CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5541 vulnerabilities reference this CWE, most recent first.
GHSA-P4X4-2R7F-WJXG
Vulnerability from github – Published: 2026-04-01 00:02 – Updated: 2026-04-28 18:16Summary
Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers.
Impact
A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval boundaries.
Affected Component
src/infra/exec-approvals-allowlist.ts
Fixed Versions
- Affected:
<= 2026.3.24 - Patched:
>= 2026.3.28 - Latest stable
2026.3.28contains the fix.
Fix
Fixed by commit 9ec44fad39 (Exec approvals: reject wrapper carrier allow-always targets).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41380"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T00:02:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nAllow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers.\n\n## Impact\n\nA one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval boundaries.\n\n## Affected Component\n\n`src/infra/exec-approvals-allowlist.ts`\n\n## Fixed Versions\n\n- Affected: `\u003c= 2026.3.24`\n- Patched: `\u003e= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `9ec44fad39` (`Exec approvals: reject wrapper carrier allow-always targets`).",
"id": "GHSA-p4x4-2r7f-wjxg",
"modified": "2026-04-28T18:16:15Z",
"published": "2026-04-01T00:02:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9ec44fad390f0bc1c29c3cc418b322560cb0222b"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw gateway exec allow-always over-trusts positional carrier executables"
}
GHSA-P54F-88C4-RHQC
Vulnerability from github – Published: 2025-05-13 21:30 – Updated: 2025-05-13 21:30ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2025-43564"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T21:16:16Z",
"severity": "CRITICAL"
},
"details": "ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction.",
"id": "GHSA-p54f-88c4-rhqc",
"modified": "2025-05-13T21:30:57Z",
"published": "2025-05-13T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43564"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-52.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P56G-X65G-WR86
Vulnerability from github – Published: 2026-06-23 18:31 – Updated: 2026-06-23 18:31NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channels into out-of-scope agent groups, exposing unauthorized groups to unapproved channels and enabling unauthorized observation or control of restricted agent group activity.
{
"affected": [],
"aliases": [
"CVE-2026-56694"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-23T16:17:06Z",
"severity": "MODERATE"
},
"details": "NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channels into out-of-scope agent groups, exposing unauthorized groups to unapproved channels and enabling unauthorized observation or control of restricted agent group activity.",
"id": "GHSA-p56g-x65g-wr86",
"modified": "2026-06-23T18:31:39Z",
"published": "2026-06-23T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56694"
},
{
"type": "WEB",
"url": "https://github.com/nanocoai/nanoclaw/pull/2566"
},
{
"type": "WEB",
"url": "https://github.com/nanocoai/nanoclaw/commit/0eef8fafdd7c475ab5fd8d37ea566a81e74cd834"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nanoclaw-privilege-escalation-via-forged-channel-approval-callback"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P56P-86P8-95G9
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26Huawei 5G Mobile WiFi E6878-370 with versions of 10.0.3.1(H563SP1C00),10.0.3.1(H563SP21C233) have an improper authorization vulnerability. The device does not restrict certain data received from WAN port. Successful exploit could allow an attacker at WAN side to manage certain service of the device.
{
"affected": [],
"aliases": [
"CVE-2020-9241"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-17T16:15:00Z",
"severity": "MODERATE"
},
"details": "Huawei 5G Mobile WiFi E6878-370 with versions of 10.0.3.1(H563SP1C00),10.0.3.1(H563SP21C233) have an improper authorization vulnerability. The device does not restrict certain data received from WAN port. Successful exploit could allow an attacker at WAN side to manage certain service of the device.",
"id": "GHSA-p56p-86p8-95g9",
"modified": "2022-05-24T17:26:06Z",
"published": "2022-05-24T17:26:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9241"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200812-01-auth-en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P58M-CP94-FM4F
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-04-04 02:47An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
{
"affected": [],
"aliases": [
"CVE-2019-5474"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-28T03:15:00Z",
"severity": "MODERATE"
},
"details": "An authorization issue was discovered in GitLab EE \u003c 12.1.2, \u003c 12.0.4, and \u003c 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.",
"id": "GHSA-p58m-cp94-fm4f",
"modified": "2024-04-04T02:47:15Z",
"published": "2022-05-24T17:07:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5474"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/544756"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/11423"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5C4-8M5X-VH8P
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-18 00:01An Improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to Firmware update MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission
{
"affected": [],
"aliases": [
"CVE-2022-24930"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:46:00Z",
"severity": "MODERATE"
},
"details": "An Improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to Firmware update MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission",
"id": "GHSA-p5c4-8m5x-vh8p",
"modified": "2022-03-18T00:01:21Z",
"published": "2022-03-11T00:02:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24930"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5F8-QF24-24CJ
Vulnerability from github – Published: 2023-12-19 21:39 – Updated: 2023-12-21 21:58Impact
It's possible to execute a Velocity script without script right through the document tree.
To reproduce:
- As a user without script right, create a document, e.g., named Nasty Title
- Set the document's title to
$request.requestURI - Click "Save & View"
- Reload the page in the browser
The navigation panel displays a document named with the current URL, showing that the Velocity code has been executed even though the user doesn't have script right.
Patches
This has been patched in XWiki 14.10.7 and 15.2RC1.
Workarounds
A possible workaround is to:
* modify the page XWiki.DocumentTreeMacros
* search for the code #set ($discard = $translatedDocument.setTitle($translatedDocument.title))
* modify it into #set ($discard = $translatedDocument.setcomment(''))
References
- https://jira.xwiki.org/browse/XWIKI-20625
- https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-index-tree-macro"
},
"ranges": [
{
"events": [
{
"introduced": "8.3-rc-1"
},
{
"fixed": "14.10.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-index-tree-macro"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.2-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50732"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-19T21:39:31Z",
"nvd_published_at": "2023-12-21T20:15:07Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIt\u0027s possible to execute a Velocity script without script right through the document tree.\n\nTo reproduce:\n\n* As a user without script right, create a document, e.g., named Nasty Title\n* Set the document\u0027s title to `$request.requestURI`\n* Click \"Save \u0026 View\"\n* Reload the page in the browser\n\nThe navigation panel displays a document named with the current URL, showing that the Velocity code has been executed even though the user doesn\u0027t have script right.\n\n### Patches\n\nThis has been patched in XWiki 14.10.7 and 15.2RC1.\n\n### Workarounds\n\nA possible workaround is to:\n* modify the page XWiki.DocumentTreeMacros\n* search for the code `#set ($discard = $translatedDocument.setTitle($translatedDocument.title))`\n* modify it into `#set ($discard = $translatedDocument.setcomment(\u0027\u0027))`\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-20625\n* https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
"id": "GHSA-p5f8-qf24-24cj",
"modified": "2023-12-21T21:58:59Z",
"published": "2023-12-19T21:39:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5f8-qf24-24cj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50732"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20625"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Velocity execution without script right through tree macro"
}
GHSA-P5H8-CWCQ-Q5G2
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.
{
"affected": [],
"aliases": [
"CVE-2022-31744"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page\u0027s Content Security Policy. This vulnerability affects Firefox ESR \u003c 91.11, Thunderbird \u003c 102, Thunderbird \u003c 91.11, and Firefox \u003c 101.",
"id": "GHSA-p5h8-cwcq-q5g2",
"modified": "2025-04-15T21:31:24Z",
"published": "2022-12-22T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31744"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1757604"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-25"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5MG-83XJ-VFQ6
Vulnerability from github – Published: 2025-01-27 18:32 – Updated: 2025-01-27 18:32IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 could allow an authenticated user to perform unauthorized actions to another user's data due to improper access controls.
{
"affected": [],
"aliases": [
"CVE-2024-22316"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T16:15:30Z",
"severity": "MODERATE"
},
"details": "IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 could allow an authenticated user to perform unauthorized actions to another user\u0027s data due to improper access controls.",
"id": "GHSA-p5mg-83xj-vfq6",
"modified": "2025-01-27T18:32:00Z",
"published": "2025-01-27T18:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22316"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7176083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5Q4-94MG-325P
Vulnerability from github – Published: 2026-06-08 15:32 – Updated: 2026-06-30 03:36A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
{
"affected": [],
"aliases": [
"CVE-2026-11577"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T13:16:32Z",
"severity": "HIGH"
},
"details": "A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.",
"id": "GHSA-p5q4-94mg-325p",
"modified": "2026-06-30T03:36:56Z",
"published": "2026-06-08T15:32:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11577"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/9387"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-11577"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459993"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11577.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.