CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-45671 (GCVE-0-2026-45671)
Vulnerability from cvelistv5 – Published: 2026-05-15 19:13 – Updated: 2026-05-19 03:55
VLAI
Title
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user's identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files. This vulnerability is fixed in 0.9.0.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.9.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45671",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T03:55:43.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26g9-27vm-x3q8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user\u0027s identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files. This vulnerability is fixed in 0.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T19:13:42.052Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26g9-27vm-x3q8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26g9-27vm-x3q8"
}
],
"source": {
"advisory": "GHSA-26g9-27vm-x3q8",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45671",
"datePublished": "2026-05-15T19:13:42.052Z",
"dateReserved": "2026-05-12T21:59:25.666Z",
"dateUpdated": "2026-05-19T03:55:43.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45760 (GCVE-0-2026-45760)
Vulnerability from cvelistv5 – Published: 2026-05-21 11:43 – Updated: 2026-05-23 02:17
VLAI
Title
Apache Camel K: Camel K Cross-Namespace Build Deputy Attack
Summary
(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.
This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.
Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.
Severity
No CVSS data available.
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://camel.apache.org/security/CVE-2026-45760.html | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Camel K |
Affected:
2.0.0 , < 2.8.1
(semver)
Affected: 2.9.0 , < 2.9.2 (semver) Affected: 2.10.0 , < 2.10.1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-21T18:37:31.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T02:15:43.714371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T02:17:48.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://hub.docker.com",
"defaultStatus": "unaffected",
"packageName": "apache/camel-k",
"product": "Apache Camel K",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.8.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
},
{
"lessThan": "2.9.2",
"status": "affected",
"version": "2.9.0",
"versionType": "semver"
},
{
"lessThan": "2.10.1",
"status": "affected",
"version": "2.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "@j311yl0v3u (2439839508@qq.com)"
},
{
"lang": "en",
"type": "finder",
"value": "@b0b0haha (603571786@qq.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.\u003c/p\u003e"
}
],
"value": "(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.\n\nThis issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.\n\nUsers are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610 (Externally Controlled Reference to a Resource in Another Sphere)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 (Authorization Bypass Through User-Controlled Key)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T11:43:44.844Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://camel.apache.org/security/CVE-2026-45760.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Camel K: Camel K Cross-Namespace Build Deputy Attack",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-45760",
"datePublished": "2026-05-21T11:43:44.844Z",
"dateReserved": "2026-05-13T07:38:04.636Z",
"dateUpdated": "2026-05-23T02:17:48.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4630 (GCVE-0-2026-4630)
Vulnerability from cvelistv5 – Published: 2026-05-19 10:28 – Updated: 2026-05-20 16:08
VLAI
Title
Keycloak: keycloak: unauthorized resource access and data modification via insecure direct object reference
Summary
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
Severity
6.8 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:19596 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:19597 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-4630 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2450245 | issue-trackingx_refsource_REDHAT |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.12-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-17 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-17 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4.12 |
cpe:/a:redhat:build_keycloak:26.4::el9 |
Date Public
2026-04-15 12:34
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T16:33:12.614371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T16:33:22.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.12-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-17",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-17",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4.12",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-15T12:34:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource\u0027s unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:08:47.221Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:19596",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"name": "RHSA-2026:19597",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-4630"
},
{
"name": "RHBZ#2450245",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450245"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-23T08:10:40.944Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-15T12:34:00.000Z",
"value": "Made public."
}
],
"title": "Keycloak: keycloak: unauthorized resource access and data modification via insecure direct object reference",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-4630",
"datePublished": "2026-05-19T10:28:15.936Z",
"dateReserved": "2026-03-23T08:12:45.479Z",
"dateUpdated": "2026-05-20T16:08:47.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46407 (GCVE-0-2026-46407)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:45 – Updated: 2026-05-18 16:08
VLAI
Title
Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tokens
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3.
Severity
8.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46407",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T16:08:20.825059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T16:08:56.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator\u0027s REST API token list by supplying that user\u0027s admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:45:43.129Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-5g3g-x6mf-pwr6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-5g3g-x6mf-pwr6"
}
],
"source": {
"advisory": "GHSA-5g3g-x6mf-pwr6",
"discovery": "UNKNOWN"
},
"title": "Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46407",
"datePublished": "2026-05-15T18:45:43.129Z",
"dateReserved": "2026-05-13T21:04:10.932Z",
"dateUpdated": "2026-05-18T16:08:56.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46408 (GCVE-0-2026-46408)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:46 – Updated: 2026-05-15 19:53
VLAI
Title
Vvveb: checkout IDOR allows unauthorized reuse of another user's cart
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user's cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3.
Severity
7.6 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46408",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T19:52:41.934191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T19:53:13.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-rmh2-wv73-xpqh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user\u0027s cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:46:31.693Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-rmh2-wv73-xpqh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-rmh2-wv73-xpqh"
}
],
"source": {
"advisory": "GHSA-rmh2-wv73-xpqh",
"discovery": "UNKNOWN"
},
"title": "Vvveb: checkout IDOR allows unauthorized reuse of another user\u0027s cart"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46408",
"datePublished": "2026-05-15T18:46:31.693Z",
"dateReserved": "2026-05-13T21:04:10.932Z",
"dateUpdated": "2026-05-15T19:53:13.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46414 (GCVE-0-2026-46414)
Vulnerability from cvelistv5 – Published: 2026-05-27 21:54 – Updated: 2026-05-27 21:54
VLAI
Title
Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking
Summary
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking.
Severity
8.8 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/microsoft/UFO/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "UFO",
"vendor": "microsoft",
"versions": [
{
"status": "affected",
"version": "3.0.1-4-ge2626659"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO\u0027s WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type=\"constellation\" and target_id=\u003cvictim-device-id\u003e. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client\u0027s stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T21:54:51.681Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/microsoft/UFO/security/advisories/GHSA-qgx6-cvhg-jw7p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/microsoft/UFO/security/advisories/GHSA-qgx6-cvhg-jw7p"
}
],
"source": {
"advisory": "GHSA-qgx6-cvhg-jw7p",
"discovery": "UNKNOWN"
},
"title": "Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46414",
"datePublished": "2026-05-27T21:54:51.681Z",
"dateReserved": "2026-05-13T21:04:10.933Z",
"dateUpdated": "2026-05-27T21:54:51.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4654 (GCVE-0-2026-4654)
Vulnerability from cvelistv5 – Published: 2026-04-08 07:43 – Updated: 2026-04-08 18:50
VLAI
Title
Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter
Summary
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| awesomesupport | Awesome Support – WordPress HelpDesk & Support Plugin |
Affected:
0 , ≤ 6.3.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4654",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T18:50:01.418065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T18:50:47.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Awesome Support \u2013 WordPress HelpDesk \u0026 Support Plugin",
"vendor": "awesomesupport",
"versions": [
{
"lessThanOrEqual": "6.3.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Iden"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Awesome Support \u2013 WordPress HelpDesk \u0026 Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:01.277Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9015fa-b3f0-4312-8acd-02b715e26f33?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1851"
},
{
"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1851"
},
{
"url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1823"
},
{
"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1823"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3497662%40awesome-support\u0026new=3497662%40awesome-support\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-23T15:15:19.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-07T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Awesome Support \u003c= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via \u0027ticket_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4654",
"datePublished": "2026-04-08T07:43:02.627Z",
"dateReserved": "2026-03-23T15:00:10.423Z",
"dateUpdated": "2026-04-08T18:50:47.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46544 (GCVE-0-2026-46544)
Vulnerability from cvelistv5 – Published: 2026-05-27 21:53 – Updated: 2026-05-28 13:18
VLAI
Title
Microsoft UFO reuses client-supplied WebSocket session IDs and replays stale task results to new authenticated requesters
Summary
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message using the same session_id. The server re-enters the existing session object and sends the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale result replay issue. The issue requires that the attacker knows or can predict a live or recently completed session_id.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/microsoft/UFO/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46544",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T13:17:46.401553Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T13:18:09.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/microsoft/UFO/security/advisories/GHSA-29gc-vqjp-7fqf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UFO",
"vendor": "microsoft",
"versions": [
{
"status": "affected",
"version": "3.0.1-4-ge2626659"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message using the same session_id. The server re-enters the existing session object and sends the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale result replay issue. The issue requires that the attacker knows or can predict a live or recently completed session_id."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T21:53:11.257Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/microsoft/UFO/security/advisories/GHSA-29gc-vqjp-7fqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/microsoft/UFO/security/advisories/GHSA-29gc-vqjp-7fqf"
}
],
"source": {
"advisory": "GHSA-29gc-vqjp-7fqf",
"discovery": "UNKNOWN"
},
"title": "Microsoft UFO reuses client-supplied WebSocket session IDs and replays stale task results to new authenticated requesters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46544",
"datePublished": "2026-05-27T21:53:11.257Z",
"dateReserved": "2026-05-14T20:42:31.368Z",
"dateUpdated": "2026-05-28T13:18:09.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46721 (GCVE-0-2026-46721)
Vulnerability from cvelistv5 – Published: 2026-05-19 09:19 – Updated: 2026-05-19 13:21
VLAI
Title
Broken Access Control in extension "Frontend User Registration" (sf_register)
Summary
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
Severity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://typo3.org/security/advisory/typo3-ext-sa-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TYPO3 | Extension "Frontend User Registration" |
Affected:
14.0.0 , < 14.0.2
(semver)
Affected: 0 , < 13.2.4 (semver) |
Date Public
2026-05-19 09:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T13:21:27.294366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T13:21:39.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packagist.org/",
"defaultStatus": "unaffected",
"packageName": "evoweb/sf-register",
"product": "Extension \"Frontend User Registration\"",
"repo": "https://github.com/evoWeb/sf_register",
"vendor": "TYPO3",
"versions": [
{
"lessThan": "14.0.2",
"status": "affected",
"version": "14.0.0",
"versionType": "semver"
},
{
"lessThan": "13.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Seungbin Yang"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sebastian Fischer"
}
],
"datePublic": "2026-05-19T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups."
}
],
"value": "The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-639",
"description": "CWE-639",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T09:19:10.688Z",
"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"shortName": "TYPO3"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-009"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Broken Access Control in extension \"Frontend User Registration\" (sf_register)",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"assignerShortName": "TYPO3",
"cveId": "CVE-2026-46721",
"datePublished": "2026-05-19T09:19:10.688Z",
"dateReserved": "2026-05-16T09:55:27.478Z",
"dateUpdated": "2026-05-19T13:21:39.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47068 (GCVE-0-2026-47068)
Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-27 15:41
VLAI
Title
Cross-session PubSub topic injection via URL parameter in phoenix_storybook
Summary
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.
'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.
This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/phenixdigital/phoenix_storyboo… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-47068.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-47068 | related |
| https://github.com/phenixdigital/phoenix_storyboo… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| phenixdigital | phoenix_storybook |
Affected:
0.4.0 , < 1.1.0
(semver)
cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |
|
| phenixdigital | phoenix_storybook |
Affected:
8c2c97b0f505780fee4069988bf86736f51d35d7 , < 6ee03f1c738d4436dde1b066cf65c80663d489f5
(git)
cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47068",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:59:23.206364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:59:48.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
],
"packageName": "phoenix_storybook",
"packageURL": "pkg:hex/phoenix_storybook",
"product": "phoenix_storybook",
"programFiles": [
"lib/phoenix_storybook/live/story/component_iframe_live.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
}
],
"repo": "https://github.com/phenixdigital/phoenix_storybook",
"vendor": "phenixdigital",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0.4.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
],
"packageName": "phenixdigital/phoenix_storybook",
"packageURL": "pkg:github/phenixdigital/phoenix_storybook",
"product": "phoenix_storybook",
"programFiles": [
"lib/phoenix_storybook/live/story/component_iframe_live.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
}
],
"repo": "https://github.com/phenixdigital/phoenix_storybook",
"vendor": "phenixdigital",
"versions": [
{
"lessThan": "6ee03f1c738d4436dde1b066cf65c80663d489f5",
"status": "affected",
"version": "8c2c97b0f505780fee4069988bf86736f51d35d7",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.1.0",
"versionStartIncluding": "0.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian Blavier"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3\u003c/tt\u003e in \u003ctt\u003elib/phoenix_storybook/live/story/component_iframe_live.ex\u003c/tt\u003e reads a PubSub topic directly from \u003ctt\u003eparams[\"topic\"]\u003c/tt\u003e and broadcasts \u003ctt\u003e{:component_iframe_pid, self()}\u003c/tt\u003e on it with no check that the topic belongs to the requesting session. The shared \u003ctt\u003ePhoenixStorybook.PubSub\u003c/tt\u003e is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via \u003ctt\u003esend/2\u003c/tt\u003e. Because the iframe trusts the query parameter, an attacker who loads \u003ctt\u003e/storybook/iframe/\u0026lt;story\u0026gt;?topic=\u0026lt;victim_topic\u0026gt;\u003c/tt\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.4.0 before 1.1.0.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\n\n\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params[\"topic\"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\n\nThis issue affects phoenix_storybook from 0.4.0 before 1.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-12",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-12 Choosing Message Identifier"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:41:37.339Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-47068.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47068"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-session PubSub topic injection via URL parameter in phoenix_storybook",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-47068",
"datePublished": "2026-05-20T13:35:33.215Z",
"dateReserved": "2026-05-18T17:28:08.321Z",
"dateUpdated": "2026-05-27T15:41:37.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.