Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5556 vulnerabilities reference this CWE, most recent first.

GHSA-R2X6-4XHX-P3QC

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2025-11-04 21:30
VLAI
Details

An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14. An app may be able to bypass certain Privacy preferences.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:26Z",
    "severity": "MODERATE"
  },
  "details": "An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14. An app may be able to bypass certain Privacy preferences.",
  "id": "GHSA-r2x6-4xhx-p3qc",
  "modified": "2025-11-04T21:30:42Z",
  "published": "2023-09-27T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41078"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213940"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213940"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Oct/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2X7-P32R-G3VJ

Vulnerability from github – Published: 2022-05-01 23:31 – Updated: 2025-04-09 03:52
VLAI
Details

dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-0595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-02-29T19:44:00Z",
    "severity": "MODERATE"
  },
  "details": "dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.",
  "id": "GHSA-r2x7-p32r-g3vj",
  "modified": "2025-04-09T03:52:03Z",
  "published": "2022-05-01T23:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0595"
    },
    {
      "type": "WEB",
      "url": "https://issues.rpath.com/browse/RPL-2282"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9353"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00893.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00911.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.freedesktop.org/archives/dbus/2008-February/009401.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29148"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29160"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29171"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29173"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29281"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29323"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/30869"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32281"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1019512"
    },
    {
      "type": "WEB",
      "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0099"
    },
    {
      "type": "WEB",
      "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0099"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2008/dsa-1599"
    },
    {
      "type": "WEB",
      "url": "http://www.j5live.com/2008/02/27/announce-d-bus-1120-conisten-water-released"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:054"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0159.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/489280/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28023"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/usn-653-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0694"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R32R-J5JQ-3W4M

Vulnerability from github – Published: 2026-03-04 20:07 – Updated: 2026-03-04 20:07
VLAI
Summary
Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager
Details

Summary

A Manager account (access_all=false) was able to escalate privileges by directly invoking the bulk-access API against collections that were not originally assigned to them. The API allowed changing assigned=false to assigned=true, resulting in unauthorized access.

Additionally, prior to the bulk-access call, the regular single-update API correctly returned 401 Unauthorized for the same collection. After executing the bulk-access API, the same update API returned 200 OK, confirming an authorization gap at the HTTP level.


Description

  • The endpoint accepts ManagerHeadersLoose and does not validate access rights for the specified collectionIds. src/api/core/organizations.rs:551

rust headers: ManagerHeadersLoose,

  • The received collection_ids are processed directly without per-collection authorization checks. src/api/core/organizations.rs:564

rust for col_id in data.collection_ids {

  • Existing group assignments for the collection are deleted. src/api/core/organizations.rs:583

rust CollectionGroup::delete_all_by_collection(&col_id, &conn).await?;

  • Existing user assignments for the collection are deleted. src/api/core/organizations.rs:590

rust CollectionUser::delete_all_by_collection(&col_id, &conn).await?;

  • By comparison, another bulk-processing endpoint performs per-collection validation using from_loose. src/api/core/organizations.rs:787

rust let headers = ManagerHeaders::from_loose(headers, &collections, &conn).await?;

  • The actual access control logic is implemented in can_access_collection, which is not invoked in the bulk-access endpoint. src/auth.rs:911

rust if !Collection::can_access_collection(&h.membership, col_id, conn).await {


Preconditions

  • The attacker possesses a valid Manager account within the target organization.
  • The organization contains collections that are not assigned to the attacker.
  • The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).

Steps to Reproduce

  1. Log in as a Manager and obtain a Bearer token. image

  2. Confirm the current values of assigned, manage, readOnly, and hidePasswords for the target collection. image

  3. Verify that the standard update API returns 401 Unauthorized when attempting to modify the unassigned collection. image

  4. Invoke the bulk-access API, including: image

  5. collectionIds containing the target collection

  6. users containing the attacker’s own membership_id Confirm that the API returns 200 OK.

  7. Re-run the standard update API. Confirm that it now succeeds and that the previously unauthorized modification is applied. image


Required Minimum Privileges

  • Manager role within the target organization (the issue occurs even when access_all=false)

Attack Scenario

A delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.

Because the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users’ access, enabling denial-of-service or sabotage within the organization.


Potential Impact

  • Confidentiality: Unauthorized access to sensitive information within restricted collections.
  • Integrity: Unauthorized modification of collection permission settings and arbitrary changes to access controls.
  • Availability: Deletion of existing assignments may cause legitimate users to lose access.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.35.3"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "vaultwarden"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.35.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:07:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA Manager account (`access_all=false`) was able to escalate privileges by directly invoking the **bulk-access API** against collections that were not originally assigned to them.\nThe API allowed changing `assigned=false` to `assigned=true`, resulting in unauthorized access.\n\nAdditionally, prior to the bulk-access call, the regular single-update API correctly returned **401 Unauthorized** for the same collection. After executing the bulk-access API, the same update API returned **200 OK**, confirming an authorization gap at the HTTP level.\n\n---\n\n## Description\n\n* The endpoint accepts `ManagerHeadersLoose` and does not validate access rights for the specified `collectionIds`.\n  src/api/core/organizations.rs:551\n\n  ```rust\n  headers: ManagerHeadersLoose,\n  ```\n\n* The received `collection_ids` are processed directly without per-collection authorization checks.\n  src/api/core/organizations.rs:564\n\n  ```rust\n  for col_id in data.collection_ids {\n  ```\n\n* Existing group assignments for the collection are deleted.\n  src/api/core/organizations.rs:583\n\n  ```rust\n  CollectionGroup::delete_all_by_collection(\u0026col_id, \u0026conn).await?;\n  ```\n\n* Existing user assignments for the collection are deleted.\n  src/api/core/organizations.rs:590\n\n  ```rust\n  CollectionUser::delete_all_by_collection(\u0026col_id, \u0026conn).await?;\n  ```\n\n* By comparison, another bulk-processing endpoint performs per-collection validation using `from_loose`.\n  src/api/core/organizations.rs:787\n\n  ```rust\n  let headers = ManagerHeaders::from_loose(headers, \u0026collections, \u0026conn).await?;\n  ```\n\n* The actual access control logic is implemented in `can_access_collection`, which is not invoked in the bulk-access endpoint.\n  src/auth.rs:911\n\n  ```rust\n  if !Collection::can_access_collection(\u0026h.membership, col_id, conn).await {\n  ```\n\n---\n\n## Preconditions\n\n* The attacker possesses a valid **Manager account** within the target organization.\n* The organization contains collections that are **not assigned** to the attacker.\n* The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).\n\n---\n\n## Steps to Reproduce\n\n1. Log in as a Manager and obtain a Bearer token.\n\u003cimg width=\"4016\" height=\"1690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/218f05e2-6a2e-4066-8f8d-6bbef1cc5858\" /\u003e\n\n2. Confirm the current values of `assigned`, `manage`, `readOnly`, and `hidePasswords` for the target collection.\n\u003cimg width=\"4026\" height=\"1694\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a6d2fc70-5370-4984-85bd-a6f74febdfa3\" /\u003e\n\n3. Verify that the standard update API returns **401 Unauthorized** when attempting to modify the unassigned collection.\n\u003cimg width=\"4030\" height=\"1708\" alt=\"image\" src=\"https://github.com/user-attachments/assets/802f0d2b-d474-44d2-beef-b4f7f3335225\" /\u003e\n\n4. Invoke the bulk-access API, including:\n\u003cimg width=\"4036\" height=\"1120\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1d3caa01-3ac2-4636-9ed0-189e5923c986\" /\u003e\n\n   * `collectionIds` containing the target collection\n   * `users` containing the attacker\u2019s own `membership_id`\n     Confirm that the API returns **200 OK**.\n\n5. Re-run the standard update API.\n   Confirm that it now succeeds and that the previously unauthorized modification is applied.\n\u003cimg width=\"4040\" height=\"1440\" alt=\"image\" src=\"https://github.com/user-attachments/assets/340e9676-d802-404c-b894-9986a176360a\" /\u003e\n\n---\n\n## Required Minimum Privileges\n\n* Manager role within the target organization\n  (the issue occurs even when `access_all=false`)\n\n---\n\n## Attack Scenario\n\nA delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.\n\nBecause the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users\u2019 access, enabling denial-of-service or sabotage within the organization.\n\n---\n\n## Potential Impact\n\n* **Confidentiality:** Unauthorized access to sensitive information within restricted collections.\n* **Integrity:** Unauthorized modification of collection permission settings and arbitrary changes to access controls.\n* **Availability:** Deletion of existing assignments may cause legitimate users to lose access.",
  "id": "GHSA-r32r-j5jq-3w4m",
  "modified": "2026-03-04T20:07:21Z",
  "published": "2026-03-04T20:07:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dani-garcia/vaultwarden"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager"
}

GHSA-R32W-VRGX-96X6

Vulnerability from github – Published: 2023-06-29 21:30 – Updated: 2024-04-04 05:18
VLAI
Details

A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-602",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-29T19:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to \u0027Developer Mode\u0027. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.",
  "id": "GHSA-r32w-vrgx-96x6",
  "modified": "2024-04-04T05:18:14Z",
  "published": "2023-06-29T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30955"
    },
    {
      "type": "WEB",
      "url": "https://palantir.safebase.us/?tcuUid=0c3f6c33-4eb0-48b5-ab87-fe48c46a4170"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R355-75HW-R8JF

Vulnerability from github – Published: 2025-10-14 21:30 – Updated: 2025-10-20 21:05
VLAI
Summary
Magento allows incorrect authorization
Details

Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.9-alpha1"
            },
            {
              "fixed": "2.4.9-alpha3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.8-beta1"
            },
            {
              "fixed": "2.4.8-p3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.7-beta1"
            },
            {
              "fixed": "2.4.7-p8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.6-p13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.8"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.7"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.6"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/project-community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-20T21:05:53Z",
    "nvd_published_at": "2025-10-14T21:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-r355-75hw-r8jf",
  "modified": "2025-10-20T21:05:53Z",
  "published": "2025-10-14T21:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54265"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magento/magento2"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Magento allows incorrect authorization"
}

GHSA-R382-73HV-R5J2

Vulnerability from github – Published: 2024-04-08 09:31 – Updated: 2024-08-01 15:31
VLAI
Details

Vulnerability of package name verification being bypassed in the HwIms module. Impact: Successful exploitation of this vulnerability will affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T09:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Vulnerability of package name verification being bypassed in the HwIms module.\nImpact: Successful exploitation of this vulnerability will affect availability.",
  "id": "GHSA-r382-73hv-r5j2",
  "modified": "2024-08-01T15:31:37Z",
  "published": "2024-04-08T09:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52538"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/3"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202403-0000001667644725"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R38R-HVG8-XQHF

Vulnerability from github – Published: 2026-05-27 21:31 – Updated: 2026-05-27 21:31
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T19:16:24Z",
    "severity": "MODERATE"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.",
  "id": "GHSA-r38r-hvg8-xqhf",
  "modified": "2026-05-27T21:31:25Z",
  "published": "2026-05-27T21:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6713"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3644605"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/597490"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R39C-VF2W-53J7

Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31
VLAI
Details

ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T18:16:40Z",
    "severity": "HIGH"
  },
  "details": "ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.",
  "id": "GHSA-r39c-vf2w-53j7",
  "modified": "2026-06-29T18:31:56Z",
  "published": "2026-06-29T18:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57950"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YunaiV/ruoyi-vue-pro/issues/1161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YunaiV/ruoyi-vue-pro/commit/5d1fd70dc3e61bf64e7ce3328a71cc60001175c6"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/ruoyi-vue-pro-incorrect-permission-namespace-in-erpsaleordercontroller"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R3GM-FV85-XJQJ

Vulnerability from github – Published: 2026-03-21 03:31 – Updated: 2026-03-21 03:31
VLAI
Details

OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-21T01:17:06Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.",
  "id": "GHSA-r3gm-fv85-xjqj",
  "modified": "2026-03-21T03:31:13Z",
  "published": "2026-03-21T03:31:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32042"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unpaired-device-identity-in-shared-gateway-authentication"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R3HX-QFH5-R9M7

Vulnerability from github – Published: 2024-03-27 18:32 – Updated: 2024-03-27 21:56
VLAI
Summary
Elasticsearch Incorrect Authorization vulnerability
Details

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.elasticsearch:elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.10.0"
            },
            {
              "fixed": "8.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23451"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-27T21:56:03Z",
    "nvd_published_at": "2024-03-27T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a\u00a0malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.",
  "id": "GHSA-r3hx-qfh5-r9m7",
  "modified": "2024-03-27T21:56:03Z",
  "published": "2024-03-27T18:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23451"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elasticsearch-8-13-0-security-update-esa-2024-07/356315"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elastic/elasticsearch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Elasticsearch Incorrect Authorization vulnerability"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.