CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,710 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 86 of 95
- CVE-2026-40713MEDIUMCVSS 6.1EG 6.12026-06-02
Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access control vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Information exposure.
- CVE-2026-40715HIGHCVSS 7.8EG 7.82026-06-02
Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Privilege Escalation.
- CVE-2026-40865HIGHCVSS 7.1EG 7.12026-04-21
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by chang…
- CVE-2026-40866HIGHCVSS 8.6EG 8.62026-04-21
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another empl…
- CVE-2026-40867HIGHCVSS 7.1EG 7.12026-04-21
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing t…
- CVE-2026-40874MEDIUMCVSS 6.0EG 6.02026-04-21
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can …
- CVE-2026-40888MEDIUMCVSS 6.5EG 6.52026-04-21
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 …
- CVE-2026-40889MEDIUMCVSS 6.5EG 6.52026-04-21
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch…
- CVE-2026-40904HIGHCVSS 8.1EG 8.12026-04-30
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged pro…
- CVE-2026-40966MEDIUMCVSS 5.9EG 5.92026-04-28
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use…
- CVE-2026-41006HIGHCVSS 7.5EG 7.52026-06-09
Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. …
- CVE-2026-41086HIGHCVSS 8.8EG 8.82026-05-12
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
- CVE-2026-41092HIGHCVSS 7.8EG 7.82026-06-09
Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally.
- CVE-2026-41100MEDIUMCVSS 4.4EG 4.42026-05-12
Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
- CVE-2026-41101HIGHCVSS 7.1EG 7.12026-05-12
Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.
- CVE-2026-41102HIGHCVSS 7.1EG 7.12026-05-12
Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.
- CVE-2026-41123MEDIUMCVSS 4.3EG 4.32026-07-03
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper access…
- CVE-2026-41160MEDIUMCVSS 4.3EG 4.32026-05-28
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit perm…
- CVE-2026-41166HIGHCVSS 7.0EG 7.02026-04-22
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. T…
- CVE-2026-41243MEDIUMCVSS 5.4EG 5.42026-04-23
OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when `safeMode` is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still ret…
- CVE-2026-41270HIGHCVSS 7.1EG 7.12026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application impl…
- CVE-2026-41277HIGHCVSS 8.8EG 8.82026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and …
- CVE-2026-41487MEDIUMCVSS 5.4EG 5.42026-05-08
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of rol…
- CVE-2026-41491HIGHCVSS 8.1EG 8.12026-05-08
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found i…
- CVE-2026-41614MEDIUMCVSS 6.2EG 6.22026-05-12
Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
- CVE-2026-41641HIGHCVSS 7.2EG 7.22026-05-07
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE,…
- CVE-2026-41646MEDIUMCVSS 5.5EG 5.52026-05-08
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through t…
- CVE-2026-41704MEDIUMCVSS 5.0EG 5.02026-05-27
AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_b…
- CVE-2026-41728HIGHCVSS 7.5EG 7.52026-06-10
Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through…
- CVE-2026-41837MEDIUMCVSS 5.3EG 5.32026-06-10
Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 t…
- CVE-2026-41847MEDIUMCVSS 5.3EG 4.82026-06-09
Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.
- CVE-2026-41856HIGHCVSS 7.5EG 7.52026-06-11
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When a…
- CVE-2026-41900HIGHCVSS 8.8EG 8.82026-05-08
OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbi…
- CVE-2026-4191HIGHCVSS 7.3EG 7.32026-03-16
A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be …
- CVE-2026-41984MEDIUMCVSS 5.2EG 5.22026-06-09
UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity.
- CVE-2026-41985MEDIUMCVSS 5.1EG 5.12026-06-09
UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity.
- CVE-2026-41999MEDIUMCVSS 4.8EG 4.82026-05-21
Incorrect Behaviour of Views with TCP PROXY Requests
- CVE-2026-4201HIGHCVSS 7.3EG 7.32026-03-16
A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFile…
- CVE-2026-42074CRITICALCVSS 9.8EG 9.82026-05-12
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untr…
- CVE-2026-42158LOWCVSS 2.3EG 2.32026-05-12
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, could update the metadata of an investiga…
- CVE-2026-42177MEDIUMCVSS 5.3EG 5.32026-05-12
linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https:/…
- CVE-2026-4220HIGHCVSS 7.3EG 7.32026-03-16
A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestri…
- CVE-2026-42205HIGHCVSS 8.8EG 8.82026-05-08
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenti…
- CVE-2026-4221HIGHCVSS 7.3EG 7.32026-03-16
A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This affects an unknown part of the file /rest/file/uploadLedImage of the component Endpoint. The manipulation of the argument File results in unrestricted up…
- CVE-2026-42222HIGHCVSS 8.1EG 8.12026-05-04
Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public pat…
- CVE-2026-42278HIGHCVSS 8.8EG 8.82026-05-08
UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "…
- CVE-2026-42569CRITICALCVSS 9.4EG 9.42026-05-09
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
- CVE-2026-42812CRITICALCVSS 9.9EG 9.92026-05-04
In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table property that tells Polaris where to wri…
- CVE-2026-42823CRITICALCVSS 9.9EG 9.92026-05-12
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
- CVE-2026-42829HIGHCVSS 7.8EG 7.82026-06-09
Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →