Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5511 vulnerabilities reference this CWE, most recent first.

GHSA-XGHP-2WJ5-QCMQ

Vulnerability from github – Published: 2022-03-03 00:00 – Updated: 2022-03-17 00:04
VLAI
Details

Improper Authorization in GitHub repository webmin/webmin prior to 1.990.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-02T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Authorization in GitHub repository webmin/webmin prior to 1.990.",
  "id": "GHSA-xghp-2wj5-qcmq",
  "modified": "2022-03-17T00:04:16Z",
  "published": "2022-03-03T00:00:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webmin/webmin/commit/eeeea3c097f5cc473770119f7ac61f1dcfa671b9"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f2d0389f-d7d1-4f34-9f9d-268b0a0da05e"
    },
    {
      "type": "WEB",
      "url": "https://notes.netbytesec.com/2022/03/webmin-broken-access-control-to-post-auth-rce.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XGRF-RHVW-H8MR

Vulnerability from github – Published: 2023-02-09 18:30 – Updated: 2025-03-25 15:31
VLAI
Details

The multi-screen collaboration module has a privilege escalation vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "The multi-screen collaboration module has a privilege escalation vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.",
  "id": "GHSA-xgrf-rhvw-h8mr",
  "modified": "2025-03-25T15:31:12Z",
  "published": "2023-02-09T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48286"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/2"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202302-0000001454769474"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XGWG-M42C-8Q62

Vulnerability from github – Published: 2026-03-21 03:31 – Updated: 2026-03-24 19:06
VLAI
Summary
Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-v8cg-4474-49v8. This link is maintained to preserve external references.

Original Description

OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders through message_changed, message_deleted, and thread_broadcast events.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:06:23Z",
    "nvd_published_at": "2026-03-21T01:17:10Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-v8cg-4474-49v8. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders through message_changed, message_deleted, and thread_broadcast events.",
  "id": "GHSA-xgwg-m42c-8q62",
  "modified": "2026-03-24T19:06:23Z",
  "published": "2026-03-21T03:31:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cg-4474-49v8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/3d30ba18a2aba1e1b302e77ff33145c3b06c01c8"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-in-slack-system-event-handlers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers",
  "withdrawn": "2026-03-24T19:06:23Z"
}

GHSA-XH25-GX5F-4HQG

Vulnerability from github – Published: 2025-12-19 00:31 – Updated: 2025-12-19 00:31
VLAI
Details

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T23:15:49Z",
    "severity": "MODERATE"
  },
  "details": "Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document\u0027s sharing type to \"global,\" even though they do not have permission to do so, making it visible to everyone in the space via a crafted a HTTP request.",
  "id": "GHSA-xh25-gx5f-4hqg",
  "modified": "2025-12-19T00:31:42Z",
  "published": "2025-12-19T00:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68386"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-38/384186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XH2C-FH83-6HGX

Vulnerability from github – Published: 2022-10-01 00:00 – Updated: 2025-05-20 21:30
VLAI
Details

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-30T04:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.",
  "id": "GHSA-xh2c-fh83-6hgx",
  "modified": "2025-05-20T21:30:26Z",
  "published": "2022-10-01T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2778"
    },
    {
      "type": "WEB",
      "url": "https://advisories.octopus.com/post/2022/sa2022-15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XH54-7XJP-2239

Vulnerability from github – Published: 2022-12-15 21:30 – Updated: 2022-12-21 18:30
VLAI
Details

An access issue was addressed with additional sandbox restrictions on third-party apps. This issue is fixed in macOS Ventura 13. An app may be able to record audio with paired AirPods.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An access issue was addressed with additional sandbox restrictions on third-party apps. This issue is fixed in macOS Ventura 13. An app may be able to record audio with paired AirPods.",
  "id": "GHSA-xh54-7xjp-2239",
  "modified": "2022-12-21T18:30:24Z",
  "published": "2022-12-15T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32945"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213488"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213489"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XH5J-7F7G-7G5C

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35
VLAI
Details

An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-10T11:15:00Z",
    "severity": "LOW"
  },
  "details": "An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user\u0027s personal account data as well as sub-trees with restricted access.",
  "id": "GHSA-xh5j-7f7g-7g5c",
  "modified": "2022-05-24T17:35:58Z",
  "published": "2022-05-24T17:35:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8919"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65"
    },
    {
      "type": "WEB",
      "url": "https://www.gerritcodereview.com/2.15.html#21521"
    },
    {
      "type": "WEB",
      "url": "https://www.gerritcodereview.com/2.16.html#21625"
    },
    {
      "type": "WEB",
      "url": "https://www.gerritcodereview.com/3.0.html#3014"
    },
    {
      "type": "WEB",
      "url": "https://www.gerritcodereview.com/3.1.html#3110"
    },
    {
      "type": "WEB",
      "url": "https://www.gerritcodereview.com/3.2.html#325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XH7F-2C8G-37P4

Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2025-10-22 00:32
VLAI
Details

The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-10T17:47:00Z",
    "severity": "CRITICAL"
  },
  "details": "The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.",
  "id": "GHSA-xh7f-2c8g-37p4",
  "modified": "2025-10-22T00:32:30Z",
  "published": "2022-03-11T00:02:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26143"
    },
    {
      "type": "WEB",
      "url": "https://arstechnica.com/information-technology/2022/03/ddosers-use-new-method-capable-of-amplifying-traffic-by-a-factor-of-4-billion"
    },
    {
      "type": "WEB",
      "url": "https://blog.cloudflare.com/cve-2022-26143"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=30614073"
    },
    {
      "type": "WEB",
      "url": "https://team-cymru.com/blog/2022/03/08/record-breaking-ddos-potential-discovered-cve-2022-26143"
    },
    {
      "type": "WEB",
      "url": "https://www.akamai.com/blog/security/phone-home-ddos-attack-vector"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26143"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-amplification-ddos-attack-vector"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XH9Q-JVQ8-P253

Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05
VLAI
Details

In showNextSecurityScreenOrFinish of KeyguardSecurityContainerController.java, there is a possible way to access the lock screen during device setup due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T00:15:23Z",
    "severity": "HIGH"
  },
  "details": "In showNextSecurityScreenOrFinish of KeyguardSecurityContainerController.java, there is a possible way to access the lock screen during device setup due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
  "id": "GHSA-xh9q-jvq8-p253",
  "modified": "2024-04-04T06:05:19Z",
  "published": "2023-07-13T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21245"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/base/+/a33159e8cb297b9eee6fa5c63c0e343d05fad622"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-07-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHGQ-H98J-859V

Vulnerability from github – Published: 2025-01-22 18:31 – Updated: 2025-01-22 19:08
VLAI
Summary
Incorrect permission check in Jenkins GitLab Plugin allows enumerating credentials IDs
Details

The Jenkins GitLab Plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token credentials and Secret text credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credential IDs in GitLab Plugin 1.9.7 requires Overall/Administer permission.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:gitlab-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-22T19:08:12Z",
    "nvd_published_at": "2025-01-22T17:15:13Z",
    "severity": "MODERATE"
  },
  "details": "The Jenkins GitLab Plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint.\n\nThis allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token credentials and Secret text credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.\n\nAn enumeration of credential IDs in GitLab Plugin 1.9.7 requires Overall/Administer permission.\n",
  "id": "GHSA-xhgq-h98j-859v",
  "modified": "2025-01-22T19:08:13Z",
  "published": "2025-01-22T18:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24397"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/gitlab-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3260"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect permission check in Jenkins GitLab Plugin allows enumerating credentials IDs "
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.