CWE-285— Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
1,353 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-285page 26 of 28
- CVE-2026-46668LOWCVSS 2.3EG 2.32026-05-21
SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue…
- CVE-2026-46700MEDIUMCVSS 4.3EG 4.32026-06-22
Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /s…
- CVE-2026-47298HIGHCVSS 8.0EG 8.02026-06-09
Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2026-47342HIGHCVSS 8.8EG 8.82026-06-11
A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which f…
- CVE-2026-47673MEDIUMCVSS 4.8EG 4.82026-05-28
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — rega…
- CVE-2026-47713MEDIUMCVSS 4.3EG 4.32026-05-28
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user …
- CVE-2026-47740HIGHCVSS 8.1EG 8.12026-05-29
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orde…
- CVE-2026-47744CRITICALCVSS 9.9EG 9.92026-05-29
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any …
- CVE-2026-48089HIGHCVSS 7.1EG 7.12026-06-11
DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no memb…
- CVE-2026-4818MEDIUMCVSS 6.8EG 6.82026-03-31
In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which allows users without the necessary privileges to execute some management operations against data streams.
- CVE-2026-48579CRITICALCVSS 9.1EG 9.12026-06-04
Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network.
- CVE-2026-48810MEDIUMCVSS 4.3EG 4.32026-05-29
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling…
- CVE-2026-49278MEDIUMCVSS 6.7EG 6.72026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-inf…
- CVE-2026-49338HIGHCVSS 7.1EG 7.12026-06-19
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once …
- CVE-2026-49397MEDIUMCVSS 5.3EG 5.32026-06-10
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking n…
- CVE-2026-4958LOWCVSS 3.1EG 3.12026-03-27
A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipula…
- CVE-2026-49877HIGHCVSS 8.1EG 8.12026-06-30
Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only adm…
- CVE-2026-50201MEDIUMCVSS 6.5EG 6.52026-06-17
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0…
- CVE-2026-50279HIGHCVSS 7.6EG 7.62026-07-02
Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the mode…
- CVE-2026-5246MEDIUMCVSS 5.6EG 5.62026-04-02
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypas…
- CVE-2026-5283MEDIUMCVSS 6.5EG 6.52026-04-01
Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-5326MEDIUMCVSS 5.3EG 5.32026-04-02
A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to…
- CVE-2026-54012HIGHCVSS 7.1EG 7.12026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their mo…
- CVE-2026-5412CRITICALCVSS 9.9EG 9.92026-04-10
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a l…
- CVE-2026-55077HIGHCVSS 7.2EG 7.22026-07-06
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did no…
- CVE-2026-55212HIGHCVSS 7.1EG 7.12026-07-09
Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is guarded by the…
- CVE-2026-5529MEDIUMCVSS 4.3EG 4.32026-04-05
A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipulation results in improper authorization.…
- CVE-2026-55428HIGHCVSS 8.2EG 8.22026-07-06
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID b…
- CVE-2026-55664MEDIUMCVSS 4.3EG 4.32026-07-10
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actua…
- CVE-2026-55956MEDIUMCVSS 6.5EG 6.52026-06-29
Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0…
- CVE-2026-56231HIGHCVSS 7.6EG 7.62026-06-24
Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The handlers authorize the request based only on the attacker-controlled app_i…
- CVE-2026-56240MEDIUMCVSS 4.3EG 4.32026-07-11
Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the plan_valid calculation that allows organizations with exhausted or expired usage credit grants to bypass billing gates. Attackers can exploit the divergenc…
- CVE-2026-56241HIGHCVSS 8.3EG 8.32026-07-12
Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not being clear…
- CVE-2026-56246HIGHCVSS 8.1EG 8.12026-07-08
Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited_to_orgs) inherits its owner-user's permissions, allowing destructive cross-organization actions. When a…
- CVE-2026-56249HIGHCVSS 7.6EG 7.62026-07-01
Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can e…
- CVE-2026-56293MEDIUMCVSS 5.4EG 5.42026-07-08
Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_history.owner_org when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to…
- CVE-2026-56295MEDIUMCVSS 6.3EG 6.32026-06-20
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails t…
- CVE-2026-56310MEDIUMCVSS 4.3EG 4.32026-06-24
Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited API keys can read membershi…
- CVE-2026-56311MEDIUMCVSS 5.3EG 5.32026-06-22
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpo…
- CVE-2026-56313HIGHCVSS 8.1EG 8.12026-07-12
Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations. Attackers with org.upda…
- CVE-2026-56320HIGHCVSS 7.1EG 7.12026-07-01
Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create devic…
- CVE-2026-56350HIGHCVSS 7.7EG 6.32026-07-01
n8n before 2.8.0 contains an authentication bypass vulnerability allowing authenticated SSO users to disable SSO enforcement through the API. Attackers can create local password credentials to authenticate directly, bypassing organizationa…
- CVE-2026-5642HIGHCVSS 7.3EG 7.32026-04-06
A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulati…
- CVE-2026-5781HIGHCVSS 8.8EG 8.82026-04-28
An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request wi…
- CVE-2026-57983HIGHCVSS 8.7EG 8.72026-07-03
Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-58251MEDIUMCVSS 6.5EG 6.52026-07-08
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by usin…
- CVE-2026-58252MEDIUMCVSS 6.5EG 6.52026-07-08
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped…
- CVE-2026-58284HIGHCVSS 8.3EG 8.32026-07-03
Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
- CVE-2026-5842HIGHCVSS 7.3EG 7.32026-04-09
A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The atta…
- CVE-2026-58424HIGHCVSS 8.9EG 8.92026-07-03
Permanent Fork PR Workflow Approval Gate Bypass
Map vulnerabilities like CWE-285 to your infrastructure
EchelonGraph correlates every CVE — across CWE-285 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →