Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5505 vulnerabilities reference this CWE, most recent first.

GHSA-X79X-9C8R-88HJ

Vulnerability from github – Published: 2024-02-12 18:31 – Updated: 2024-10-08 21:31
VLAI
Details

The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-12T16:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions \u0027handle_auth_request\u0027 and \u0027hadle_login_request\u0027. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.",
  "id": "GHSA-x79x-9c8r-88hj",
  "modified": "2024-10-08T21:31:05Z",
  "published": "2024-02-12T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6036"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/7f30ab20-805b-422c-a9a5-21d39c570ee4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7FQ-6476-543V

Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-02-10 00:00
VLAI
Details

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-03T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)",
  "id": "GHSA-x7fq-6476-543v",
  "modified": "2022-02-10T00:00:52Z",
  "published": "2022-02-10T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mastodon/mastodon/releases/tag/v3.3.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mastodon/mastodon/releases/tag/v3.4.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X7M9-MV49-FV73

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:38
VLAI
Summary
Vaultwarden vulnerable to user impersonation
Details

An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "vaultwarden"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.32.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-09T23:13:58Z",
    "nvd_published_at": "2025-01-09T21:15:29Z",
    "severity": "HIGH"
  },
  "details": "An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.",
  "id": "GHSA-x7m9-mv49-fv73",
  "modified": "2025-01-10T18:38:01Z",
  "published": "2025-01-09T21:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dani-garcia/vaultwarden/commit/20d9e885bfcd7df7828d92c6e59ed5fe7b40a879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dani-garcia/vaultwarden/commit/37c14c3c69b244ec50f5c62b4c9260171607c1d8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dani-garcia/vaultwarden"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5"
    },
    {
      "type": "WEB",
      "url": "https://insinuator.net/2024/11/vulnerability-disclosure-authentication-bypass-in-vaultwarden-versions-1-32-5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vaultwarden vulnerable to user impersonation"
}

GHSA-X7P9-QFHH-R6X9

Vulnerability from github – Published: 2023-05-23 03:30 – Updated: 2024-04-04 04:17
VLAI
Details

Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product's communication data and conduct an arbitrary operation under certain conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-23T02:15:09Z",
    "severity": "HIGH"
  },
  "details": "Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product\u0027s communication data and conduct an arbitrary operation under certain conditions.",
  "id": "GHSA-x7p9-qfhh-r6x9",
  "modified": "2024-04-04T04:17:41Z",
  "published": "2023-05-23T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25946"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN48687031"
    },
    {
      "type": "WEB",
      "url": "https://qrio.me/article/announce/2023/4140"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7QH-XCF8-P6CQ

Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-06-28 00:30
VLAI
Details

Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like "restore from snapshot" even if only allowed to do "delete snapshot".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T16:16:35Z",
    "severity": "HIGH"
  },
  "details": "Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like \"restore from snapshot\" even if only allowed to do \"delete snapshot\".",
  "id": "GHSA-x7qh-xcf8-p6cq",
  "modified": "2026-06-28T00:30:56Z",
  "published": "2026-06-22T18:34:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41048"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1262218"
    },
    {
      "type": "WEB",
      "url": "https://github.com/presire/qSnapper/releases/tag/v1.3.3"
    },
    {
      "type": "WEB",
      "url": "https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X7V8-7CPC-HV73

Vulnerability from github – Published: 2024-01-12 15:30 – Updated: 2024-01-12 15:30
VLAI
Details

Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-12T14:15:48Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.",
  "id": "GHSA-x7v8-7cpc-hv73",
  "modified": "2024-01-12T15:30:32Z",
  "published": "2024-01-12T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5356"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2188868"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/427154"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7WF-F6C9-X89J

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32
VLAI
Details

A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to modify protected parts of the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24121"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:17Z",
    "severity": "LOW"
  },
  "details": "A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to modify protected parts of the file system.",
  "id": "GHSA-x7wf-f6c9-x89j",
  "modified": "2025-11-03T21:32:24Z",
  "published": "2025-01-28T00:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24121"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122068"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122069"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122070"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/15"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/16"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X83W-23JP-G6PW

Vulnerability from github – Published: 2026-05-07 00:08 – Updated: 2026-05-07 00:08
VLAI
Summary
OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation
Details

Description

A flaw was identified in the OpenSearch Security plugin's document-level security (DLS) implementation. DLS restrictions were not correctly applied to search queries that use has_parent or has_child join relations. This could allow an authenticated user to access document contents that should have been restricted by DLS rules.

Impact

An authenticated user with access to an index containing parent/child join relations could bypass DLS restrictions on documents linked by those relations, potentially accessing restricted document contents. This only affects clusters that use both DLS and the join field type on the same index.

Patches

This issue is fixed in OpenSearch 2.19.4 and 3.2.0.

Workarounds

Avoid using the join field type on indices that are subject to DLS rules.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.19.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.19.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T00:08:34Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Description\n\nA flaw was identified in the OpenSearch Security plugin\u0027s document-level security (DLS) implementation. DLS restrictions were not correctly applied to search queries that use has_parent or has_child join relations. This could allow an authenticated user to access document contents that should have been restricted by DLS rules.\n\n### Impact\n\nAn authenticated user with access to an index containing parent/child join relations could bypass DLS restrictions on documents linked by those relations, potentially accessing restricted document contents. This only affects clusters that use both DLS and the `join` field type on the same index.\n\n### Patches\n\n This issue is fixed in OpenSearch `2.19.4` and `3.2.0`.\n\n### Workarounds\n\nAvoid using the `join` field type on indices that are subject to DLS rules.",
  "id": "GHSA-x83w-23jp-g6pw",
  "modified": "2026-05-07T00:08:34Z",
  "published": "2026-05-07T00:08:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-x83w-23jp-g6pw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation"
}

GHSA-X847-VXVJ-G6RJ

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-14 00:00
VLAI
Details

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.",
  "id": "GHSA-x847-vxvj-g6rj",
  "modified": "2022-06-14T00:00:37Z",
  "published": "2022-06-03T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1949"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2091781"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X84R-583W-G39W

Vulnerability from github – Published: 2022-05-24 22:33 – Updated: 2024-01-26 00:30
VLAI
Details

Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the “Web Help Desk Getting Started Wizard”, especially the admin account creationpage, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-26T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the \u201cWeb Help Desk Getting Started Wizard\u201d, especially the admin account creationpage, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback.",
  "id": "GHSA-x84r-583w-g39w",
  "modified": "2024-01-26T00:30:24Z",
  "published": "2022-05-24T22:33:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32076"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208278"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-32076"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.