CWE-285— Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
1,352 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-285page 25 of 28
- CVE-2026-34656MEDIUMCVSS 4.3EG 4.32026-05-12
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vu…
- CVE-2026-35407MEDIUMCVSS 6.5EG 6.52026-04-08
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email c…
- CVE-2026-35476HIGHCVSS 7.2EG 7.22026-04-08
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on t…
- CVE-2026-35479MEDIUMCVSS 6.6EG 6.62026-04-08
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirem…
- CVE-2026-35610HIGHCVSS 8.8EG 8.82026-04-07
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condi…
- CVE-2026-38533MEDIUMCVSS 6.5EG 6.52026-04-14
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin user…
- CVE-2026-39347LOWCVSS 2.7EG 2.72026-04-07
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking …
- CVE-2026-39389MEDIUMCVSS 6.7EG 6.72026-04-08
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.
- CVE-2026-39901MEDIUMCVSS 5.7EG 5.72026-04-08
monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update en…
- CVE-2026-40071MEDIUMCVSS 5.4EG 5.42026-04-09
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they inv…
- CVE-2026-40246HIGHCVSS 7.5EG 7.52026-04-16
free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, bu…
- CVE-2026-40247HIGHCVSS 7.5EG 7.52026-04-16
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but…
- CVE-2026-40248HIGHCVSS 7.5EG 7.52026-04-16
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-t…
- CVE-2026-40259HIGHCVSS 8.1EG 8.12026-04-16
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The hand…
- CVE-2026-40305MEDIUMCVSS 4.3EG 4.32026-04-17
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the …
- CVE-2026-40963LOWCVSS 3.1EG 3.12026-06-01
The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could …
- CVE-2026-41115MEDIUMCVSS 4.3EG 4.32026-06-02
An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented i…
- CVE-2026-41522HIGHCVSS 7.1EG 7.12026-06-04
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authori…
- CVE-2026-41572MEDIUMCVSS 5.3EG 5.32026-05-04
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and th…
- CVE-2026-4171MEDIUMCVSS 6.3EG 6.32026-03-16
A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API …
- CVE-2026-42202MEDIUMCVSS 6.5EG 6.52026-05-08
nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on t…
- CVE-2026-4248HIGHCVSS 8.0EG 8.02026-03-27
The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via…
- CVE-2026-42609HIGHCVSS 8.1EG 8.12026-05-11
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary admin…
- CVE-2026-42875MEDIUMCVSS 5.3EG 5.32026-05-11
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA m…
- CVE-2026-42876MEDIUMCVSS 4.9EG 4.92026-05-11
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to …
- CVE-2026-42902HIGHCVSS 7.8EG 7.82026-06-09
Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.
- CVE-2026-43515CRITICALCVSS 9.1EG 9.12026-05-12
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.…
- CVE-2026-43912HIGHCVSS 8.7EG 8.72026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.…
- CVE-2026-43983HIGHCVSS 8.1EG 8.12026-05-12
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does…
- CVE-2026-44208MEDIUMCVSS 6.9EG 6.92026-06-12
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107…
- CVE-2026-44362MEDIUMCVSS 5.5EG 5.52026-07-06
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20.0 and prior to version 4.11.0, a vulnerability in OP…
- CVE-2026-44504HIGHCVSS 8.6EG 8.62026-05-14
Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's thread_id, can execute…
- CVE-2026-45147MEDIUMCVSS 4.3EG 4.32026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a confi…
- CVE-2026-45187MEDIUMCVSS 6.5EG 6.52026-05-19
Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
- CVE-2026-45275MEDIUMCVSS 6.5EG 6.52026-06-01
Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to force the system to share a file with app…
- CVE-2026-45297MEDIUMCVSS 5.3EG 5.32026-05-28
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch. ProjectAuthorizer.__call__ (OSS api/auth/auth_project.py:14-38 and EE e…
- CVE-2026-45345MEDIUMCVSS 6.5EG 6.52026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during e…
- CVE-2026-45365MEDIUMCVSS 5.4EG 5.42026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via…
- CVE-2026-45371HIGHCVSS 7.2EG 7.22026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInte…
- CVE-2026-4549LOWCVSS 3.1EG 3.12026-03-22
A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization byp…
- CVE-2026-45490HIGHCVSS 7.8EG 7.82026-06-09
Improper authorization in .NET allows an authorized attacker to elevate privileges locally.
- CVE-2026-45503MEDIUMCVSS 6.5EG 8.12026-06-09
Improper authorization in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.
- CVE-2026-45620MEDIUMCVSS 5.3EG 5.32026-05-18
WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables…
- CVE-2026-4563MEDIUMCVSS 4.3EG 4.32026-03-23
A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the ar…
- CVE-2026-46484HIGHCVSS 8.1EG 8.12026-06-08
Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This i…
- CVE-2026-46552MEDIUMCVSS 5.8EG 5.82026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker c…
- CVE-2026-46605MEDIUMCVSS 4.3EG 4.32026-06-01
Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from…
- CVE-2026-46620MEDIUMCVSS 6.5EG 6.52026-05-26
e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requi…
- CVE-2026-46656HIGHCVSS 8.8EG 8.82026-06-08
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Sess…
- CVE-2026-46668LOWCVSS 2.3EG 2.32026-05-21
SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue…
Map vulnerabilities like CWE-285 to your infrastructure
EchelonGraph correlates every CVE — across CWE-285 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →