Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

CVE-2026-6444 (GCVE-0-2026-6444)

Vulnerability from cvelistv5 – Published: 2026-06-09 18:40 – Updated: 2026-06-09 20:00
VLAI
Summary
A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
Impacted products
Vendor Product Version
Everpure FlashArray Affected: 6.10.0 , ≤ 6.10.5 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6444",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T20:00:47.463624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T20:00:56.387Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FlashArray",
          "vendor": "Everpure",
          "versions": [
            {
              "lessThanOrEqual": "6.10.5",
              "status": "affected",
              "version": "6.10.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.\u003c/p\u003e"
            }
          ],
          "value": "A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T18:40:26.171Z",
        "orgId": "3895c224-4e1d-482a-adb3-fa64795683ac",
        "shortName": "Everpure"
      },
      "references": [
        {
          "url": "https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3895c224-4e1d-482a-adb3-fa64795683ac",
    "assignerShortName": "Everpure",
    "cveId": "CVE-2026-6444",
    "datePublished": "2026-06-09T18:40:26.171Z",
    "dateReserved": "2026-04-16T18:24:16.662Z",
    "dateUpdated": "2026-06-09T20:00:56.387Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6375 (GCVE-0-2026-6375)

Vulnerability from cvelistv5 – Published: 2026-04-23 20:07 – Updated: 2026-04-24 18:19
VLAI
Title
Authorization bypass through User-Controlled key in SpiceJet Online Booking System
Summary
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
Impacted products
Date Public
2026-04-23 16:00
Credits
Owais Shaikh reported these vulnerabilities to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6375",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T15:51:50.174882Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T18:19:59.492Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Online Booking System",
          "vendor": "SpiceJet",
          "versions": [
            {
              "status": "affected",
              "version": "All"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Owais Shaikh reported these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2026-04-23T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability in SpiceJet\u2019s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access."
            }
          ],
          "value": "A vulnerability in SpiceJet\u2019s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T20:08:10.133Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authorization bypass through User-Controlled key in SpiceJet Online Booking System",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-6375",
    "datePublished": "2026-04-23T20:07:23.930Z",
    "dateReserved": "2026-04-15T16:31:31.228Z",
    "dateUpdated": "2026-04-24T18:19:59.492Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6212 (GCVE-0-2026-6212)

Vulnerability from cvelistv5 – Published: 2026-07-10 18:35 – Updated: 2026-07-10 19:13
VLAI
Title
IDOR in Teracity's TeraMIS
Summary
Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14 through 30.04.2026.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Impacted products
Vendor Product Version
Teracity Software Technologies Inc. TeraMIS Affected: V03.26.01.14 , ≤ 30.04.2026 (custom)
Create a notification for this product.
Date Public
2026-07-10 18:16
Credits
Can Nesimi ARI
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6212",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T19:13:38.327131Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T19:13:49.677Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "TeraMIS",
          "vendor": "Teracity Software Technologies Inc.",
          "versions": [
            {
              "lessThanOrEqual": "30.04.2026",
              "status": "affected",
              "version": "V03.26.01.14",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Can Nesimi ARI"
        }
      ],
      "datePublic": "2026-07-10T18:16:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse.\u003cp\u003eThis issue affects TeraMIS: from V03.26.01.14 through 30.04.2026.\u003c/p\u003e"
            }
          ],
          "value": "Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse.\n\nThis issue affects TeraMIS: from V03.26.01.14 through 30.04.2026."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T18:35:43.613Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0528"
        }
      ],
      "source": {
        "advisory": "TR-26-0528",
        "defect": [
          "TR-26-0528"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "IDOR in Teracity\u0027s TeraMIS",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2026-6212",
    "datePublished": "2026-07-10T18:35:43.613Z",
    "dateReserved": "2026-04-13T12:17:13.977Z",
    "dateUpdated": "2026-07-10T19:13:49.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6206 (GCVE-0-2026-6206)

Vulnerability from cvelistv5 – Published: 2026-05-14 08:24 – Updated: 2026-05-14 10:42
VLAI
Title
MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
Summary
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
websoudan MW WP Form Affected: 0 , ≤ 5.1.2 (semver)
Create a notification for this product.
Credits
Kirasec
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6206",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T10:37:30.303141Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T10:42:52.973Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MW WP Form",
          "vendor": "websoudan",
          "versions": [
            {
              "lessThanOrEqual": "5.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kirasec"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T08:24:26.532Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f2c39f6-3d37-4765-99e8-023610856b61?source=cve"
        },
        {
          "url": "https://github.com/web-soudan/mw-wp-form/commit/77aed98f56fdddc19bddf21c8f12faa5086d9202"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3516013/mw-wp-form"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-10T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-04-13T12:08:15.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-13T19:51:32.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "MW WP Form \u003c= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via \u0027post_id\u0027 Query Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6206",
    "datePublished": "2026-05-14T08:24:26.532Z",
    "dateReserved": "2026-04-13T11:52:59.172Z",
    "dateUpdated": "2026-05-14T10:42:52.973Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6072 (GCVE-0-2026-6072)

Vulnerability from cvelistv5 – Published: 2026-05-20 01:25 – Updated: 2026-05-20 13:13
VLAI
Title
Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header
Summary
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Hunter Jensen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6072",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T13:13:44.799243Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T13:13:52.305Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Oliver POS \u2013 A WooCommerce Point of Sale (POS)",
          "vendor": "oliverpos",
          "versions": [
            {
              "lessThanOrEqual": "2.4.2.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hunter Jensen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Oliver POS \u2013 A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied \u0027OliverAuth\u0027 header value against the \u0027oliver_pos_authorization_token\u0027 option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP\u0027s type juggling, the loose comparison \u00270\u0027 == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending \u0027OliverAuth: 0\u0027. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T01:25:54.241Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca6aa922-9c58-445c-b88a-3d1d1c95102c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge.php#L1679"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge.php#L1679"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge.php#L1677"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge.php#L1677"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L170"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L170"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L195"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L195"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L231"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L231"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-19T12:03:04.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Oliver POS \u003c= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to \u0027OliverAuth\u0027 Header"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6072",
    "datePublished": "2026-05-20T01:25:54.241Z",
    "dateReserved": "2026-04-10T14:00:15.790Z",
    "dateUpdated": "2026-05-20T13:13:52.305Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6063 (GCVE-0-2026-6063)

Vulnerability from cvelistv5 – Published: 2026-05-14 05:34 – Updated: 2026-05-14 13:21
VLAI
Title
Authorization Bypass Through User-Controlled Key in GitLab
Summary
GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
GitLab GitLab Affected: 11.10 , < 18.9.7 (semver)
Affected: 18.10 , < 18.10.6 (semver)
Affected: 18.11 , < 18.11.3 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [pollito](https://hackerone.com/pollito) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T13:21:41.702425Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T13:21:53.278Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "18.9.7",
              "status": "affected",
              "version": "11.10",
              "versionType": "semver"
            },
            {
              "lessThan": "18.10.6",
              "status": "affected",
              "version": "18.10",
              "versionType": "semver"
            },
            {
              "lessThan": "18.11.3",
              "status": "affected",
              "version": "18.11",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [pollito](https://hackerone.com/pollito) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T05:34:12.358Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596332"
        },
        {
          "name": "HackerOne Bug Bounty Report #3649087",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/3649087"
        },
        {
          "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above."
        }
      ],
      "title": "Authorization Bypass Through User-Controlled Key in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2026-6063",
    "datePublished": "2026-05-14T05:34:12.358Z",
    "dateReserved": "2026-04-10T12:33:39.407Z",
    "dateUpdated": "2026-05-14T13:21:53.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6062 (GCVE-0-2026-6062)

Vulnerability from cvelistv5 – Published: 2026-06-22 13:40 – Updated: 2026-06-22 15:41
VLAI
Title
IDOR in Jira plugin subscription edit endpoint
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
URL Tags
https://mattermost.com/security-updates vendor-advisory
Impacted products
Vendor Product Version
Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.0 (semver)
Affected: 11.6.0 , ≤ 11.6.2 (semver)
Affected: 11.5.0 , ≤ 11.5.5 (semver)
Affected: 10.11.0 , ≤ 10.11.17 (semver)
Unaffected: 11.8.0
Unaffected: 11.7.1
Unaffected: 11.6.3
Unaffected: 11.5.6
Unaffected: 10.11.18
Create a notification for this product.
Credits
0hmz
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6062",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T15:41:30.282800Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T15:41:48.877Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mattermost",
          "vendor": "Mattermost",
          "versions": [
            {
              "lessThanOrEqual": "11.7.0",
              "status": "affected",
              "version": "11.7.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.6.2",
              "status": "affected",
              "version": "11.6.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.5.5",
              "status": "affected",
              "version": "11.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.11.17",
              "status": "affected",
              "version": "10.11.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "11.8.0"
            },
            {
              "status": "unaffected",
              "version": "11.7.1"
            },
            {
              "status": "unaffected",
              "version": "11.6.3"
            },
            {
              "status": "unaffected",
              "version": "11.5.6"
            },
            {
              "status": "unaffected",
              "version": "10.11.18"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "0hmz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T13:40:07.776Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "name": "MMSA-2026-00650",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
        }
      ],
      "source": {
        "advisory": "MMSA-2026-00650",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-68271"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "IDOR in Jira plugin subscription edit endpoint",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2026-6062",
    "datePublished": "2026-06-22T13:40:07.776Z",
    "dateReserved": "2026-04-10T10:57:59.278Z",
    "dateUpdated": "2026-06-22T15:41:48.877Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6008 (GCVE-0-2026-6008)

Vulnerability from cvelistv5 – Published: 2026-05-14 12:24 – Updated: 2026-05-14 13:48
VLAI
Title
IDOR in Im Park's DijiDemi
Summary
Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse. This issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Date Public
2026-05-14 12:19
Credits
Muhammet Emirhan SÜMER
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6008",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T13:48:33.827800Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T13:48:41.525Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DijiDemi",
          "vendor": "Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co.",
          "versions": [
            {
              "lessThan": "v4.5.13.0",
              "status": "affected",
              "version": "v4.5.12.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammet Emirhan S\u00dcMER"
        }
      ],
      "datePublic": "2026-05-14T12:19:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.\u003cp\u003eThis issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.\u003c/p\u003e"
            }
          ],
          "value": "Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.\n\nThis issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T12:30:55.568Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0239"
        }
      ],
      "source": {
        "advisory": "TR-26-0239",
        "defect": [
          "TR-26-0239"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "IDOR in Im Park\u0027s DijiDemi",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2026-6008",
    "datePublished": "2026-05-14T12:24:46.606Z",
    "dateReserved": "2026-04-09T13:46:11.729Z",
    "dateUpdated": "2026-05-14T13:48:41.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6001 (GCVE-0-2026-6001)

Vulnerability from cvelistv5 – Published: 2026-05-12 09:53 – Updated: 2026-05-12 12:20
VLAI
Title
IDOR in Abis Technology's BAPSİS
Summary
Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers. This issue affects BAPSİS: before v.202604152042.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Impacted products
Vendor Product Version
ABIS Technology Ltd. Co. BAPSİS Affected: 0 , < v.202604152042 (custom)
Create a notification for this product.
Date Public
2026-05-12 09:48
Credits
Tolga DEMİREL
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6001",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T12:19:58.383814Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:20:23.312Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BAPS\u0130S",
          "vendor": "ABIS Technology Ltd. Co.",
          "versions": [
            {
              "lessThan": "v.202604152042",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tolga DEM\u0130REL"
        }
      ],
      "datePublic": "2026-05-12T09:48:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPS\u0130S allows Exploitation of Trusted Identifiers.\u003cp\u003eThis issue affects BAPS\u0130S: before v.202604152042.\u003c/p\u003e"
            }
          ],
          "value": "Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPS\u0130S allows Exploitation of Trusted Identifiers.\n\nThis issue affects BAPS\u0130S: before v.202604152042."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T09:53:12.336Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0223"
        }
      ],
      "source": {
        "advisory": "TR-26-0223",
        "defect": [
          "TR-26-0223"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "IDOR in Abis Technology\u0027s BAPS\u0130S",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2026-6001",
    "datePublished": "2026-05-12T09:53:12.336Z",
    "dateReserved": "2026-04-09T13:18:37.659Z",
    "dateUpdated": "2026-05-12T12:20:23.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5845 (GCVE-0-2026-5845)

Vulnerability from cvelistv5 – Published: 2026-04-21 22:42 – Updated: 2026-04-22 18:04
VLAI
Title
Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server
Summary
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
Impacted products
Vendor Product Version
GitHub Enterprise Server Affected: 3.20.0 , < 3.20.1 (semver)
Affected: 3.19.0 , ≤ 3.19.4 (semver)
Affected: 3.18.0 , ≤ 3.18.7 (semver)
Affected: 3.17.0 , ≤ 3.17.13 (semver)
Affected: 3.16.0 , ≤ 3.16.16 (semver)
Affected: 3.15.0 , ≤ 3.15.20 (semver)
Affected: 3.14.0 , ≤ 3.14.25 (semver)
Create a notification for this product.
Credits
ahacker1
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5845",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T18:03:53.486677Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T18:04:05.173Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Enterprise Server",
          "vendor": "GitHub",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.20.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "3.20.1",
              "status": "affected",
              "version": "3.20.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.19.5",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.19.4",
              "status": "affected",
              "version": "3.19.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.18.8",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.18.7",
              "status": "affected",
              "version": "3.18.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.17.14",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.17.13",
              "status": "affected",
              "version": "3.17.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.16.17",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.16.16",
              "status": "affected",
              "version": "3.16.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.15.21",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.15.20",
              "status": "affected",
              "version": "3.15.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.14.26",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.14.25",
              "status": "affected",
              "version": "3.14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ahacker1"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper authorization vulnerability in scoped user-to-server (\u003ccode\u003eghu_\u003c/code\u003e) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "value": "An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        },
        {
          "capecId": "CAPEC-26",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-26 Leveraging Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T22:42:13.198Z",
        "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "shortName": "GitHub_P"
      },
      "references": [
        {
          "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
    "assignerShortName": "GitHub_P",
    "cveId": "CVE-2026-5845",
    "datePublished": "2026-04-21T22:42:13.198Z",
    "dateReserved": "2026-04-08T18:28:58.486Z",
    "dateUpdated": "2026-04-22T18:04:05.173Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.