CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5513 vulnerabilities reference this CWE, most recent first.
CVE-2026-48776 (GCVE-0-2026-48776)
Vulnerability from cvelistv5 – Published: 2026-06-16 19:51 – Updated: 2026-06-17 14:02| URL | Tags |
|---|---|
| https://github.com/langchain-ai/langgraph/securit… | x_refsource_CONFIRM |
| https://github.com/langchain-ai/langgraph/release… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| langchain-ai | langchain-ai |
Affected:
< 1.2.1
|
|
| langchain-ai | langchain-sdk |
Affected:
< 0.3.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T14:02:12.377940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:02:24.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain-ai",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.1"
}
]
},
{
"product": "langchain-sdk",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 0.3.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource operations. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to address a different resource (and potentially a different resource type) than the SDK method\u0027s call site indicates. In deployments where the SDK receives identifier values that originate from untrusted sources, this could result in unintended access, modification, or deletion of resources beyond the calling user\u0027s authorization scope. This issue is most consequential in deployments that forward end-user-supplied values directly into SDK identifier parameters without first validating them against an expected format (such as a UUID), and rely on URL-prefix-based authorization at an upstream layer (reverse proxy, edge gateway, WAF), where the authorization decision is made on the SDK call\u0027s intended path rather than on the final delivered request path. The issue has been fixed in version 0.3.15."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:51:09.464Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-w39p-vh2g-g8g5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-w39p-vh2g-g8g5"
},
{
"name": "https://github.com/langchain-ai/langgraph/releases/tag/sdk%3D%3D0.3.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langgraph/releases/tag/sdk%3D%3D0.3.15"
}
],
"source": {
"advisory": "GHSA-w39p-vh2g-g8g5",
"discovery": "UNKNOWN"
},
"title": "LangGraph SDK has unsafe URL path construction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48776",
"datePublished": "2026-06-16T19:51:09.464Z",
"dateReserved": "2026-05-22T19:39:05.357Z",
"dateUpdated": "2026-06-17T14:02:24.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48772 (GCVE-0-2026-48772)
Vulnerability from cvelistv5 – Published: 2026-06-19 19:28 – Updated: 2026-06-22 15:16| URL | Tags |
|---|---|
| https://github.com/sysown/proxysql/security/advis… | x_refsource_CONFIRM |
| https://github.com/sysown/proxysql/releases/tag/v3.0.9 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48772",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:15:18.320420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:16:33.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/sysown/proxysql/security/advisories/GHSA-gw94-85m2-x8v2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "proxysql",
"vendor": "sysown",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 3.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN \u003caddr\u003e \u003caddr\u003e \u003cport\u003e \u003cport\u003e\\r\\n` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is `UNKNOWN`, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via `sscanf` and writes the spoofed source address into the session\u0027s `addr.addr` field. From there it flows directly into the query-rule matcher, where the `client_addr` predicate decides routing and ACL. When `mysql-proxy_protocol_networks = \u0027*\u0027` (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any `mysql_query_rules` row pinned to a `client_addr` value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use `client_addr` for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348: Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T19:28:46.248Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sysown/proxysql/security/advisories/GHSA-gw94-85m2-x8v2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sysown/proxysql/security/advisories/GHSA-gw94-85m2-x8v2"
},
{
"name": "https://github.com/sysown/proxysql/releases/tag/v3.0.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sysown/proxysql/releases/tag/v3.0.9"
}
],
"source": {
"advisory": "GHSA-gw94-85m2-x8v2",
"discovery": "UNKNOWN"
},
"title": "ProxySQL: PROXY-Protocol-v1 UNKNOWN parses spoofed source IP, bypassing mysql_query_rules.client_addr ACL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48772",
"datePublished": "2026-06-19T19:28:46.248Z",
"dateReserved": "2026-05-22T19:39:05.357Z",
"dateUpdated": "2026-06-22T15:16:33.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48507 (GCVE-0-2026-48507)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:41 – Updated: 2026-06-08 18:03- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/grokability/snipe-it/security/… | x_refsource_CONFIRM |
| https://github.com/grokability/snipe-it/commit/40… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| grokability | snipe-it |
Affected:
< 8.6.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T18:02:32.917829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T18:03:30.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snipe-it",
"vendor": "grokability",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:41:01.840Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grokability/snipe-it/security/advisories/GHSA-6f75-x745-xcpr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-6f75-x745-xcpr"
},
{
"name": "https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a"
}
],
"source": {
"advisory": "GHSA-6f75-x745-xcpr",
"discovery": "UNKNOWN"
},
"title": "Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48507",
"datePublished": "2026-06-08T15:41:01.840Z",
"dateReserved": "2026-05-21T16:18:10.618Z",
"dateUpdated": "2026-06-08T18:03:30.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48501 (GCVE-0-2026-48501)
Vulnerability from cvelistv5 – Published: 2026-05-29 15:14 – Updated: 2026-05-29 17:14- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/cli/cli/security/advisories/GH… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T17:13:29.316659Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T17:14:30.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cli",
"vendor": "cli",
"versions": [
{
"status": "affected",
"version": "\u003c 2.93.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitHub CLI (gh) is GitHub\u2019s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user\u0027s github.com token. For hosts that don\u0027t match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T15:14:54.975Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cli/cli/security/advisories/GHSA-8xvp-7hj6-mcj9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cli/cli/security/advisories/GHSA-8xvp-7hj6-mcj9"
}
],
"source": {
"advisory": "GHSA-8xvp-7hj6-mcj9",
"discovery": "UNKNOWN"
},
"title": "GitHub CLI tokens leak via `gh attestation` commands"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48501",
"datePublished": "2026-05-29T15:14:54.975Z",
"dateReserved": "2026-05-21T15:33:08.292Z",
"dateUpdated": "2026-05-29T17:14:30.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48493 (GCVE-0-2026-48493)
Vulnerability from cvelistv5 – Published: 2026-06-23 22:11 – Updated: 2026-06-25 13:01- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/grokability/snipe-it/security/… | x_refsource_CONFIRM |
| https://github.com/grokability/snipe-it/pull/19024 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| grokability | snipe-it |
Affected:
< 8.6.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T13:00:57.003096Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:01:19.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snipe-it",
"vendor": "grokability",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser \u2014 for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T22:11:06.847Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grokability/snipe-it/security/advisories/GHSA-52fw-7fw2-fmv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-52fw-7fw2-fmv5"
},
{
"name": "https://github.com/grokability/snipe-it/pull/19024",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/pull/19024"
}
],
"source": {
"advisory": "GHSA-52fw-7fw2-fmv5",
"discovery": "UNKNOWN"
},
"title": "Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48493",
"datePublished": "2026-06-23T22:11:06.847Z",
"dateReserved": "2026-05-21T15:33:08.292Z",
"dateUpdated": "2026-06-25T13:01:19.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48489 (GCVE-0-2026-48489)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:14 – Updated: 2026-07-16 14:40- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/symfony/symfony/security/advis… | x_refsource_CONFIRM |
| https://github.com/symfony/symfony/commit/c48a427… | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v5.4.53 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v6.4.41 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v7.4.13 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| symfony | symfony |
Affected:
< 5.4.53
Affected: >= 6.0.0-BETA1, < 6.4.41 Affected: >= 7.0.0-BETA1, < 7.4.13 Affected: >= 8.0.0-BETA1, < 8.0.13 |
|
| symfony | security-http |
Affected:
< 5.4.53
Affected: >= 6.0.0-BETA1, < 6.4.41 Affected: >= 7.0.0-BETA1, < 7.4.13 Affected: >= 8.0.0-BETA1, < 8.0.13 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T14:39:55.938217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T14:40:10.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "symfony",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.53"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.41"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
}
]
},
{
"product": "security-http",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.53"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.41"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, DefaultAuthenticationFailureHandler honored the request-supplied _failure_path parameter when failure_forward: true was enabled, allowing an unauthenticated failing login request to dispatch a subrequest to access_control-protected GET routes that skipped firewall listeners. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:14:12.233Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/symfony/symfony/security/advisories/GHSA-6h46-9jf5-q59x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-6h46-9jf5-q59x"
},
{
"name": "https://github.com/symfony/symfony/commit/c48a4276309e11aedeeb0ce3a89dfbf0b4fe04ff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/commit/c48a4276309e11aedeeb0ce3a89dfbf0b4fe04ff"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v5.4.53",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v5.4.53"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v6.4.41",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v6.4.41"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v7.4.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v7.4.13"
}
],
"source": {
"advisory": "GHSA-6h46-9jf5-q59x",
"discovery": "UNKNOWN"
},
"title": "Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48489",
"datePublished": "2026-07-14T19:14:12.233Z",
"dateReserved": "2026-05-21T15:33:08.291Z",
"dateUpdated": "2026-07-16T14:40:10.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48349 (GCVE-0-2026-48349)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:53 – Updated: 2026-07-15 10:38- CWE-863 - Incorrect Authorization (CWE-863)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/animate… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Animate 2023 |
Affected:
0 , ≤ 23.0.15
(custom)
Unaffected: 23.0.16 (custom) |
|
| Adobe | Adobe Animate 2024 |
Affected:
0 , ≤ 24.0.13
(custom)
Unaffected: 24.0.14 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T03:59:29.496265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T10:38:19.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Animate 2023",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "23.0.15",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.0.16",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Animate 2024",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "24.0.13",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "24.0.14",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Animate is affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker\u0027s control. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.2,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "HIGH",
"modifiedAttackVector": "LOCAL",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:53:33.123Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/animate/apsb26-83.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Animate | Incorrect Authorization (CWE-863)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48349",
"datePublished": "2026-07-14T19:53:33.123Z",
"dateReserved": "2026-05-21T15:28:38.140Z",
"dateUpdated": "2026-07-15T10:38:19.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48348 (GCVE-0-2026-48348)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:53 – Updated: 2026-07-15 10:38- CWE-863 - Incorrect Authorization (CWE-863)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/animate… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Animate 2023 |
Affected:
0 , ≤ 23.0.15
(custom)
Unaffected: 23.0.16 (custom) |
|
| Adobe | Adobe Animate 2024 |
Affected:
0 , ≤ 24.0.13
(custom)
Unaffected: 24.0.14 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T03:59:28.750442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T10:38:32.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Animate 2023",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "23.0.15",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.0.16",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Animate 2024",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "24.0.13",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "24.0.14",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Animate is affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker\u0027s control. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "HIGH",
"modifiedAttackVector": "LOCAL",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 7.7,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:53:32.422Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/animate/apsb26-83.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Animate | Incorrect Authorization (CWE-863)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48348",
"datePublished": "2026-07-14T19:53:32.422Z",
"dateReserved": "2026-05-21T15:28:38.140Z",
"dateUpdated": "2026-07-15T10:38:32.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48327 (GCVE-0-2026-48327)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:04 – Updated: 2026-07-15 10:33- CWE-863 - Incorrect Authorization (CWE-863)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/coldfus… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | ColdFusion 2025 |
Affected:
0 , ≤ 10
(semver)
Unaffected: 11 (semver) |
|
| Adobe | ColdFusion 2023 |
Affected:
0 , ≤ 21
(semver)
Unaffected: 22 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48327",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T04:00:08.917672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T10:33:15.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "ColdFusion 2025",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "ColdFusion 2023",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "21",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "22",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ColdFusion is affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "ADJACENT_NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 9,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:04:12.455Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ColdFusion | Incorrect Authorization (CWE-863)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48327",
"datePublished": "2026-07-14T21:04:12.455Z",
"dateReserved": "2026-05-21T15:28:38.138Z",
"dateUpdated": "2026-07-15T10:33:15.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48321 (GCVE-0-2026-48321)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:04 – Updated: 2026-07-16 03:55- CWE-863 - Incorrect Authorization (CWE-863)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/coldfus… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | ColdFusion 2025 |
Affected:
0 , ≤ 10
(semver)
Unaffected: 11 (semver) |
|
| Adobe | ColdFusion 2023 |
Affected:
0 , ≤ 21
(semver)
Unaffected: 22 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T03:55:24.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "ColdFusion 2025",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "ColdFusion 2023",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "21",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "22",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ColdFusion is affected by an Incorrect Authorization vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized read and write access. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 9.3,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "ADJACENT_NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 9.3,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:04:09.567Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ColdFusion | Incorrect Authorization (CWE-863)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48321",
"datePublished": "2026-07-14T21:04:09.567Z",
"dateReserved": "2026-05-21T15:28:38.137Z",
"dateUpdated": "2026-07-16T03:55:24.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.