CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3213 vulnerabilities reference this CWE, most recent first.
GHSA-5949-6PQ3-MP7G
Vulnerability from github – Published: 2026-06-30 06:31 – Updated: 2026-06-30 06:31The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a user_login on registration forms that don't contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user's password and gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2026-12073"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T06:16:26Z",
"severity": "CRITICAL"
},
"details": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don\u0027t contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user\u0027s password and gain access to their account.",
"id": "GHSA-5949-6pq3-mp7g",
"modified": "2026-06-30T06:31:20Z",
"published": "2026-06-30T06:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12073"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3578435"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d35279d-299e-4ca2-8f84-165284e058c8?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-597F-XH85-QC2H
Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2024-03-20 15:32The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.
{
"affected": [],
"aliases": [
"CVE-2024-2538"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-20T06:15:12Z",
"severity": "MODERATE"
},
"details": "The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ajax_save_permalink\u0027 function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.",
"id": "GHSA-597f-xh85-qc2h",
"modified": "2024-03-20T15:32:47Z",
"published": "2024-03-20T15:32:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2538"
},
{
"type": "WEB",
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3052848#file35"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70cd028d-122d-4e3c-ac09-150dec07a2cd?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-59VX-PP3G-92Q8
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-13 00:00An insecure direct object reference (IDOR) in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers.
{
"affected": [],
"aliases": [
"CVE-2022-29627"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "MODERATE"
},
"details": "An insecure direct object reference (IDOR) in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers.",
"id": "GHSA-59vx-pp3g-92q8",
"modified": "2022-06-13T00:00:20Z",
"published": "2022-06-03T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29627"
},
{
"type": "WEB",
"url": "https://github.com/nsparker1337/OpenSource/blob/main/exploit_idor.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5CFJ-8JX9-XJ6X
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.
{
"affected": [],
"aliases": [
"CVE-2025-50693"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T16:15:29Z",
"severity": "MODERATE"
},
"details": "PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.",
"id": "GHSA-5cfj-8jx9-xj6x",
"modified": "2025-06-26T21:31:09Z",
"published": "2025-06-26T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50693"
},
{
"type": "WEB",
"url": "https://github.com/blackm4c/cve/blob/master/phpgurukul/odms/idor/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5CQM-HJCP-75C4
Vulnerability from github – Published: 2025-12-31 18:30 – Updated: 2026-04-28 21:35Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Villão MyD Delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyD Delivery: from n/a through 1.3.7.
{
"affected": [],
"aliases": [
"CVE-2025-49334"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-31T16:15:42Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Vill\u00e3o MyD Delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyD Delivery: from n/a through 1.3.7.",
"id": "GHSA-5cqm-hjcp-75c4",
"modified": "2026-04-28T21:35:52Z",
"published": "2025-12-31T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49334"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/myd-delivery/vulnerability/wordpress-myd-delivery-plugin-1-3-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/wordpress/plugin/myd-delivery/vulnerability/wordpress-myd-delivery-plugin-1-3-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5CW3-X746-WHWQ
Vulnerability from github – Published: 2024-03-18 03:30 – Updated: 2024-03-18 03:30A vulnerability classified as critical was found in SourceCodester Employee Task Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-task.php. The manipulation of the argument task_id leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257077 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-2574"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T02:15:06Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as critical was found in SourceCodester Employee Task Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-task.php. The manipulation of the argument task_id leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257077 was assigned to this vulnerability.",
"id": "GHSA-5cw3-x746-whwq",
"modified": "2024-03-18T03:30:32Z",
"published": "2024-03-18T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2574"
},
{
"type": "WEB",
"url": "https://github.com/skid-nochizplz/skid-nochizplz/blob/main/TrashBin/CVE/SOURCECODESTER%20Employee%20Task%20Management%20System/IDOR%20-%20edit-task.php.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.257077"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.257077"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5F44-QRRG-G8CM
Vulnerability from github – Published: 2025-10-17 12:31 – Updated: 2025-10-17 12:31The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
{
"affected": [],
"aliases": [
"CVE-2025-11895"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-17T10:15:33Z",
"severity": "MODERATE"
},
"details": "The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members\u0027 payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.",
"id": "GHSA-5f44-qrrg-g8cm",
"modified": "2025-10-17T12:31:17Z",
"published": "2025-10-17T12:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11895"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/binary-mlm-plan/trunk/includes/bmp-hook-functions.php#L833"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/adba7d0c-29ca-49c5-ac75-bb79d62f6107?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5F4H-2WR9-WFG6
Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-10-08 18:30Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to time records details using unauthorised internal identifiers.
{
"affected": [],
"aliases": [
"CVE-2025-41092"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T11:37:39Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to\u00a0access to time records details using unauthorised internal identifiers.",
"id": "GHSA-5f4h-2wr9-wfg6",
"modified": "2025-10-08T18:30:15Z",
"published": "2025-09-30T12:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41092"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5FFV-CQPM-6P2J
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-08-06 00:00Adobe Bridge version 11.0 (and earlier) is affected by an out-of-bounds write vulnerability when parsing TTF files that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-21013"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-787",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-13T23:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Bridge version 11.0 (and earlier) is affected by an out-of-bounds write vulnerability when parsing TTF files that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-5ffv-cqpm-6p2j",
"modified": "2022-08-06T00:00:37Z",
"published": "2022-05-24T17:39:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21013"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/bridge/apsb21-07.html"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5FW2-MWHH-9947
Vulnerability from github – Published: 2026-04-17 21:35 – Updated: 2026-04-24 21:00Summary
The text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech.
Root Cause
// packages/server/src/controllers/text-to-speech/index.ts:58-64
} else {
// Use TTS config from request body
provider = bodyProvider
credentialId = bodyCredentialId // ← attacker-controlled credential ID
voice = bodyVoice
model = bodyModel
}
Docker Validation
POST /api/v1/text-to-speech/generate with arbitrary credentialId in body: endpoint processes request, sends SSE tts_start event, only fails when credential doesn't exist — proves code path runs without authentication.
Impact
- Use victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization
- Burn API credits on the victim's account
- Generate unlimited speech content at victim's expense
- Combined with credential ID leak from Finding 2, this is trivially exploitable
Suggested Fix
Remove the TTS endpoint from WHITELIST_URLS or validate that the credential belongs to the chatflow being used:
// Only allow credentialId when it matches the chatflow's TTS configuration
if (!chatflowId) {
return res.status(401).json({ message: 'Authentication required' })
}
References
packages/server/src/controllers/text-to-speech/index.tslines 10-162packages/server/src/utils/constants.tsline 41 (whitelist entry)
Credits
- Shinobi Security - https://github.com/shinobisecurity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.13"
},
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41279"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-17T21:35:14Z",
"nvd_published_at": "2026-04-23T20:16:16Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe text-to-speech generation endpoint (`POST /api/v1/text-to-speech/generate`) is whitelisted (no auth) and accepts a `credentialId` directly in the request body. When called without a `chatflowId`, the endpoint uses the provided `credentialId` to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech.\n\n### Root Cause\n\n```typescript\n// packages/server/src/controllers/text-to-speech/index.ts:58-64\n} else {\n // Use TTS config from request body\n provider = bodyProvider\n credentialId = bodyCredentialId // \u2190 attacker-controlled credential ID\n voice = bodyVoice\n model = bodyModel\n}\n```\n\n### Docker Validation\n\n`POST /api/v1/text-to-speech/generate` with arbitrary `credentialId` in body: endpoint processes request, sends SSE `tts_start` event, only fails when credential doesn\u0027t exist \u2014 proves code path runs without authentication.\n\n### Impact\n\n- Use victim\u0027s API keys (OpenAI, ElevenLabs, Azure, Google) without authorization\n- Burn API credits on the victim\u0027s account\n- Generate unlimited speech content at victim\u0027s expense\n- Combined with credential ID leak from Finding 2, this is trivially exploitable\n\n### Suggested Fix\n\nRemove the TTS endpoint from `WHITELIST_URLS` or validate that the credential belongs to the chatflow being used:\n\n```typescript\n// Only allow credentialId when it matches the chatflow\u0027s TTS configuration\nif (!chatflowId) {\n return res.status(401).json({ message: \u0027Authentication required\u0027 })\n}\n```\n\n---\n\n## References\n\n- `packages/server/src/controllers/text-to-speech/index.ts` lines 10-162\n- `packages/server/src/utils/constants.ts` line 41 (whitelist entry)\n\n## Credits\n- Shinobi Security - https://github.com/shinobisecurity",
"id": "GHSA-5fw2-mwhh-9947",
"modified": "2026-04-24T21:00:53Z",
"published": "2026-04-17T21:35:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41279"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs \u2014 enables API credit abuse via stored credentials"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.