CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-44400 (GCVE-0-2026-44400)
Vulnerability from cvelistv5 – Published: 2026-05-08 20:22 – Updated: 2026-05-25 23:42
Title
MailEnable Enterprise Premium < 10.55 Authorization Bypass via WebAdmin
Summary
MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions.
Severity
8.7 (High) (CVSS 4.0); 8.1 (High) (CVSS 3.1)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
VulnCheck
References
2 references
| URL | Tags |
|---|---|
| https://www.mailenable.com/Premium-ReleaseNotes.txt | release-notes |
| https://www.vulncheck.com/advisories/mailenable-e… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| MailEnable | MailEnable Enterprise Premium | Affected: 0 to ≤ 10.55 (custom) |
Date Public
2026-05-07 21:00
Credits
dninh of SACOMBANK (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:07:38.767996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:17:13.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MailEnable Enterprise Premium",
"vendor": "MailEnable",
"versions": [
{
"lessThanOrEqual": "10.55",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "dninh of SACOMBANK"
}
],
"datePublic": "2026-05-07T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions.\u003c/p\u003e"
}
],
"value": "MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:42:21.184Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.mailenable.com/Premium-ReleaseNotes.txt"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/mailenable-enterprise-premium-authorization-bypass-via-webadmin"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MailEnable Enterprise Premium \u003c 10.55 Authorization Bypass via WebAdmin",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-44400",
"datePublished": "2026-05-08T20:22:43.554Z",
"dateReserved": "2026-05-05T21:38:43.137Z",
"dateUpdated": "2026-05-25T23:42:21.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44423 (GCVE-0-2026-44423)
Vulnerability from cvelistv5 – Published: 2026-05-13 21:07 – Updated: 2026-05-14 12:50
Title
ShellHub: Cross-tenant IDOR in `GET /api/sessions/:uid` discloses SSH session data
Summary
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. This vulnerability is fixed in 0.24.2.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/shellhub-io/shellhub/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| shellhub-io | shellhub | Affected: < 0.24.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44423",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:50:34.800667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:50:40.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shellhub",
"vendor": "shellhub-io",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller\u0027s tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. This vulnerability is fixed in 0.24.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T21:07:33.174Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q"
}
],
"source": {
"advisory": "GHSA-9w9c-9w8m-w89q",
"discovery": "UNKNOWN"
},
"title": "ShellHub: Cross-tenant IDOR in `GET /api/sessions/:uid` discloses SSH session data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44423",
"datePublished": "2026-05-13T21:07:33.174Z",
"dateReserved": "2026-05-06T14:40:00.953Z",
"dateUpdated": "2026-05-14T12:50:40.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44424 (GCVE-0-2026-44424)
Vulnerability from cvelistv5 – Published: 2026-05-13 21:06 – Updated: 2026-05-14 12:58
Title
ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace
Summary
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/shellhub-io/shellhub/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| shellhub-io | shellhub | Affected: < 0.24.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44424",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:58:24.657144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:58:51.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shellhub",
"vendor": "shellhub-io",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller\u0027s namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T21:06:49.859Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f"
}
],
"source": {
"advisory": "GHSA-j72x-xfwg-783f",
"discovery": "UNKNOWN"
},
"title": "ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44424",
"datePublished": "2026-05-13T21:06:49.859Z",
"dateReserved": "2026-05-06T14:40:00.953Z",
"dateUpdated": "2026-05-14T12:58:51.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44426 (GCVE-0-2026-44426)
Vulnerability from cvelistv5 – Published: 2026-05-13 21:06 – Updated: 2026-05-14 15:54
Title
ShellHub: Cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check
Summary
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope. The handler conditionally skips the membership check when the user ID (X-ID) is absent, which is exactly the case for API Key authentication. This vulnerability is fixed in 0.24.2.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/shellhub-io/shellhub/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| shellhub-io | shellhub | Affected: < 0.24.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44426",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:54:14.455227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:54:46.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-vwx9-7qcf-gg7f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shellhub",
"vendor": "shellhub-io",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object \u2014 including\nthe members list (user IDs, e-mails, roles), settings, and device counts \u2014 to any caller authenticated by an API Key, for any tenant, regardless of the API Key\u0027s own tenant scope. The handler conditionally skips the membership check when the user ID (X-ID) is absent, which is exactly the case for API Key authentication. This vulnerability is fixed in 0.24.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T21:06:06.222Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-vwx9-7qcf-gg7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-vwx9-7qcf-gg7f"
}
],
"source": {
"advisory": "GHSA-vwx9-7qcf-gg7f",
"discovery": "UNKNOWN"
},
"title": "ShellHub: Cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44426",
"datePublished": "2026-05-13T21:06:06.222Z",
"dateReserved": "2026-05-06T14:40:00.953Z",
"dateUpdated": "2026-05-14T15:54:46.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44504 (GCVE-0-2026-44504)
Vulnerability from cvelistv5 – Published: 2026-05-14 15:52 – Updated: 2026-05-16 00:38
Title
Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)
Summary
Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, deployments with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's thread_id, can execute graph runs against the user's thread, read the user's full checkpoint state, and inject arbitrary messages into the user's conversation history. This vulnerability is fixed in 0.9.7.
Severity
8.6 (High)
Assigner
GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/aegra/aegra/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T00:38:07.708619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T00:38:24.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "aegra",
"vendor": "aegra",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user\u0027s thread_id, can execute graph runs against the user\u0027s thread, read the user\u0027s full checkpoint state, and inject arbitrary messages into the user\u0027s conversation history. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:52:30.547Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aegra/aegra/security/advisories/GHSA-m98r-6667-4wq7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aegra/aegra/security/advisories/GHSA-m98r-6667-4wq7"
}
],
"source": {
"advisory": "GHSA-m98r-6667-4wq7",
"discovery": "UNKNOWN"
},
"title": "Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44504",
"datePublished": "2026-05-14T15:52:30.547Z",
"dateReserved": "2026-05-06T18:28:20.886Z",
"dateUpdated": "2026-05-16T00:38:24.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44544 (GCVE-0-2026-44544)
Vulnerability from cvelistv5 – Published: 2026-05-14 17:34 – Updated: 2026-05-15 18:05
Title
gittuf: Policy can be rolled back to prior valid version
Summary
gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys. gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf's TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy’s root metadata is signed by the required threshold of the current policy's root keys. Because of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy's set of root keys), thereby rolling back gittuf's policy to the attacker's chosen state. This vulnerability is fixed in 0.14.0.
Severity
4.9 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gittuf/gittuf/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gittuf/gittuf/commit/dd76efa50… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44544",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T16:44:10.097846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:05:22.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gittuf",
"vendor": "gittuf",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf\u0027s Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys. gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf\u0027s TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy\u2019s root metadata is signed by the required threshold of the current policy\u0027s root keys. Because of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy\u0027s set of root keys), thereby rolling back gittuf\u0027s policy to the attacker\u0027s chosen state. This vulnerability is fixed in 0.14.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T17:34:39.692Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gittuf/gittuf/security/advisories/GHSA-vxvc-cg7j-rwqj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gittuf/gittuf/security/advisories/GHSA-vxvc-cg7j-rwqj"
},
{
"name": "https://github.com/gittuf/gittuf/commit/dd76efa505f9137a4a9a625c5ac67b333365a1b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gittuf/gittuf/commit/dd76efa505f9137a4a9a625c5ac67b333365a1b8"
}
],
"source": {
"advisory": "GHSA-vxvc-cg7j-rwqj",
"discovery": "UNKNOWN"
},
"title": "gittuf: Policy can be rolled back to prior valid version"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44544",
"datePublished": "2026-05-14T17:34:39.692Z",
"dateReserved": "2026-05-06T19:38:10.568Z",
"dateUpdated": "2026-05-15T18:05:22.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44570 (GCVE-0-2026-44570)
Vulnerability from cvelistv5 – Published: 2026-05-15 21:05 – Updated: 2026-05-19 03:55
Title
Open WebUI: Inconsistent authorization controls within memories API
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories. Using a newly created non-admin user with no existing memories, it is possible to view existing memories via POST /api/v1/memories/query. Similarly, even if a non-admin user cannot modify another user's memory data via POST /api/v1/memories/{memory_id}/update, the endpoint's response improperly leaks the content of that memory if a valid memory_id is known. The DELETE /api/v1/memories/{memory_id} can also be used by any user to delete an existing memory. Deleted memories can then be restored by calling the POST /api/v1/memories/{memory_id}/update endpoint again. This vulnerability is fixed in 0.6.19.
Severity
8.3 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| open-webui | open-webui | Affected: < 0.6.19 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44570",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T03:55:29.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-hmjq-crxp-7rjw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users\u0027 memories. Using a newly created non-admin user with no existing memories, it is possible to view existing memories via POST /api/v1/memories/query. Similarly, even if a non-admin user cannot modify another user\u0027s memory data via POST /api/v1/memories/{memory_id}/update, the endpoint\u0027s response improperly leaks the content of that memory if a valid memory_id is known. The DELETE /api/v1/memories/{memory_id} can also be used by any user to delete an existing memory. Deleted memories can then be restored by calling the POST /api/v1/memories/{memory_id}/update endpoint again. This vulnerability is fixed in 0.6.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T21:05:17.343Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-hmjq-crxp-7rjw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-hmjq-crxp-7rjw"
}
],
"source": {
"advisory": "GHSA-hmjq-crxp-7rjw",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Inconsistent authorization controls within memories API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44570",
"datePublished": "2026-05-15T21:05:17.343Z",
"dateReserved": "2026-05-06T20:59:00.596Z",
"dateUpdated": "2026-05-19T03:55:29.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44678 (GCVE-0-2026-44678)
Vulnerability from cvelistv5 – Published: 2026-05-14 20:41 – Updated: 2026-05-16 01:03
Title
Tuist: IDOR in preview deletion API allows cross-tenant deletion of any preview by UUID
Summary
Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle — which the attacker controls — and then the action deletes whichever preview's UUID is supplied. The check therefore guards the wrong project.
Severity
7.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/tuist/tuist/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T01:03:01.024174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T01:03:16.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tuist",
"vendor": "tuist",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.180.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route\u0027s project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle \u2014 which the attacker controls \u2014 and then the action deletes whichever preview\u0027s UUID is supplied. The check therefore guards the wrong project."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T20:41:40.956Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tuist/tuist/security/advisories/GHSA-fqp5-hg46-cp2x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tuist/tuist/security/advisories/GHSA-fqp5-hg46-cp2x"
}
],
"source": {
"advisory": "GHSA-fqp5-hg46-cp2x",
"discovery": "UNKNOWN"
},
"title": "Tuist: IDOR in preview deletion API allows cross-tenant deletion of any preview by UUID"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44678",
"datePublished": "2026-05-14T20:41:40.956Z",
"dateReserved": "2026-05-07T16:20:08.660Z",
"dateUpdated": "2026-05-16T01:03:16.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44718 (GCVE-0-2026-44718)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:23 – Updated: 2026-05-18 15:36
Title
Mathesar: Missing collaborator checks allowed access to saved explorations in other databases
Summary
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration’s database. An authenticated user on the same Mathesar installation who knew or guessed an exploration ID could read, replace, or delete a saved exploration belonging to a database where they were not a collaborator. This affected Mathesar-managed saved exploration definitions, including names, descriptions, selected columns, display metadata, filters, sorting, and transformations. This vulnerability is fixed in 0.10.0.
Severity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mathesar-foundation/mathesar/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| mathesar-foundation | mathesar | Affected: >= 0.2.0, < 0.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44718",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T15:35:04.118339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T15:36:38.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mathesar",
"vendor": "mathesar-foundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.2.0, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration\u2019s database. An authenticated user on the same Mathesar installation who knew or guessed an exploration ID could read, replace, or delete a saved exploration belonging to a database where they were not a collaborator. This affected Mathesar-managed saved exploration definitions, including names, descriptions, selected columns, display metadata, filters, sorting, and transformations. This vulnerability is fixed in 0.10.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:23:10.517Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mathesar-foundation/mathesar/security/advisories/GHSA-wf8r-g5rp-w69f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mathesar-foundation/mathesar/security/advisories/GHSA-wf8r-g5rp-w69f"
}
],
"source": {
"advisory": "GHSA-wf8r-g5rp-w69f",
"discovery": "UNKNOWN"
},
"title": "Mathesar: Missing collaborator checks allowed access to saved explorations in other databases"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44718",
"datePublished": "2026-05-15T18:23:10.517Z",
"dateReserved": "2026-05-07T18:04:17.308Z",
"dateUpdated": "2026-05-18T15:36:38.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44776 (GCVE-0-2026-44776)
Vulnerability from cvelistv5 – Published: 2026-05-26 17:29 – Updated: 2026-05-26 18:27
Title
Kavita: IDOR in /api/Download/*
Summary
Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This affects /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. This vulnerability is fixed in 0.9.0.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Kareadita/Kavita/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44776",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T18:27:22.523468Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T18:27:30.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Kareadita/Kavita/security/advisories/GHSA-x3jq-95xw-gwvr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kavita",
"vendor": "Kareadita",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This affects /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. This vulnerability is fixed in 0.9.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:29:40.897Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Kareadita/Kavita/security/advisories/GHSA-x3jq-95xw-gwvr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Kareadita/Kavita/security/advisories/GHSA-x3jq-95xw-gwvr"
}
],
"source": {
"advisory": "GHSA-x3jq-95xw-gwvr",
"discovery": "UNKNOWN"
},
"title": "Kavita: IDOR in /api/Download/*"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44776",
"datePublished": "2026-05-26T17:29:40.897Z",
"dateReserved": "2026-05-07T19:20:44.689Z",
"dateUpdated": "2026-05-26T18:27:30.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
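The three mitigations above, written out in the shape of the Tuist preview-deletion bug described earlier on this page, as an added example that is not Tuist's, Mathesar's or Kavita's code: the vulnerable handler authorizes the caller against the project the caller named in the URL and then deletes whatever UUID was supplied, the fixed handler scopes the lookup so the record must belong to the authorized project, and a keyed MAC over the identifier lets the server detect a tampered key. The names (Preview, MEMBERS, KEY_SECRET) and the sample data are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Preview:
    id: str
    project: str  # "account_handle/project_handle" that owns this preview

# Constructed sample data (not real Tuist records): two tenants, one preview each.
A_ID = "11111111-1111-4111-8111-111111111111"
B_ID = "22222222-2222-4222-8222-222222222222"
PREVIEWS = {A_ID: Preview(A_ID, "alice/app"), B_ID: Preview(B_ID, "bob/app")}
MEMBERS = {"alice/app": {"alice"}, "bob/app": {"bob"}}

def authorized(user: str, project: str) -> bool:
    """Stand-in for the route's project-level authorization check."""
    return user in MEMBERS.get(project, set())

def delete_preview_vulnerable(user, account, project, preview_id, store):
    """The shape the Tuist advisory describes: the check guards the wrong project."""
    if not authorized(user, f"{account}/{project}"):  # project chosen by the caller
        raise PermissionError(user)
    return store.pop(preview_id, None) is not None  # deletes whichever UUID was supplied

def delete_preview_fixed(user, account, project, preview_id, store):
    """Mitigations 1 and 2: the record must belong to the project that was authorized."""
    scope = f"{account}/{project}"
    if not authorized(user, scope):
        raise PermissionError(user)
    preview = store.get(preview_id)
    if preview is None or preview.project != scope:
        return False  # treat as not found: no cross-tenant side effect, no existence leak
    del store[preview_id]
    return True

# Mitigation 3: a keyed MAC over the identifier makes tampering detectable.
KEY_SECRET = secrets.token_bytes(32)  # constructed; a deployment loads this from config

def sign_key(raw_id: str) -> str:
    tag = hmac.new(KEY_SECRET, raw_id.encode(), hashlib.sha256).hexdigest()
    return f"{raw_id}.{tag}"

def verify_key(signed: str):
    """Return the raw id if the tag verifies, else None (tampered or forged key)."""
    raw_id, _, tag = signed.rpartition(".")
    expected = hmac.new(KEY_SECRET, raw_id.encode(), hashlib.sha256).hexdigest()
    return raw_id if hmac.compare_digest(tag, expected) else None
```

A real handler would also apply the same scope to the read and update paths, since the Mathesar and Kavita records on this page show the identical gap on get, replace and download endpoints.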
No CAPEC attack patterns related to this CWE.