CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5541 vulnerabilities reference this CWE, most recent first.
GHSA-P89V-94G7-8VXF
Vulnerability from github – Published: 2026-03-24 06:31 – Updated: 2026-03-24 06:31Vitals ESP developed by Galaxy Software Services has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to perform certain administrative functions, thereby escalating privileges.
{
"affected": [],
"aliases": [
"CVE-2026-4639"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T05:16:25Z",
"severity": "HIGH"
},
"details": "Vitals ESP developed by Galaxy Software Services has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to perform certain administrative functions, thereby escalating privileges.",
"id": "GHSA-p89v-94g7-8vxf",
"modified": "2026-03-24T06:31:14Z",
"published": "2026-03-24T06:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4639"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10795-25784-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10794-704a2-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P8F7-22GQ-M7J9
Vulnerability from github – Published: 2022-10-17 12:00 – Updated: 2024-04-10 18:37socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "phoenix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-42975"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-18T18:01:44Z",
"nvd_published_at": "2022-10-17T06:15:00Z",
"severity": "HIGH"
},
"details": "socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.",
"id": "GHSA-p8f7-22gq-m7j9",
"modified": "2024-04-10T18:37:53Z",
"published": "2022-10-17T12:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42975"
},
{
"type": "WEB",
"url": "https://github.com/phoenixframework/phoenix/commit/6e7185b33a59e0b1d1c0b4223adf340a73e963ae"
},
{
"type": "PACKAGE",
"url": "https://github.com/phoenixframework/phoenix"
},
{
"type": "WEB",
"url": "https://hexdocs.pm/phoenix/1.6.14/changelog.html#1-6-14-2022-10-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Phoenix before 1.6.14 mishandles check_origin wildcarding"
}
GHSA-P8RP-XFQ6-8F8M
Vulnerability from github – Published: 2026-03-03 18:31 – Updated: 2026-03-06 00:31An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment.
This vulnerability was patched on 26 January 2026, and no customer action is needed.
{
"affected": [],
"aliases": [
"CVE-2026-3136"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T17:16:19Z",
"severity": "HIGH"
},
"details": "An improper authorization\u00a0vulnerability in GitHub Trigger Comment Control\u00a0in Google\u00a0Cloud Build\u00a0prior to 2026-1-26\u00a0allows a remote attacker\u00a0to execute arbitrary code in the build environment.\n\nThis vulnerability was patched on 26 January 2026, and no customer action is needed.",
"id": "GHSA-p8rp-xfq6-8f8m",
"modified": "2026-03-06T00:31:29Z",
"published": "2026-03-03T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3136"
},
{
"type": "WEB",
"url": "https://docs.cloud.google.com/build/docs/release-notes#March_03_2026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear",
"type": "CVSS_V4"
}
]
}
GHSA-P953-2G5P-33C5
Vulnerability from github – Published: 2026-05-13 00:48 – Updated: 2026-05-13 00:48Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.
{
"affected": [],
"aliases": [
"CVE-2026-45226"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T22:16:38Z",
"severity": "HIGH"
},
"details": "Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.",
"id": "GHSA-p953-2g5p-33c5",
"modified": "2026-05-13T00:48:14Z",
"published": "2026-05-13T00:48:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45226"
},
{
"type": "WEB",
"url": "https://github.com/heymrun/heym/pull/93"
},
{
"type": "WEB",
"url": "https://github.com/heymrun/heym/commit/3ae3ef6a7d3609da0e910f9ed6b81e99a1661ac8"
},
{
"type": "WEB",
"url": "https://github.com/heymrun/heym/releases/tag/v0.0.21"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/heym-authorization-bypass-in-workflow-execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P95M-PP4P-P9J3
Vulnerability from github – Published: 2025-08-20 09:30 – Updated: 2025-11-05 15:31MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users.
{
"affected": [],
"aliases": [
"CVE-2025-9228"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-20T09:15:28Z",
"severity": "MODERATE"
},
"details": "MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, \nallowing low-privilege users to create notes which are intended only for administrative users.",
"id": "GHSA-p95m-pp4p-p9j3",
"modified": "2025-11-05T15:31:02Z",
"published": "2025-08-20T09:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9228"
},
{
"type": "WEB",
"url": "https://a.storyblok.com/f/230581/x/46f48d3787/msa-15.pdf"
},
{
"type": "WEB",
"url": "https://mobile-industrial-robots.com/security-advisories/insufficient-authorization-when-creating-notes"
},
{
"type": "WEB",
"url": "https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P967-H43J-8P83
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-07-13 00:01In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.
{
"affected": [],
"aliases": [
"CVE-2021-39903"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-04T23:15:00Z",
"severity": "MODERATE"
},
"details": "In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.",
"id": "GHSA-p967-h43j-8p83",
"modified": "2022-07-13T00:01:38Z",
"published": "2022-05-24T19:19:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39903"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1086781"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39903.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/300017"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P972-2FG6-PW4J
Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-26 21:32baltic-it TOPqw Webportal v1.35.283.2 is vulnerable to Incorrect Access Control in the User Management function in /Apps/TOPqw/BenutzerManagement.aspx. This allows a low privileged user to access all modules in the web portal, view and manipulate information and permissions of other users, lock other user or unlock the own account, change the password of other users, create new users or delete existing users and view, manipulate and delete reference data.
{
"affected": [],
"aliases": [
"CVE-2024-45877"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-13T21:15:28Z",
"severity": "MODERATE"
},
"details": "baltic-it TOPqw Webportal v1.35.283.2 is vulnerable to Incorrect Access Control in the User Management function in /Apps/TOPqw/BenutzerManagement.aspx. This allows a low privileged user to access all modules in the web portal, view and manipulate information and permissions of other users, lock other user or unlock the own account, change the password of other users, create new users or delete existing users and view, manipulate and delete reference data.",
"id": "GHSA-p972-2fg6-pw4j",
"modified": "2024-11-26T21:32:23Z",
"published": "2024-11-13T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45877"
},
{
"type": "WEB",
"url": "https://cyber.wtf/2024/11/11/topqw-webportal-cves"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P9CX-F595-H79H
Vulnerability from github – Published: 2024-11-07 15:31 – Updated: 2024-11-07 18:28A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0-beta"
},
{
"fixed": "4.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0-beta"
},
{
"fixed": "4.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43438"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-07T18:28:35Z",
"nvd_published_at": "2024-11-07T14:15:16Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Feedback. Bulk messaging in the activity\u0027s non-respondents report did not verify message recipients belonging to the set of users returned by the report.",
"id": "GHSA-p9cx-f595-h79h",
"modified": "2024-11-07T18:28:35Z",
"published": "2024-11-07T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43438"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304267"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=461208"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Moodle\u0027s IDOR in Feedback non-respondents report allows messaging arbitrary site users"
}
GHSA-P9G6-6PPX-5QRR
Vulnerability from github – Published: 2025-01-31 03:32 – Updated: 2025-06-30 18:31This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Pioneer DMH-WT7600NEX devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the telematics functionality. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.
{
"affected": [],
"aliases": [
"CVE-2024-23929"
],
"database_specific": {
"cwe_ids": [
"CWE-863",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-31T01:15:09Z",
"severity": "HIGH"
},
"details": "This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Pioneer DMH-WT7600NEX devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the telematics functionality. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.",
"id": "GHSA-p9g6-6ppx-5qrr",
"modified": "2025-06-30T18:31:45Z",
"published": "2025-01-31T03:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23929"
},
{
"type": "WEB",
"url": "https://jpn.pioneer/ja/car/dl/dmh-sz700_sf700"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1044"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9GV-JGW3-97Q9
Vulnerability from github – Published: 2023-09-14 09:30 – Updated: 2024-04-04 07:40A Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to.
{
"affected": [],
"aliases": [
"CVE-2023-4814"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-14T07:15:41Z",
"severity": "HIGH"
},
"details": "\nA Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to.\n\n",
"id": "GHSA-p9gv-jgw3-97q9",
"modified": "2024-04-04T07:40:02Z",
"published": "2023-09-14T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4814"
},
{
"type": "WEB",
"url": "https://kcm.trellix.com/corporate/index?page=content\u0026id=SB10407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.