CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,711 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 87 of 95
- CVE-2026-42832HIGHCVSS 7.7EG 7.72026-05-12
Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
- CVE-2026-42861CRITICALCVSS 9.6EG 9.62026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users t…
- CVE-2026-42862MEDIUMCVSS 5.0EG 5.02026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to mo…
- CVE-2026-42863HIGHCVSS 8.1EG 8.12026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify ser…
- CVE-2026-43652HIGHCVSS 7.5EG 7.52026-05-11
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data.
- CVE-2026-43701HIGHCVSS 7.1EG 8.32026-06-29
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox.
- CVE-2026-43713MEDIUMCVSS 6.5EG 6.52026-06-29
A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Visiting a website may leak sensitive data.
- CVE-2026-43934MEDIUMCVSS 6.5EG 6.52026-05-26
e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-si…
- CVE-2026-44007CRITICALCVSS 9.1EG 9.12026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. Wi…
- CVE-2026-44208MEDIUMCVSS 6.9EG 6.92026-06-12
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107…
- CVE-2026-44225CRITICALCVSS 9.3EG 9.32026-05-12
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() func…
- CVE-2026-44249HIGHCVSS 8.1EG 8.12026-06-08
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in …
- CVE-2026-44277CRITICALCVSS 9.8EG 9.82026-05-12
A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unauthorized code or comma…
- CVE-2026-44341MEDIUMCVSS 5.3EG 5.32026-05-12
GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication a…
- CVE-2026-44352MEDIUMCVSS 5.3EG 5.32026-05-12
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixe…
- CVE-2026-44478HIGHCVSS 7.5EG 7.52026-05-13
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing…
- CVE-2026-44556HIGHCVSS 7.1EG 7.12026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM p…
- CVE-2026-44730HIGHCVSS 7.2EG 7.22026-05-26
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges,…
- CVE-2026-44774CRITICALCVSS 9.9EG 9.92026-05-15
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the provi…
- CVE-2026-44783MEDIUMCVSS 5.4EG 5.42026-06-12
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authen…
- CVE-2026-44874MEDIUMCVSS 4.9EG 4.92026-05-12
A vulnerability exists in the web-based management interface of an AOS-10 Gateway that could allow an authenticated remote attacker to access sensitive files on the underlying operating system. Successful exploitation of this vulnerability…
- CVE-2026-44926HIGHCVSS 8.8EG 8.82026-05-20
InfoScale CmdServer before 7.4.2 mishandles access control.
- CVE-2026-44957MEDIUMCVSS 4.3EG 4.32026-06-23
A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relati…
- CVE-2026-44958MEDIUMCVSS 5.4EG 5.42026-06-23
An access control bypass allows an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be ove…
- CVE-2026-44976MEDIUMCVSS 5.3EG 5.32026-06-12
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
- CVE-2026-45043CRITICALCVSS 9.3EG 9.32026-05-29
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent id…
- CVE-2026-4505MEDIUMCVSS 6.3EG 6.32026-03-20
A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function module_plugin.refresh_plugins of the file packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py of the component FastAPI Endpoint. Su…
- CVE-2026-45080MEDIUMCVSS 6.9EG 6.92026-06-02
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4.
- CVE-2026-45154LOWCVSS 2.6EG 2.62026-06-01
Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to…
- CVE-2026-45157MEDIUMCVSS 6.3EG 6.32026-06-01
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token…
- CVE-2026-45177CRITICALCVSS 9.1EG 9.12026-06-11
Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under spe…
- CVE-2026-45178HIGHCVSS 8.1EG 8.12026-06-11
Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to po…
- CVE-2026-45264MEDIUMCVSS 4.3EG 4.32026-06-01
Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE perm…
- CVE-2026-45266LOWCVSS 3.5EG 3.52026-06-01
Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other user's microphones to be muted in calls when no High-performance Backend is installed. This i…
- CVE-2026-45282MEDIUMCVSS 6.5EG 6.52026-06-01
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share toke…
- CVE-2026-45284HIGHCVSS 8.8EG 8.82026-06-01
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issu…
- CVE-2026-45296HIGHCVSS 7.7EG 7.72026-05-28
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target…
- CVE-2026-45301HIGHCVSS 8.1EG 8.12026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete ever…
- CVE-2026-45313HIGHCVSS 7.7EG 7.72026-07-15
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread and hproc fields from a GUI_WND_HOOK_REGIS…
- CVE-2026-4536HIGHCVSS 7.3EG 7.32026-03-22
A vulnerability was found in Acrel Environmental Monitoring Cloud Platform 1.1.0. This issue affects some unknown processing. Performing a manipulation results in unrestricted upload. The attack may be initiated remotely. The exploit has b…
- CVE-2026-45649HIGHCVSS 7.1EG 7.12026-06-09
Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.
- CVE-2026-45654HIGHCVSS 7.9EG 7.92026-06-09
Improper access control in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
- CVE-2026-45658HIGHCVSS 7.8EG 7.82026-06-09
Improper access control in Windows BitLocker allows an authorized attacker to bypass a security feature locally.
- CVE-2026-45707HIGHCVSS 8.1EG 8.12026-05-18
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-re…
- CVE-2026-45746CRITICALCVSS 9.0EG 9.02026-06-05
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to i…
- CVE-2026-45776MEDIUMCVSS 4.3EG 4.32026-06-05
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for a…
- CVE-2026-4586MEDIUMCVSS 6.3EG 6.32026-03-23
A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects the function Upload of the file chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/api/controller/driver/JdbcDriverControl…
- CVE-2026-46337MEDIUMCVSS 5.3EG 5.32026-05-19
WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application…
- CVE-2026-46353HIGHCVSS 8.12026-07-16
BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web checksum validation could be bypassed when a presentationUploadExternalUrl parameter was supplied to API request handling in CreateMeeting.java and ValidationServi…
- CVE-2026-46416MEDIUMCVSS 6.3EG 6.32026-05-27
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →