aliases": [
"CVE-2024-27630"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T21:15:09Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function.",
"id": "GHSA-x2m4-5rqp-rhvq",
"modified": "2025-03-13T18:31:56Z",
"published": "2024-04-08T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27630"
},
{
"type": "WEB",
"url": "https://github.com/ally-petitt/CVE-2024-27630"
},
{
"type": "WEB",
"url": "https://medium.com/%40allypetitt/how-i-found-3-cves-in-2-days-8a135eb924d3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2QM-672H-5482
Vulnerability from github – Published: 2024-08-03 15:30 – Updated: 2024-08-03 15:30A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-273522 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-7437"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-03T15:15:58Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-273522 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-x2qm-672h-5482",
"modified": "2024-08-03T15:30:34Z",
"published": "2024-08-03T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7437"
},
{
"type": "WEB",
"url": "https://github.com/Fewword/Poc/blob/main/smf/smf-poc1.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.273522"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.273522"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.380189"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X2W5-644H-C9P2
Vulnerability from github – Published: 2025-10-27 15:30 – Updated: 2025-10-27 15:30A security flaw has been discovered in code-projects Client Details System 1.0. The impacted element is an unknown function. The manipulation results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
{
"affected": [],
"aliases": [
"CVE-2025-12283"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-27T14:15:39Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in code-projects Client Details System 1.0. The impacted element is an unknown function. The manipulation results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be exploited.",
"id": "GHSA-x2w5-644h-c9p2",
"modified": "2025-10-27T15:30:42Z",
"published": "2025-10-27T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12283"
},
{
"type": "WEB",
"url": "https://github.com/hellonewbie/tutorial/issues/11"
},
{
"type": "WEB",
"url": "https://code-projects.org"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.329953"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.329953"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.674213"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X2W7-XR2G-QHJR
Vulnerability from github – Published: 2026-06-08 21:31 – Updated: 2026-06-08 21:31WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.
{
"affected": [],
"aliases": [
"CVE-2026-49141"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T20:17:01Z",
"severity": "MODERATE"
},
"details": "WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.",
"id": "GHSA-x2w7-xr2g-qhjr",
"modified": "2026-06-08T21:31:50Z",
"published": "2026-06-08T21:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49141"
},
{
"type": "WEB",
"url": "https://github.com/ArnasDon/wacrm/pull/194"
},
{
"type": "WEB",
"url": "https://github.com/ArnasDon/wacrm/commit/73041bfa6420f5e1ecbfa1dd4fa847d8529320f5"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wacrm-authorization-bypass-via-automation-engine-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X2XX-4QHP-2VQX
Vulnerability from github – Published: 2025-08-01 06:31 – Updated: 2025-10-23 15:30The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.
{
"affected": [],
"aliases": [
"CVE-2025-5947"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-01T04:16:21Z",
"severity": "CRITICAL"
},
"details": "The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user\u0027s cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.",
"id": "GHSA-x2xx-4qhp-2vqx",
"modified": "2025-10-23T15:30:24Z",
"published": "2025-08-01T06:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5947"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-5947-detect-wordpress-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-5947-mitigate-wordpress-vulnerability"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1fe4f60-d93b-4071-90ae-ac863c17fe19?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X35M-4MV2-6M4P
Vulnerability from github – Published: 2026-02-11 12:30 – Updated: 2026-02-11 12:30The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2025-15096"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T10:15:49Z",
"severity": "HIGH"
},
"details": "The \u0027Videospirecore Theme Plugin\u0027 plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account.",
"id": "GHSA-x35m-4mv2-6m4p",
"modified": "2026-02-11T12:30:21Z",
"published": "2026-02-11T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15096"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/videospire-video-streaming-ott-platform-wordpress-theme/39243225?s_rank=1"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf152269-73e1-473f-8d97-ce94e9b885d0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X36W-M8P6-4MC4
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14A vulnerability has been identified in Industrial Edge Management (All versions < V1.3). An unauthenticated attacker could change the the password of any user in the system under certain circumstances. With this an attacker could impersonate any valid user on an affected system.
{
"affected": [],
"aliases": [
"CVE-2021-37184"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T11:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in Industrial Edge Management (All versions \u003c V1.3). An unauthenticated attacker could change the the password of any user in the system under certain circumstances. With this an attacker could impersonate any valid user on an affected system.",
"id": "GHSA-x36w-m8p6-4mc4",
"modified": "2022-05-24T19:14:31Z",
"published": "2022-05-24T19:14:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37184"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-692317.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X398-2RGF-67P8
Vulnerability from github – Published: 2026-02-11 12:30 – Updated: 2026-02-11 12:30GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
{
"affected": [],
"aliases": [
"CVE-2026-1080"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T12:16:04Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.",
"id": "GHSA-x398-2rgf-67p8",
"modified": "2026-02-11T12:30:22Z",
"published": "2026-02-11T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1080"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3484568"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/586477"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X39X-RWWC-FP3F
Vulnerability from github – Published: 2024-11-09 06:30 – Updated: 2024-11-09 06:30The SKT Addons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.3 via the Unfold widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-10693"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-09T04:15:04Z",
"severity": "MODERATE"
},
"details": "The SKT Addons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.3 via the Unfold widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
"id": "GHSA-x39x-rwwc-fp3f",
"modified": "2024-11-09T06:30:25Z",
"published": "2024-11-09T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10693"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3183804%40skt-addons-for-elementor\u0026new=3183804%40skt-addons-for-elementor\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8accf552-f235-46dd-857b-330eef7765a0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X3QM-P8HR-3C3H
Vulnerability from github – Published: 2026-05-14 20:27 – Updated: 2026-05-19 16:00Summary
The API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data.
Details
- if notes is enabled from UI (Settings >> General >> Features >> Notes (Beta))
- From API, attacker can access other user notes
- if notes is disabled from UI (Settings >> General >> Features >> Notes (Beta))
- Then attacker can enable the notes from /api/config and access other user notes
PoC
-
Step 1: Log in to the application as a valid user (User A).
-
Step 2: Intercept or inspect the response from the endpoint GET /api/config.
-
Step 3: Observe the field "enable_notes": false in the JSON response.
-
Step 4: Manually change "enable_notes" to true using browser DevTools or by intercepting and modifying the response via a proxy like Burp Suite. (Please note, the occurrence of this API comes twice, hence modification needs to be made twice as well.)
-
Step 5: Observe the loaded frontend application; the previously hidden notes form will now be visible.
- Step 6: Again, click on any note, intercept the request, and Replace the note_id in the URL with a different note ID known to belong to another user (e.g., by guessing or bruteforcing).
- Step 7: Send the modified request while remaining logged in as User A.
- Step 8: Observe that the server returns the content of another user's note, confirming unauthorized access.
Impact
- Unauthorized access to user-created notes
- Possible exposure of confidential or sensitive uploaded data
- Violation of user privacy and data isolation
- High risk of legal or compliance breaches in regulated environments
Resolution
Fixed in commit de3317e26, first released in v0.8.11 (Mar 2026). All per-id note endpoints (GET /api/v1/notes/{id}, POST /api/v1/notes/{id}/update, POST /api/v1/notes/{id}/access/update, deletion) now enforce ownership: the handler fetches the note, then requires the caller to be admin, the note owner, or have an AccessGrants grant for the appropriate permission (read for retrieval, write for mutation). A non-owner with no grant receives 403.
Users on >= 0.8.11 are not affected.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.10"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45666"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:27:56Z",
"nvd_published_at": "2026-05-15T22:16:56Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data.\n\n### Details\n- if notes is enabled from UI (Settings \u003e\u003e General \u003e\u003e Features \u003e\u003e Notes (Beta))\n - From API, attacker can access other user notes\n- if notes is disabled from UI (Settings \u003e\u003e General \u003e\u003e Features \u003e\u003e Notes (Beta))\n - Then attacker can enable the notes from /api/config and access other user notes \n\n### PoC\n- Step 1: Log in to the application as a valid user (User A).\n\n\n- Step 2: Intercept or inspect the response from the endpoint GET /api/config.\n\n\n- Step 3: Observe the field \"enable_notes\": false in the JSON response.\n- Step 4: Manually change \"enable_notes\" to true using browser DevTools or by intercepting and modifying the response via a proxy like Burp Suite. (Please note, the occurrence of this API comes twice, hence modification needs to be made twice as well.)\n\n\n- Step 5: Observe the loaded frontend application; the previously hidden notes form will now be visible.\n\n\n\n\n- Step 6: Again, click on any note, intercept the request, and Replace the note_id in the URL with a different note ID known to belong to another user (e.g., by guessing or bruteforcing).\n- Step 7: Send the modified request while remaining logged in as User A.\n- Step 8: Observe that the server returns the content of another user\u0027s note, confirming unauthorized access.\n\n\n\n\n### Impact\n1. Unauthorized access to user-created notes\n2. Possible exposure of confidential or sensitive uploaded data\n3. Violation of user privacy and data isolation\n4. High risk of legal or compliance breaches in regulated environments\n\n## Resolution\n\nFixed in commit [de3317e26](https://github.com/open-webui/open-webui/commit/de3317e26bb67a2a7ea015a183bbd1d369880ebd), first released in **v0.8.11** (Mar 2026). All per-id note endpoints (`GET /api/v1/notes/{id}`, `POST /api/v1/notes/{id}/update`, `POST /api/v1/notes/{id}/access/update`, deletion) now enforce ownership: the handler fetches the note, then requires the caller to be admin, the note owner, or have an `AccessGrants` grant for the appropriate permission (`read` for retrieval, `write` for mutation). A non-owner with no grant receives 403.\n\nUsers on `\u003e= 0.8.11` are not affected.",
"id": "GHSA-x3qm-p8hr-3c3h",
"modified": "2026-05-19T16:00:32Z",
"published": "2026-05-14T20:27:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-x3qm-p8hr-3c3h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45666"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/commit/de3317e26bb67a2a7ea015a183bbd1d369880ebd"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.8.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI has an Indirect Object Reference (IDOR) in user notes"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.