CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5544 vulnerabilities reference this CWE, most recent first.
GHSA-PHGC-94QM-68PX
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin’s settings, wpcf7r_add_action to add actions to a form, and more.
{
"affected": [],
"aliases": [
"CVE-2021-24282"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-14T12:15:00Z",
"severity": "MODERATE"
},
"details": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin\u2019s settings, wpcf7r_add_action to add actions to a form, and more.",
"id": "GHSA-phgc-94qm-68px",
"modified": "2022-05-24T22:28:51Z",
"published": "2022-05-24T22:28:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24282"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PHGF-827R-FV8X
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01Auth. (subscriber+) Broken Access Control vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemap.
{
"affected": [],
"aliases": [
"CVE-2022-36404"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "Auth. (subscriber+) Broken Access Control vulnerability in David Cole Simple SEO plugin \u003c= 1.8.12 on WordPress allows attackers to create or delete sitemap.",
"id": "GHSA-phgf-827r-fv8x",
"modified": "2022-11-04T19:01:16Z",
"published": "2022-11-04T12:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36404"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/cds-simple-seo/wordpress-simple-seo-plugin-1-8-12-authenticated-sitemap-deletion-creation-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/cds-simple-seo/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PHJ6-W4WF-6MRR
Vulnerability from github – Published: 2024-08-06 15:30 – Updated: 2024-08-06 15:30Incorrect Authorization vulnerability identified in OpenText ArcSight Intelligence.
{
"affected": [],
"aliases": [
"CVE-2024-6358"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T13:15:56Z",
"severity": "MODERATE"
},
"details": "Incorrect Authorization vulnerability identified in OpenText ArcSight Intelligence.",
"id": "GHSA-phj6-w4wf-6mrr",
"modified": "2024-08-06T15:30:53Z",
"published": "2024-08-06T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6358"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000032595"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHR2-VR74-WHPX
Vulnerability from github – Published: 2026-07-03 00:31 – Updated: 2026-07-03 00:31Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2026-54998"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T23:16:51Z",
"severity": "HIGH"
},
"details": "Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.",
"id": "GHSA-phr2-vr74-whpx",
"modified": "2026-07-03T00:31:53Z",
"published": "2026-07-03T00:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54998"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54998"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJ74-HXF7-XF99
Vulnerability from github – Published: 2023-05-22 00:30 – Updated: 2024-04-04 04:15There is an LDAP bind credentials exposure on KACE Systems Deployment and Remote Site appliances 9.0.146. The captured credentials may provide a higher privilege level on the Active Directory domain. To exploit this, an authenticated attacker edits the user-authentication settings to specify an attacker-controlled LDAP server, clicks the Test Settings button, and captures the cleartext credentials.
{
"affected": [],
"aliases": [
"CVE-2023-33254"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-21T22:15:15Z",
"severity": "MODERATE"
},
"details": "There is an LDAP bind credentials exposure on KACE Systems Deployment and Remote Site appliances 9.0.146. The captured credentials may provide a higher privilege level on the Active Directory domain. To exploit this, an authenticated attacker edits the user-authentication settings to specify an attacker-controlled LDAP server, clicks the Test Settings button, and captures the cleartext credentials.",
"id": "GHSA-pj74-hxf7-xf99",
"modified": "2024-04-04T04:15:50Z",
"published": "2023-05-22T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33254"
},
{
"type": "WEB",
"url": "https://www.stevencampbell.info/KACE-LDAP-Bind-Credential-Exposure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJ96-XH2W-FGQX
Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-05-08 17:15A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0-beta"
},
{
"fixed": "4.3.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0-beta"
},
{
"fixed": "4.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3645"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-25T17:28:36Z",
"nvd_published_at": "2025-04-25T15:15:38Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users\u0027 names and online statuses.",
"id": "GHSA-pj96-xh2w-fgqx",
"modified": "2025-05-08T17:15:44Z",
"published": "2025-04-25T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3645"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/2fd810c8981f9b10087467a3b8fce779b157200f"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/a8179842b450659c288f284e06361a4fbab8742a"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/bb65effe41524d8373c1dc499c3323ac469ea558"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3645"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359761"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-72704\u0026type=commits"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=467606"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle has an IDOR in messaging web service which allows access to some user details"
}
GHSA-PJ99-JGM5-C727
Vulnerability from github – Published: 2023-10-26 06:30 – Updated: 2024-04-04 08:56The admin panel for Obl.ong before 1.1.2 allows authorization bypass because the email OTP feature accepts arbitrary numerical values.
{
"affected": [],
"aliases": [
"CVE-2023-46754"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-26T05:15:26Z",
"severity": "MODERATE"
},
"details": "The admin panel for Obl.ong before 1.1.2 allows authorization bypass because the email OTP feature accepts arbitrary numerical values.",
"id": "GHSA-pj99-jgm5-c727",
"modified": "2024-04-04T08:56:40Z",
"published": "2023-10-26T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46754"
},
{
"type": "WEB",
"url": "https://github.com/obl-ong/admin/releases/tag/v1.1.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJG7-VMGM-6QRP
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-05-24 17:07In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.
{
"affected": [],
"aliases": [
"CVE-2020-8495"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-30T22:15:00Z",
"severity": "MODERATE"
},
"details": "In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.",
"id": "GHSA-pjg7-vmgm-6qrp",
"modified": "2022-05-24T17:07:48Z",
"published": "2022-05-24T17:07:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8495"
},
{
"type": "WEB",
"url": "https://www.kronos.com/products/kronos-webta"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html"
},
{
"type": "WEB",
"url": "http://www.nolanbkennedy.com/post/privilege-escalation-in-kronos-web-time-and-attendance-webta"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PJG9-QWH6-G7W9
Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2024-44247"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T21:15:06Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system.",
"id": "GHSA-pjg9-qwh6-g7w9",
"modified": "2026-04-02T21:31:59Z",
"published": "2024-10-28T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44247"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121564"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121568"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121570"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJVX-RX66-R3FG
Vulnerability from github – Published: 2026-03-09 19:54 – Updated: 2026-03-09 19:54Summary
/allowlist ... --store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store.
Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account.
This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user who can run /allowlist edits.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version checked:
2026.3.2 - Affected versions:
<= 2026.3.2 - Fixed on
main: March 7, 2026 in70da80bcb5574a10925469048d2ebb2abf882e73 - Patched release:
2026.3.7
Details
The affected path was:
- src/auto-reply/reply/commands-allowlist.ts:386-393 resolved accountId and read store state with it
- src/auto-reply/reply/commands-allowlist.ts:697-702 and src/auto-reply/reply/commands-allowlist.ts:730-733 wrote store state without passing accountId
- src/pairing/pairing-store.ts:231-234 and src/pairing/pairing-store.ts:534-554 still merged legacy unscoped allowlist entries into the default account
The fix scopes /allowlist ... --store writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through.
Impact
- Vulnerability class: improper authorization scoping / incorrect authorization
- Exploitation requires: an already-authorized sender who can run
/allowlistedits - Security effect: unintended authorization expansion from one channel account into
default
Fix Commit(s)
70da80bcb5574a10925469048d2ebb2abf882e73— scope/allowlist ... --storewrites by account and clean up legacy default-account removals
Release Process Note
npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.2"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T19:54:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n`/allowlist ... --store` resolved the selected channel `accountId` for reads, but store writes still dropped that `accountId` and wrote into the legacy unscoped pairing allowlist store.\n\nBecause default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the `default` account.\n\nThis is a real cross-account sender-authorization scoping bug. Severity is set to **medium** because exploitation requires an already-authorized user who can run `/allowlist` edits.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version checked: `2026.3.2`\n- Affected versions: `\u003c= 2026.3.2`\n- Fixed on `main`: March 7, 2026 in `70da80bcb5574a10925469048d2ebb2abf882e73`\n- Patched release: `2026.3.7`\n\n### Details\nThe affected path was:\n- `src/auto-reply/reply/commands-allowlist.ts:386-393` resolved `accountId` and read store state with it\n- `src/auto-reply/reply/commands-allowlist.ts:697-702` and `src/auto-reply/reply/commands-allowlist.ts:730-733` wrote store state without passing `accountId`\n- `src/pairing/pairing-store.ts:231-234` and `src/pairing/pairing-store.ts:534-554` still merged legacy unscoped allowlist entries into the `default` account\n\nThe fix scopes `/allowlist ... --store` writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through.\n\n### Impact\n- Vulnerability class: improper authorization scoping / incorrect authorization\n- Exploitation requires: an already-authorized sender who can run `/allowlist` edits\n- Security effect: unintended authorization expansion from one channel account into `default`\n\n### Fix Commit(s)\n- `70da80bcb5574a10925469048d2ebb2abf882e73` \u2014 scope `/allowlist ... --store` writes by account and clean up legacy default-account removals\n\n### Release Process Note\nnpm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.\n\nThanks @tdjackey for reporting.",
"id": "GHSA-pjvx-rx66-r3fg",
"modified": "2026-03-09T19:54:08Z",
"published": "2026-03-09T19:54:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/70da80bcb5574a10925469048d2ebb2abf882e73"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.