CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5541 vulnerabilities reference this CWE, most recent first.
GHSA-P9VF-JJJ8-M5R9
Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2025-05-29 18:31The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.
{
"affected": [],
"aliases": [
"CVE-2022-28321"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-19T22:15:00Z",
"severity": "CRITICAL"
},
"details": "The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn\u0027t correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.",
"id": "GHSA-p9vf-jjj8-m5r9",
"modified": "2025-05-29T18:31:08Z",
"published": "2022-09-20T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28321"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1197654"
},
{
"type": "WEB",
"url": "https://www.suse.com/security/cve/CVE-2022-28321.html"
},
{
"type": "WEB",
"url": "http://download.opensuse.org/source/distribution/openSUSE-current/repo/oss/src"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9VX-XF7X-8HP9
Vulnerability from github – Published: 2025-04-29 03:30 – Updated: 2025-04-29 15:31An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to bypass authentication policy.
{
"affected": [],
"aliases": [
"CVE-2025-24206"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T03:15:34Z",
"severity": "HIGH"
},
"details": "An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to bypass authentication policy.",
"id": "GHSA-p9vx-xf7x-8hp9",
"modified": "2025-04-29T15:31:50Z",
"published": "2025-04-29T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24206"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122371"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122372"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122374"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122375"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122377"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122378"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PC24-6VHP-R88J
Vulnerability from github – Published: 2023-02-03 21:30 – Updated: 2023-02-12 06:30In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows.
{
"affected": [],
"aliases": [
"CVE-2023-24029"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-03T21:15:00Z",
"severity": "HIGH"
},
"details": "In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows.",
"id": "GHSA-pc24-6vhp-r88j",
"modified": "2023-02-12T06:30:27Z",
"published": "2023-02-03T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24029"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-January-2023?popup=true"
},
{
"type": "WEB",
"url": "https://www.progress.com/ws_ftp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PC82-888M-PQ3G
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.
{
"affected": [],
"aliases": [
"CVE-2018-8927"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-14T14:29:00Z",
"severity": "MODERATE"
},
"details": "Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.",
"id": "GHSA-pc82-888m-pq3g",
"modified": "2022-05-13T01:10:20Z",
"published": "2022-05-13T01:10:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8927"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PC84-8MJQ-PCG8
Vulnerability from github – Published: 2026-02-04 15:30 – Updated: 2026-02-11 18:31A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level.
{
"affected": [],
"aliases": [
"CVE-2025-70997"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T15:16:13Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level.",
"id": "GHSA-pc84-8mjq-pcg8",
"modified": "2026-02-11T18:31:26Z",
"published": "2026-02-04T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70997"
},
{
"type": "WEB",
"url": "https://github.com/fofo137/CVE/issues/1"
},
{
"type": "WEB",
"url": "https://github.com/elunez/eladmin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PCFP-5FRW-85M7
Vulnerability from github – Published: 2024-04-16 00:30 – Updated: 2024-04-16 00:30An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results.
{
"affected": [],
"aliases": [
"CVE-2024-1738"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T00:15:10Z",
"severity": "CRITICAL"
},
"details": "An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization\u0027s evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results.",
"id": "GHSA-pcfp-5frw-85m7",
"modified": "2024-04-16T00:30:33Z",
"published": "2024-04-16T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1738"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/a4e61122e61dc31460cfbe54d15fae389cc440ce"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/f68ef361-7a5d-4272-9c2f-414baf074309"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PCG9-54G9-MP86
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microscope 3, as used by Shekar Endoscope, allow a TELNET connection with the molinkadmin password for the molink account.
{
"affected": [],
"aliases": [
"CVE-2020-12733"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-15T16:15:00Z",
"severity": "HIGH"
},
"details": "Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microscope 3, as used by Shekar Endoscope, allow a TELNET connection with the molinkadmin password for the molink account.",
"id": "GHSA-pcg9-54g9-mp86",
"modified": "2022-05-24T19:08:11Z",
"published": "2022-05-24T19:08:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12733"
},
{
"type": "WEB",
"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Depstech%20Microscope%20Smart%20Kid%20Toy.pdf"
},
{
"type": "WEB",
"url": "https://www.depstech.com/mw001-s02-wifi-usb-digital-microscope"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PCHC-86F6-8758
Vulnerability from github – Published: 2026-02-17 21:33 – Updated: 2026-02-20 16:44Summary
In affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled.
Affected Packages / Versions
- npm:
openclaw< 2026.2.13 - npm:
@openclaw/bluebubbles< 2026.2.13
Details
If a deployment exposes the BlueBubbles webhook endpoint through a same-host reverse proxy (or an attacker can reach loopback via SSRF), an unauthenticated party may be able to inject inbound webhook events into the agent pipeline.
Fix Commit(s)
- f836c385ffc746cb954e8ee409f99d079bfdcd2f
- 743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a (defense-in-depth)
Mitigations
- Set a non-empty BlueBubbles webhook password.
- Avoid deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.
Thanks @MegaManSec (https://joshua.hu) of AISLE Research Team for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@openclaw/bluebubbles"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26316"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T21:33:51Z",
"nvd_published_at": "2026-02-19T22:16:47Z",
"severity": "HIGH"
},
"details": "### Summary\n\nIn affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled.\n\n### Affected Packages / Versions\n\n- npm: `openclaw` `\u003c 2026.2.13`\n- npm: `@openclaw/bluebubbles` `\u003c 2026.2.13`\n\n### Details\n\nIf a deployment exposes the BlueBubbles webhook endpoint through a same-host reverse proxy (or an attacker can reach loopback via SSRF), an unauthenticated party may be able to inject inbound webhook events into the agent pipeline.\n\n### Fix Commit(s)\n\n- f836c385ffc746cb954e8ee409f99d079bfdcd2f\n- 743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a (defense-in-depth)\n\n### Mitigations\n\n- Set a non-empty BlueBubbles webhook password.\n- Avoid deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.\n\nThanks @MegaManSec (https://joshua.hu) of [AISLE Research Team](https://aisle.com/) for reporting.",
"id": "GHSA-pchc-86f6-8758",
"modified": "2026-02-20T16:44:12Z",
"published": "2026-02-17T21:33:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26316"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.12"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust"
}
GHSA-PCJ4-9FCJ-56C8
Vulnerability from github – Published: 2025-03-03 18:31 – Updated: 2025-04-25 15:31OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.
{
"affected": [],
"aliases": [
"CVE-2025-27370"
],
"database_specific": {
"cwe_ids": [
"CWE-305",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-03T18:15:40Z",
"severity": "MODERATE"
},
"details": "OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.",
"id": "GHSA-pcj4-9fcj-56c8",
"modified": "2025-04-25T15:31:20Z",
"published": "2025-03-03T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27370"
},
{
"type": "WEB",
"url": "https://github.com/OWASP/ASVS/issues/2678"
},
{
"type": "WEB",
"url": "https://eprint.iacr.org/2025/629"
},
{
"type": "WEB",
"url": "https://openid.net/notice-of-a-security-vulnerability"
},
{
"type": "WEB",
"url": "https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf"
},
{
"type": "WEB",
"url": "https://talks.secworkshop.events/osw2025/talk/R8D9BS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PCW8-H376-Q646
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-09-21 00:00An improper authorization vulnerability in the Simple Network Management Protocol daemon (snmpd) service of Juniper Networks Junos OS leads an unauthenticated attacker being able to perform SNMP read actions, an Exposure of System Data to an Unauthorized Control Sphere, or write actions to OIDs that support write operations, against the device without authentication. This issue affects: Juniper Networks Junos OS: 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R2; 19.2 versions prior to 19.2R1-S6, 19.2R2; 19.3 versions prior to 19.3R2. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1.
{
"affected": [],
"aliases": [
"CVE-2021-0260"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T20:15:00Z",
"severity": "HIGH"
},
"details": "An improper authorization vulnerability in the Simple Network Management Protocol daemon (snmpd) service of Juniper Networks Junos OS leads an unauthenticated attacker being able to perform SNMP read actions, an Exposure of System Data to an Unauthorized Control Sphere, or write actions to OIDs that support write operations, against the device without authentication. This issue affects: Juniper Networks Junos OS: 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R2; 19.2 versions prior to 19.2R1-S6, 19.2R2; 19.3 versions prior to 19.3R2. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1.",
"id": "GHSA-pcw8-h376-q646",
"modified": "2022-09-21T00:00:41Z",
"published": "2022-05-24T17:48:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0260"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11151"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.