CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14625 vulnerabilities reference this CWE, most recent first.
GHSA-RRJ2-PJJJ-CXF2
Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in HashThemes Viral Mag allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Viral Mag: from n/a through 1.0.9.
{
"affected": [],
"aliases": [
"CVE-2023-28990"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T15:15:11Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in HashThemes Viral Mag allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Viral Mag: from n/a through 1.0.9.",
"id": "GHSA-rrj2-pjjj-cxf2",
"modified": "2026-04-28T21:35:23Z",
"published": "2024-12-13T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28990"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/viral-mag/vulnerability/wordpress-viral-mag-theme-1-0-9-authenticated-arbitrary-plugin-activation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRJ8-527G-2W3M
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-16 15:30Missing Authorization vulnerability in raratheme Ridhi ridhi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ridhi: from n/a through <= 1.1.2.
{
"affected": [],
"aliases": [
"CVE-2026-32383"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:54:53Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in raratheme Ridhi ridhi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ridhi: from n/a through \u003c= 1.1.2.",
"id": "GHSA-rrj8-527g-2w3m",
"modified": "2026-03-16T15:30:35Z",
"published": "2026-03-13T21:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32383"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/ridhi/vulnerability/wordpress-ridhi-theme-1-1-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRMM-9V76-H3P4
Vulnerability from github – Published: 2026-05-14 16:22 – Updated: 2026-06-09 10:24Summary
Portainer enforces Role-Based Access Control (RBAC) on top of the Docker API. The proxy layer routes incoming Docker API requests to per-resource handlers (containers, images, services, volumes, etc.) that apply authorization checks.
The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations — including installing and enabling plugins — directly against the underlying Docker daemon.
The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. Administrators and users without Docker endpoint access are not affected.
A regular user with access to a Docker endpoint can:
- Pull an arbitrary plugin from any registry via
POST /plugins/pull. - Grant it the privileges it requests, including
CAP_SYS_ADMINand host-path mounts. - Enable the plugin via
POST /plugins/{name}/enable, at which point Docker runs the plugin with root privileges on the host.
Docker plugins execute as root on the host and can request arbitrary host capabilities and mounts. Enabling a crafted plugin gives the user access to the host filesystem and equivalent to root on the Docker host.
Severity
Critical — CVSS 9.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE-862 — Missing Authorization
Affected Versions
The vulnerability exists in every Portainer release where the Docker API proxy uses the prefix-allowlist routing model — /plugins has never been in the allowlist, and the fall-through path has never applied authorization.
Fixes are included in the next release of each supported branch:
| Branch | First vulnerable | Fixed in |
|---|---|---|
| 2.33.x (LTS) | 2.33.0 | 2.33.8 |
| 2.39.x (LTS) | 2.39.0 | 2.39.2 |
| 2.40.x (STS) | 2.40.0 | 2.41.0 |
Portainer LTS branches receive fixes for 6 months plus a 3-month overlap after the next LTS ships. STS releases are supported only until the next STS ships — the 2.40.x STS line ends with the 2.41.0 release. All releases prior to 2.33.0 are end-of-life and will not receive a fix; users on EOL versions should upgrade to a supported LTS branch.
Workarounds
Administrators who cannot immediately upgrade can reduce exposure by temporarily revoking Docker endpoint access for non-admin users via Portainer RBAC until the patched release is deployed. This eliminates the attack surface without disruption for administrators. This does not replace the fix.
Affected Code
// api/http/proxy/factory/docker/transport.go (pre-fix)
var prefixProxyFuncMap = map[string]func(...){
"build": ...,
"configs": ...,
"containers": ...,
"images": ...,
"networks": ...,
"nodes": ...,
"secrets": ...,
"services": ...,
"swarm": ...,
"tasks": ...,
"v2": ...,
"volumes": ...,
}
func (transport *Transport) ProxyDockerRequest(request *http.Request) (*http.Response, error) {
// ...
prefix := strings.Split(strings.TrimPrefix(unversionedPath, "/"), "/")[0]
if proxyFunc := prefixProxyFuncMap[prefix]; proxyFunc != nil {
return proxyFunc(transport, request, unversionedPath) // authorized
}
return transport.executeDockerRequest(request) // forwarded without authorization
}
/plugins is not in prefixProxyFuncMap, so requests to plugin endpoints fall through to executeDockerRequest and are forwarded to the Docker daemon without any Portainer-side authorization check.
Impact
An authenticated, non-admin Portainer user with access to any Docker-enabled endpoint can:
- Install and enable arbitrary Docker plugins from any registry.
- Execute plugin code with root privileges on the Docker host (including declaring
CAP_SYS_ADMINand host-path mounts). - Read and modify files on the host filesystem from a restricted account, overriding the administrator's security policy.
Timeline
- 2026-03-16: Reported via GitHub Security Advisory by ikkebr.
- 2026-04-20: Fix merged to
develop,release/2.39, andrelease/2.33. - 2026-04-29: 2.41.0 released.
- 2026-05-07: 2.39.2-LTS and 2.33.8-LTS released.
Credit
- ikkebr — identified and reported the proxy allowlist bypass affecting the Docker plugin management endpoints.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.39.0"
},
{
"fixed": "2.39.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.40.0"
},
{
"fixed": "2.41.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44848"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T16:22:50Z",
"nvd_published_at": "2026-05-28T22:16:58Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nPortainer enforces Role-Based Access Control (RBAC) on top of the Docker API. The proxy layer routes incoming Docker API requests to per-resource handlers (containers, images, services, volumes, etc.) that apply authorization checks.\n\nThe Docker plugin management endpoints (`/plugins/*`) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations \u2014 including installing and enabling plugins \u2014 directly against the underlying Docker daemon.\n\nThe vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. Administrators and users without Docker endpoint access are not affected.\n\nA regular user with access to a Docker endpoint can:\n\n- Pull an arbitrary plugin from any registry via `POST /plugins/pull`.\n- Grant it the privileges it requests, including `CAP_SYS_ADMIN` and host-path mounts.\n- Enable the plugin via `POST /plugins/{name}/enable`, at which point Docker runs the plugin with root privileges on the host.\n\nDocker plugins execute as root on the host and can request arbitrary host capabilities and mounts. Enabling a crafted plugin gives the user access to the host filesystem and equivalent to root on the Docker host.\n\n## Severity\n\n**Critical** \u2014 CVSS 9.4\n`CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`\n\n**CWE-862** \u2014 Missing Authorization\n\n## Affected Versions\n\nThe vulnerability exists in every Portainer release where the Docker API proxy uses the prefix-allowlist routing model \u2014 `/plugins` has never been in the allowlist, and the fall-through path has never applied authorization.\n\nFixes are included in the next release of each supported branch:\n\n| Branch | First vulnerable | Fixed in |\n|---------------------|------------------|------------|\n| 2.33.x (LTS) | 2.33.0 | **2.33.8** |\n| 2.39.x (LTS) | 2.39.0 | **2.39.2** |\n| 2.40.x (STS) | 2.40.0 | **2.41.0** |\n\nPortainer LTS branches receive fixes for 6 months plus a 3-month overlap after the next LTS ships. STS releases are supported only until the next STS ships \u2014 the 2.40.x STS line ends with the 2.41.0 release. All releases **prior to 2.33.0 are end-of-life** and will not receive a fix; users on EOL versions should upgrade to a supported LTS branch.\n\n## Workarounds\n\nAdministrators who cannot immediately upgrade can reduce exposure by temporarily **revoking Docker endpoint access for non-admin users** via Portainer RBAC until the patched release is deployed. This eliminates the attack surface without disruption for administrators. This does not replace the fix.\n\n## Affected Code\n\n```go\n// api/http/proxy/factory/docker/transport.go (pre-fix)\n\nvar prefixProxyFuncMap = map[string]func(...){\n \"build\": ...,\n \"configs\": ...,\n \"containers\": ...,\n \"images\": ...,\n \"networks\": ...,\n \"nodes\": ...,\n \"secrets\": ...,\n \"services\": ...,\n \"swarm\": ...,\n \"tasks\": ...,\n \"v2\": ...,\n \"volumes\": ...,\n}\n\nfunc (transport *Transport) ProxyDockerRequest(request *http.Request) (*http.Response, error) {\n // ...\n prefix := strings.Split(strings.TrimPrefix(unversionedPath, \"/\"), \"/\")[0]\n\n if proxyFunc := prefixProxyFuncMap[prefix]; proxyFunc != nil {\n return proxyFunc(transport, request, unversionedPath) // authorized\n }\n\n return transport.executeDockerRequest(request) // forwarded without authorization\n}\n```\n\n`/plugins` is not in `prefixProxyFuncMap`, so requests to plugin endpoints fall through to `executeDockerRequest` and are forwarded to the Docker daemon without any Portainer-side authorization check.\n\n\n## Impact\n\nAn authenticated, non-admin Portainer user with access to any Docker-enabled endpoint can:\n\n- Install and enable arbitrary Docker plugins from any registry.\n- Execute plugin code with root privileges on the Docker host (including declaring `CAP_SYS_ADMIN` and host-path mounts).\n- Read and modify files on the host filesystem from a restricted account, overriding the administrator\u0027s security policy.\n\n## Timeline\n\n- 2026-03-16: Reported via GitHub Security Advisory by **ikkebr**.\n- 2026-04-20: Fix merged to `develop`, `release/2.39`, and `release/2.33`.\n- 2026-04-29: 2.41.0 released.\n- 2026-05-07: 2.39.2-LTS and 2.33.8-LTS released.\n\n## Credit\n\n- **ikkebr** \u2014 identified and reported the proxy allowlist bypass affecting the Docker plugin management endpoints.",
"id": "GHSA-rrmm-9v76-h3p4",
"modified": "2026-06-09T10:24:45Z",
"published": "2026-05-14T16:22:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44848"
},
{
"type": "PACKAGE",
"url": "https://github.com/portainer/portainer"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.33.8"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.39.2"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.41.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Portainer missing authorization on Docker plugin endpoints, which allows host RCE"
}
GHSA-RRP3-97RC-GC2W
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-23 22:35Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Monster: from n/a through <= 1.3.3.
{
"affected": [],
"aliases": [
"CVE-2026-24607"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T15:16:19Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Monster: from n/a through \u003c= 1.3.3.",
"id": "GHSA-rrp3-97rc-gc2w",
"modified": "2026-01-23T22:35:51Z",
"published": "2026-01-23T15:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24607"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRPW-6PH5-G7QX
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33In callCallbackForRequest of ConnectivityService.java, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure of the current SSID with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9Android ID: A-161370134
{
"affected": [],
"aliases": [
"CVE-2020-0454"
],
"database_specific": {
"cwe_ids": [
"CWE-732",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-10T13:15:00Z",
"severity": "MODERATE"
},
"details": "In callCallbackForRequest of ConnectivityService.java, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure of the current SSID with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9Android ID: A-161370134",
"id": "GHSA-rrpw-6ph5-g7qx",
"modified": "2022-05-24T17:33:28Z",
"published": "2022-05-24T17:33:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0454"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-11-01"
},
{
"type": "WEB",
"url": "https://www.usenix.org/conference/usenixsecurity19/presentation/reardon"
},
{
"type": "WEB",
"url": "https://www.usenix.org/system/files/sec19-reardon.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRQX-J3JJ-4V84
Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2026-01-20 15:31Missing Authorization vulnerability in Rustaurius Front End Users front-end-only-users.This issue affects Front End Users: from n/a through <= 3.2.33.
{
"affected": [],
"aliases": [
"CVE-2025-62072"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T15:16:06Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Rustaurius Front End Users front-end-only-users.This issue affects Front End Users: from n/a through \u003c= 3.2.33.",
"id": "GHSA-rrqx-j3jj-4v84",
"modified": "2026-01-20T15:31:34Z",
"published": "2025-10-22T15:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62072"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/front-end-only-users/vulnerability/wordpress-front-end-users-plugin-3-2-33-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/front-end-only-users/vulnerability/wordpress-front-end-users-plugin-3-2-33-broken-access-control-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/front-end-only-users/vulnerability/wordpress-front-end-users-plugin-3-2-33-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRR5-XGG4-XQQ7
Vulnerability from github – Published: 2024-10-25 09:32 – Updated: 2026-04-08 21:32The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.
{
"affected": [],
"aliases": [
"CVE-2024-9628"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-25T08:15:03Z",
"severity": "MODERATE"
},
"details": "The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the \u0027Wps_Telegram_Chat_Admin::check\u0421onnection\u0027 function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.",
"id": "GHSA-rrr5-xgg4-xqq7",
"modified": "2026-04-08T21:32:54Z",
"published": "2024-10-25T09:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9628"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wps-telegram-chat/tags/4.5.4/admin/class-wps-telegram-chat-admin.php#L176"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f7e545-5e14-421e-90b4-bc54b23d0fe6?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RRRG-RJ55-27WM
Vulnerability from github – Published: 2024-04-09 21:31 – Updated: 2024-04-09 21:31The Advanced Classifieds & Directory Pro plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_callback_delete_attachment function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with subscriber access or higher, to delete arbitrary media uploads.
{
"affected": [],
"aliases": [
"CVE-2024-2222"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:30Z",
"severity": "MODERATE"
},
"details": "The Advanced Classifieds \u0026 Directory Pro plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_callback_delete_attachment function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with subscriber access or higher, to delete arbitrary media uploads.",
"id": "GHSA-rrrg-rj55-27wm",
"modified": "2024-04-09T21:31:59Z",
"published": "2024-04-09T21:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2222"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/advanced-classifieds-and-directory-pro/trunk/admin/admin.php#L757"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/advanced-classifieds-and-directory-pro/trunk/public/user.php#L689"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3054455%40advanced-classifieds-and-directory-pro%2Ftrunk\u0026old=3012747%40advanced-classifieds-and-directory-pro%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc5da189-838d-4c0b-a734-283c4da36473?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRRX-RJCC-VX6W
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-23 21:30Missing Authorization vulnerability in topdevs Smart Product Viewer smart-product-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Product Viewer: from n/a through <= 1.5.4.
{
"affected": [],
"aliases": [
"CVE-2026-24588"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T15:16:16Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in topdevs Smart Product Viewer smart-product-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Product Viewer: from n/a through \u003c= 1.5.4.",
"id": "GHSA-rrrx-rjcc-vx6w",
"modified": "2026-01-23T21:30:43Z",
"published": "2026-01-23T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24588"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/smart-product-viewer/vulnerability/wordpress-smart-product-viewer-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRV4-98WQ-7V85
Vulnerability from github – Published: 2025-01-02 12:32 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in Seers Seers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seers: from n/a through 8.1.1.
{
"affected": [],
"aliases": [
"CVE-2023-47515"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-02T12:15:15Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Seers Seers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seers: from n/a through 8.1.1.",
"id": "GHSA-rrv4-98wq-7v85",
"modified": "2026-04-28T21:35:30Z",
"published": "2025-01-02T12:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47515"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/seers-cookie-consent-banner-privacy-policy/vulnerability/wordpress-seers-gdpr-ccpa-cookie-consent-compliance-plugin-8-0-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.