CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 80 of 94
- CVE-2026-21635MEDIUMCVSS 5.3EG 5.32026-01-05
An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet.
- CVE-2026-21636CRITICALCVSS 10.0EG 5.82026-01-20
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can…
- CVE-2026-2164HIGHCVSS 7.3EG 7.32026-02-08
A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted…
- CVE-2026-21694MEDIUMCVSS 6.8EG 6.82026-01-08
Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is…
- CVE-2026-2183MEDIUMCVSS 6.3EG 6.32026-02-08
A security vulnerability has been detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This affects an unknown part of the file /restructured/csv.php. The manipulation leads to unrestri…
- CVE-2026-21889HIGHCVSS 7.5EG 7.52026-01-14
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their fil…
- CVE-2026-21959MEDIUMCVSS 4.9EG 4.92026-01-20
Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network a…
- CVE-2026-21960MEDIUMCVSS 6.5EG 6.52026-01-20
Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with networ…
- CVE-2026-21961MEDIUMCVSS 6.1EG 6.12026-01-20
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability a…
- CVE-2026-21962CRITICALCVSS 10.0EG 10.02026-01-20
Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions…
- CVE-2026-21982HIGHCVSS 7.5EG 7.52026-01-20
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to th…
- CVE-2026-21984HIGHCVSS 7.5EG 7.52026-01-20
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the…
- CVE-2026-21994CRITICALCVSS 9.8EG 9.82026-03-17
Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allow…
- CVE-2026-21997HIGHCVSS 8.5EG 8.52026-04-21
Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core). Supported versions that are affected are 9.2.1-9.2.3. Easily exploitable vulnerability allows low privileged a…
- CVE-2026-22010HIGHCVSS 7.5EG 7.52026-04-21
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily …
- CVE-2026-22011HIGHCVSS 7.6EG 7.62026-04-21
Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows high privileged attacker with network…
- CVE-2026-22014LOWCVSS 3.8EG 3.82026-04-21
Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Workflow and Business Events). Supported versions that are affected are 12.2.7-12.2.15. Easily exploitable vulnerability allows high privileged att…
- CVE-2026-22019MEDIUMCVSS 5.4EG 5.42026-04-21
Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with…
- CVE-2026-22033MEDIUMCVSS 5.4EG 5.42026-01-12
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (o…
- CVE-2026-22043CRITICALCVSS 9.8EG 9.82026-01-08
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestr…
- CVE-2026-2205MEDIUMCVSS 4.3EG 4.32026-02-08
A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be per…
- CVE-2026-2206MEDIUMCVSS 6.3EG 6.32026-02-08
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper …
- CVE-2026-2207MEDIUMCVSS 5.3EG 5.32026-02-08
A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information di…
- CVE-2026-2213MEDIUMCVSS 4.7EG 4.72026-02-09
A security flaw has been discovered in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminAddAlbum.php. The manipulation of the argument txtimage results in unrestr…
- CVE-2026-2226MEDIUMCVSS 4.7EG 4.72026-02-09
A vulnerability has been found in DouPHP up to 1.9. This issue affects some unknown processing of the file /admin/file.php of the component ZIP File Handler. Such manipulation of the argument sql_filename leads to unrestricted upload. The …
- CVE-2026-2250HIGHCVSS 7.5EG 7.52026-02-11
The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is conf…
- CVE-2026-22555HIGHCVSS 8.1EG 8.12026-06-17
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.
- CVE-2026-22564CRITICALCVSS 9.8EG 9.82026-04-13
An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)…
- CVE-2026-22566HIGHCVSS 7.5EG 7.52026-04-13
An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audi…
- CVE-2026-22605MEDIUMCVSS 4.3EG 4.32026-01-10
OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to proj…
- CVE-2026-22628MEDIUMCVSS 5.3EG 5.32026-03-10
An improper access control vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an authenticated admin to execute system commands via a specifically crafted SSH config file.
- CVE-2026-22692MEDIUMCVSS 4.9EG 4.92026-04-14
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the …
- CVE-2026-22754HIGHCVSS 7.5EG 7.52026-04-22
Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and t…
- CVE-2026-22909HIGHCVSS 7.5EG 7.52026-01-15
Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.
- CVE-2026-2311MEDIUMCVSS 6.4EG 6.42026-04-30
IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 s vulnerable to privilege escalation caused by an invalid IBM i Web Administration GUI authorization check. A malicious actor could cause user-controlled code to run with administrator privilege.
- CVE-2026-23494MEDIUMCVSS 4.3EG 4.32026-01-15
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In…
- CVE-2026-23495MEDIUMCVSS 4.3EG 4.32026-01-15
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties …
- CVE-2026-23496MEDIUMCVSS 5.4EG 5.42026-01-15
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Out…
- CVE-2026-23522LOWCVSS 3.7EG 3.72026-01-19
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `us…
- CVE-2026-2356MEDIUMCVSS 5.3EG 5.32026-02-26
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' func…
- CVE-2026-23660HIGHCVSS 7.8EG 7.82026-03-10
Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.
- CVE-2026-23782HIGHCVSS 7.5EG 7.52026-04-10
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could …
- CVE-2026-23856HIGHCVSS 7.8EG 7.82026-02-12
Dell iDRAC Service Module (iSM) for Windows, versions prior to 6.0.3.1, and Dell iDRAC Service Module (iSM) for Linux, versions prior to 5.4.1.1, contain an Improper Access Control vulnerability. A low privileged attacker with local access…
- CVE-2026-23877MEDIUMCVSS 4.3EG 4.32026-01-19
Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (in…
- CVE-2026-23899HIGHCVSS 8.8EG 8.82026-04-01
An improper access check allows unauthorized access to webservice endpoints.
- CVE-2026-24014CRITICALCVSS 9.8EG 9.82026-07-06
Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an…
- CVE-2026-24035MEDIUMCVSS 4.3EG 4.32026-01-22
Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to …
- CVE-2026-24036MEDIUMCVSS 5.3EG 5.32026-01-22
Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft…
- CVE-2026-24039MEDIUMCVSS 4.3EG 4.32026-01-22
Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to b…
- CVE-2026-24055MEDIUMCVSS 5.3EG 5.32026-01-22
Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorizat…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →