Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3213 vulnerabilities reference this CWE, most recent first.

GHSA-5949-6PQ3-MP7G

Vulnerability from github – Published: 2026-06-30 06:31 – Updated: 2026-06-30 06:31
VLAI
Details

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a user_login on registration forms that don't contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user's password and gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T06:16:26Z",
    "severity": "CRITICAL"
  },
  "details": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don\u0027t contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user\u0027s password and gain access to their account.",
  "id": "GHSA-5949-6pq3-mp7g",
  "modified": "2026-06-30T06:31:20Z",
  "published": "2026-06-30T06:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12073"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3578435"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d35279d-299e-4ca2-8f84-165284e058c8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-597F-XH85-QC2H

Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2024-03-20 15:32
VLAI
Details

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-20T06:15:12Z",
    "severity": "MODERATE"
  },
  "details": "The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ajax_save_permalink\u0027 function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.",
  "id": "GHSA-597f-xh85-qc2h",
  "modified": "2024-03-20T15:32:47Z",
  "published": "2024-03-20T15:32:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2538"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3052848#file35"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70cd028d-122d-4e3c-ac09-150dec07a2cd?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59VX-PP3G-92Q8

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-13 00:00
VLAI
Details

An insecure direct object reference (IDOR) in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29627"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insecure direct object reference (IDOR) in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers.",
  "id": "GHSA-59vx-pp3g-92q8",
  "modified": "2022-06-13T00:00:20Z",
  "published": "2022-06-03T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29627"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nsparker1337/OpenSource/blob/main/exploit_idor.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CFJ-8JX9-XJ6X

Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31
VLAI
Details

PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-24T16:15:29Z",
    "severity": "MODERATE"
  },
  "details": "PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.",
  "id": "GHSA-5cfj-8jx9-xj6x",
  "modified": "2025-06-26T21:31:09Z",
  "published": "2025-06-26T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50693"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blackm4c/cve/blob/master/phpgurukul/odms/idor/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CQM-HJCP-75C4

Vulnerability from github – Published: 2025-12-31 18:30 – Updated: 2026-04-28 21:35
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Villão MyD Delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyD Delivery: from n/a through 1.3.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-31T16:15:42Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Vill\u00e3o MyD Delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyD Delivery: from n/a through 1.3.7.",
  "id": "GHSA-5cqm-hjcp-75c4",
  "modified": "2026-04-28T21:35:52Z",
  "published": "2025-12-31T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49334"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/myd-delivery/vulnerability/wordpress-myd-delivery-plugin-1-3-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/wordpress/plugin/myd-delivery/vulnerability/wordpress-myd-delivery-plugin-1-3-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CW3-X746-WHWQ

Vulnerability from github – Published: 2024-03-18 03:30 – Updated: 2024-03-18 03:30
VLAI
Details

A vulnerability classified as critical was found in SourceCodester Employee Task Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-task.php. The manipulation of the argument task_id leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257077 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-18T02:15:06Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability classified as critical was found in SourceCodester Employee Task Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-task.php. The manipulation of the argument task_id leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257077 was assigned to this vulnerability.",
  "id": "GHSA-5cw3-x746-whwq",
  "modified": "2024-03-18T03:30:32Z",
  "published": "2024-03-18T03:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skid-nochizplz/skid-nochizplz/blob/main/TrashBin/CVE/SOURCECODESTER%20Employee%20Task%20Management%20System/IDOR%20-%20edit-task.php.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.257077"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.257077"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5F44-QRRG-G8CM

Vulnerability from github – Published: 2025-10-17 12:31 – Updated: 2025-10-17 12:31
VLAI
Details

The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-17T10:15:33Z",
    "severity": "MODERATE"
  },
  "details": "The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members\u0027 payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.",
  "id": "GHSA-5f44-qrrg-g8cm",
  "modified": "2025-10-17T12:31:17Z",
  "published": "2025-10-17T12:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11895"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/binary-mlm-plan/trunk/includes/bmp-hook-functions.php#L833"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/adba7d0c-29ca-49c5-ac75-bb79d62f6107?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5F4H-2WR9-WFG6

Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-10-08 18:30
VLAI
Details

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to time records details using unauthorised internal identifiers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-30T11:37:39Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to\u00a0access to time records details using unauthorised internal identifiers.",
  "id": "GHSA-5f4h-2wr9-wfg6",
  "modified": "2025-10-08T18:30:15Z",
  "published": "2025-09-30T12:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41092"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5FFV-CQPM-6P2J

Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-08-06 00:00
VLAI
Details

Adobe Bridge version 11.0 (and earlier) is affected by an out-of-bounds write vulnerability when parsing TTF files that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-787",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-13T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Bridge version 11.0 (and earlier) is affected by an out-of-bounds write vulnerability when parsing TTF files that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-5ffv-cqpm-6p2j",
  "modified": "2022-08-06T00:00:37Z",
  "published": "2022-05-24T17:39:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21013"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/bridge/apsb21-07.html"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FW2-MWHH-9947

Vulnerability from github – Published: 2026-04-17 21:35 – Updated: 2026-04-24 21:00
VLAI
Summary
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
Details

Summary

The text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech.

Root Cause

// packages/server/src/controllers/text-to-speech/index.ts:58-64
} else {
    // Use TTS config from request body
    provider = bodyProvider
    credentialId = bodyCredentialId  // ← attacker-controlled credential ID
    voice = bodyVoice
    model = bodyModel
}

Docker Validation

POST /api/v1/text-to-speech/generate with arbitrary credentialId in body: endpoint processes request, sends SSE tts_start event, only fails when credential doesn't exist — proves code path runs without authentication.

Impact

  • Use victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization
  • Burn API credits on the victim's account
  • Generate unlimited speech content at victim's expense
  • Combined with credential ID leak from Finding 2, this is trivially exploitable

Suggested Fix

Remove the TTS endpoint from WHITELIST_URLS or validate that the credential belongs to the chatflow being used:

// Only allow credentialId when it matches the chatflow's TTS configuration
if (!chatflowId) {
    return res.status(401).json({ message: 'Authentication required' })
}

References

  • packages/server/src/controllers/text-to-speech/index.ts lines 10-162
  • packages/server/src/utils/constants.ts line 41 (whitelist entry)

Credits

  • Shinobi Security - https://github.com/shinobisecurity
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-17T21:35:14Z",
    "nvd_published_at": "2026-04-23T20:16:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe text-to-speech generation endpoint (`POST /api/v1/text-to-speech/generate`) is whitelisted (no auth) and accepts a `credentialId` directly in the request body. When called without a `chatflowId`, the endpoint uses the provided `credentialId` to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech.\n\n### Root Cause\n\n```typescript\n// packages/server/src/controllers/text-to-speech/index.ts:58-64\n} else {\n    // Use TTS config from request body\n    provider = bodyProvider\n    credentialId = bodyCredentialId  // \u2190 attacker-controlled credential ID\n    voice = bodyVoice\n    model = bodyModel\n}\n```\n\n### Docker Validation\n\n`POST /api/v1/text-to-speech/generate` with arbitrary `credentialId` in body: endpoint processes request, sends SSE `tts_start` event, only fails when credential doesn\u0027t exist \u2014 proves code path runs without authentication.\n\n### Impact\n\n- Use victim\u0027s API keys (OpenAI, ElevenLabs, Azure, Google) without authorization\n- Burn API credits on the victim\u0027s account\n- Generate unlimited speech content at victim\u0027s expense\n- Combined with credential ID leak from Finding 2, this is trivially exploitable\n\n### Suggested Fix\n\nRemove the TTS endpoint from `WHITELIST_URLS` or validate that the credential belongs to the chatflow being used:\n\n```typescript\n// Only allow credentialId when it matches the chatflow\u0027s TTS configuration\nif (!chatflowId) {\n    return res.status(401).json({ message: \u0027Authentication required\u0027 })\n}\n```\n\n---\n\n## References\n\n- `packages/server/src/controllers/text-to-speech/index.ts` lines 10-162\n- `packages/server/src/utils/constants.ts` line 41 (whitelist entry)\n\n## Credits\n- Shinobi Security - https://github.com/shinobisecurity",
  "id": "GHSA-5fw2-mwhh-9947",
  "modified": "2026-04-24T21:00:53Z",
  "published": "2026-04-17T21:35:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41279"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs \u2014 enables API credit abuse via stored credentials"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.