CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,712 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 92 of 95
- CVE-2026-50495MEDIUMCVSS 6.1EG 6.12026-07-14
Improper access control in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.
- CVE-2026-50545CRITICALCVSS 9.9EG 9.92026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough …
- CVE-2026-50563CRITICALCVSS 9.9EG 9.92026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.pod…
- CVE-2026-50564CRITICALCVSS 9.9EG 9.92026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.…
- CVE-2026-50739MEDIUMCVSS 4.3EG 4.32026-06-26
A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking campaigns and trackers through the `tracker-campaigns.php` script in Revive Adserver 6.0.7 and earlier. A…
- CVE-2026-50744MEDIUMCVSS 4.3EG 4.32026-06-26
A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the ass…
- CVE-2026-50746CRITICALCVSS 10.0EG 10.02026-07-02
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device.
- CVE-2026-50875HIGHCVSS 8.1EG 8.12026-06-15
Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.
- CVE-2026-50881HIGHCVSS 8.1EG 8.12026-06-15
Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes.
- CVE-2026-50884HIGHCVSS 8.8EG 8.82026-06-15
Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.
- CVE-2026-50885HIGHCVSS 7.5EG 7.52026-06-15
Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request.
- CVE-2026-50886CRITICALCVSS 9.1EG 9.12026-06-15
Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.
- CVE-2026-50891HIGHCVSS 8.1EG 8.12026-06-15
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
- CVE-2026-50892MEDIUMCVSS 6.5EG 6.52026-06-15
Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.
- CVE-2026-51221HIGHCVSS 7.5EG 7.52026-06-29
A buffer overflow in the Get_Attribute_List function of EIPStackGroup OpENer commit 76b95c allows attackers to cause a Denial of Service (DoS) via supplying a crafted Common Packet Format (CPF) packet.
- CVE-2026-5141HIGHCVSS 8.8EG 8.82026-04-29
Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process. This issue affec…
- CVE-2026-51538CRITICALCVSS 9.1EG 9.12026-07-13
EIPStackGroup OpENer 2.3.0 (commit 76b95cf) suffers from an Incorrect Access Control vulnerability in its handling of encapsulation sessions. When the server processes critical encapsulation commands, it verifies whether the provided sessi…
- CVE-2026-5171MEDIUMCVSS 4.3EG 4.32026-05-26
Improper access control in the entry activity log feature in Devolutions Server allows an... Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without …
- CVE-2026-5181MEDIUMCVSS 6.3EG 6.32026-03-31
A vulnerability has been found in SourceCodester Simple Doctors Appointment System up to 1.0. This issue affects some unknown processing of the file /doctors_appointment/admin/ajax.php?action=save_category. Such manipulation of the argumen…
- CVE-2026-5228HIGHCVSS 8.8EG 8.82026-06-04
Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026.
- CVE-2026-5230HIGHCVSS 7.1EG 7.12026-06-15
Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.262…
- CVE-2026-5261HIGHCVSS 7.3EG 7.32026-04-01
A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It …
- CVE-2026-52810HIGHCVSS 7.1EG 7.12026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing sti…
- CVE-2026-52844HIGHCVSS 7.5EG 7.52026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt o…
- CVE-2026-5311MEDIUMCVSS 5.3EG 5.32026-04-01
A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DN…
- CVE-2026-5312MEDIUMCVSS 5.3EG 5.32026-04-01
A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-155…
- CVE-2026-5330MEDIUMCVSS 6.5EG 6.52026-04-02
A vulnerability was found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component User Delete Handler. Performing a manip…
- CVE-2026-53520MEDIUMCVSS 6.5EG 6.52026-06-12
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing. Th…
- CVE-2026-53982MEDIUMCVSS 6.5EG 6.52026-06-12
Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to…
- CVE-2026-54010HIGHCVSS 8.3EG 8.32026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether the…
- CVE-2026-54012HIGHCVSS 7.1EG 7.12026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their mo…
- CVE-2026-54015MEDIUMCVSS 6.4EG 6.42026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs…
- CVE-2026-5413LOWCVSS 3.7EG 3.72026-04-02
A vulnerability was identified in Newgen OmniDocs up to 12.0.00. Affected by this vulnerability is an unknown functionality of the file /omnidocs/GetWebApiConfiguration. The manipulation of the argument connectionDetails leads to informati…
- CVE-2026-54305CRITICALCVSS 9.9EG 9.92026-06-16
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope…
- CVE-2026-54400CRITICALCVSS 9.1EG 9.12026-07-02
A malicious actor with access to the network and high privileges could exploit an Improper Access Control vulnerability found in UniFi Access Application to escalate privileges on the host device.
- CVE-2026-54407HIGHCVSS 8.6EG 8.62026-07-02
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication in certain UniFi Protect Application API endpoints.
- CVE-2026-54408CRITICALCVSS 9.8EG 8.62026-07-02
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication for data streaming.
- CVE-2026-54526HIGHCVSS 8.9EG 8.92026-07-16
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 3.7.15 and 4.0.6, the allow-list fix for CVE-2026-31892 is incomplete because workflow/util/merge.go ValidateUserOver…
- CVE-2026-54533MEDIUMCVSS 6.9EG 6.92026-06-05
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, malicious algorithms can potentially access other algorithms input and output files. Version 5.0.0 fixes the issue. As a workaround, verify …
- CVE-2026-54628HIGHCVSS 8.6EG 8.62026-07-14
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode ## Summary Anyquery's `server` mode does not restrict outbound HTTP requests initiated by its built-in SQLite virtual table modules …
- CVE-2026-54629HIGHCVSS 7.5EG 7.52026-07-14
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode ## Summary Anyquery's `server` mode lacks input sanitization and access control over its built-in SQLite virtual table modules (e.g., `csv_reader…
- CVE-2026-5472MEDIUMCVSS 6.3EG 6.32026-04-03
A flaw has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The affected element is an unknown function of the file /admin_panel/settings.php of the component Profile Picture Handle…
- CVE-2026-54761HIGHCVSS 7.1EG 7.12026-06-17
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declar…
- CVE-2026-54765HIGHCVSS 8.5EG 8.52026-07-06
Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different ba…
- CVE-2026-5484MEDIUMCVSS 5.3EG 5.32026-04-03
A weakness has been identified in BookStackApp BookStack up to 26.03. Affected is the function chapterToMarkdown of the file app/Exports/ExportFormatter.php of the component Chapter Export Handler. Executing a manipulation of the argument …
- CVE-2026-55014HIGHCVSS 7.8EG 7.82026-07-14
Improper access control in Windows Remote Help Defense allows an authorized attacker to elevate privileges locally.
- CVE-2026-55112HIGHCVSS 8.8EG 7.52026-07-02
A malicious actor with access to the network and low privileges and under certain conditions could exploit an Improper Access Control vulnerability found in UniFi OS with UniFi Protect Application to escalate privileges on the host device.
- CVE-2026-55114HIGHCVSS 8.8EG 8.82026-07-02
A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.
- CVE-2026-55116CRITICALCVSS 9.8EG 9.02026-07-02
A malicious actor with access to the network and under certain network configurations could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.
- CVE-2026-55118HIGHCVSS 8.3EG 8.32026-07-02
A malicious actor with access to the network,low privileges and under certain conditions could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →