CWE-285— Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
1,354 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-285page 27 of 28
- CVE-2026-58424HIGHCVSS 8.9EG 8.92026-07-03
Permanent Fork PR Workflow Approval Gate Bypass
- CVE-2026-59226MEDIUMCVSS 4.3EG 4.32026-07-09
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automation…
- CVE-2026-5999MEDIUMCVSS 6.3EG 6.32026-04-10
A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has b…
- CVE-2026-6105HIGHCVSS 7.3EG 7.32026-04-11
A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation l…
- CVE-2026-6449MEDIUMCVSS 5.3EG 5.32026-05-02
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that c…
- CVE-2026-6556CRITICALCVSS 9.1EG 9.12026-06-30
@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed …
- CVE-2026-6564MEDIUMCVSS 4.3EG 4.32026-04-19
A vulnerability was found in EMQ EMQX Enterprise up to 6.1.0. The impacted element is an unknown function of the component Session Handling. The manipulation results in improper authorization. It is possible to launch the attack remotely. …
- CVE-2026-6570LOWCVSS 2.7EG 2.72026-04-19
A security flaw has been discovered in kodcloud KodExplorer up to 4.52. Affected is the function initInstall of the file /app/controller/systemMember.class.php. Performing a manipulation of the argument path results in authorization bypass…
- CVE-2026-6571MEDIUMCVSS 6.3EG 6.32026-04-19
A weakness has been identified in kodcloud KodExplorer up to 4.52. Affected by this vulnerability is the function roleGroupAction of the file /app/controller/systemRole.class.php. Executing a manipulation of the argument group_role can lea…
- CVE-2026-6572MEDIUMCVSS 5.6EG 5.62026-04-19
A security vulnerability has been detected in Collabora KodExplorer up to 4.52. Affected by this issue is some unknown functionality of the file /app/controller/share.class.php of the component fileUpload Endpoint. The manipulation of the …
- CVE-2026-6583MEDIUMCVSS 5.4EG 5.42026-04-19
A vulnerability has been found in TransformerOptimus SuperAGI up to 0.0.14. This affects the function delete_api_key/edit_api_key of the file superagi/controllers/api_key.py of the component API Key Management Endpoint. The manipulation le…
- CVE-2026-6584MEDIUMCVSS 5.4EG 5.42026-04-20
A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument use…
- CVE-2026-6585MEDIUMCVSS 5.4EG 5.42026-04-20
A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organisation Update Endpoint. This manipulati…
- CVE-2026-6586MEDIUMCVSS 6.3EG 6.32026-04-20
A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authoriza…
- CVE-2026-6609MEDIUMCVSS 6.3EG 6.32026-04-20
A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function form_valid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiate…
- CVE-2026-6612MEDIUMCVSS 6.3EG 6.32026-04-20
A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This impacts the function get_agent_execution/update_agent_execution of the file superagi/controllers/agent_execution.py of the component Agent Execution Endpoint.…
- CVE-2026-6613MEDIUMCVSS 6.3EG 6.32026-04-20
A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function delete_agent/stop_schedule/get_schedule_data of the file superagi/controllers/agent.py. The manipulation of the argument agent_id leads to…
- CVE-2026-6614MEDIUMCVSS 6.3EG 6.32026-04-20
A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulat…
- CVE-2026-6634MEDIUMCVSS 6.3EG 6.32026-04-20
A weakness has been identified in usememos memos up to 0.22.1. This affects the function memos_access_token of the file src/App.tsx of the component UpdateInstanceSetting. This manipulation of the argument additionalStyle/additionalScript …
- CVE-2026-6938MEDIUMCVSS 6.5EG 6.52026-05-27
IBM Db2 12.1.0 through 12.1.4 is vulnerable to authorization bypass when uploading to a remote object storage path with a special query.
- CVE-2026-6977HIGHCVSS 7.3EG 7.32026-04-25
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attac…
- CVE-2026-7091MEDIUMCVSS 6.3EG 6.32026-04-27
A flaw has been found in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. Remote exploitation of the …
- CVE-2026-7092MEDIUMCVSS 6.3EG 6.32026-04-27
A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. Th…
- CVE-2026-7093MEDIUMCVSS 6.3EG 6.32026-04-27
A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID resu…
- CVE-2026-7109MEDIUMCVSS 5.3EG 5.32026-04-27
A vulnerability was detected in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /item of the component API Endpoint. Performing a manipulation results in improper authorization. It is possible to i…
- CVE-2026-7142MEDIUMCVSS 6.3EG 6.32026-04-27
A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It…
- CVE-2026-7144MEDIUMCVSS 4.3EG 4.32026-04-27
A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. T…
- CVE-2026-7145MEDIUMCVSS 5.4EG 5.42026-04-27
A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the …
- CVE-2026-7292MEDIUMCVSS 5.6EG 5.62026-04-28
A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely…
- CVE-2026-7502MEDIUMCVSS 5.4EG 5.42026-04-30
A security vulnerability has been detected in LinkStackOrg LinkStack up to 4.8.6. The affected element is the function saveLink of the file app/Http/Controllers/UserController.php of the component Management Endpoint. The manipulation lead…
- CVE-2026-7505HIGHCVSS 7.3EG 7.32026-04-30
A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit…
- CVE-2026-7510MEDIUMCVSS 6.3EG 6.32026-04-30
A vulnerability was determined in OWAP DefectDojo up to 2.55.4. Affected by this vulnerability is an unknown functionality of the component Benchmark/Engagement/Product/Survey. Executing a manipulation can lead to authorization bypass. The…
- CVE-2026-7602MEDIUMCVSS 6.3EG 6.32026-05-02
A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in im…
- CVE-2026-7631MEDIUMCVSS 5.4EG 5.42026-05-02
A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument Username results in improper authorizatio…
- CVE-2026-7644HIGHCVSS 7.3EG 7.32026-05-02
A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. …
- CVE-2026-7663CRITICALCVSS 9.8EG 9.12026-06-30
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
- CVE-2026-7681MEDIUMCVSS 6.5EG 6.52026-05-03
A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of t…
- CVE-2026-7702MEDIUMCVSS 5.3EG 5.32026-05-03
A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in aut…
- CVE-2026-7709MEDIUMCVSS 6.3EG 6.32026-05-03
A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improp…
- CVE-2026-7713MEDIUMCVSS 6.3EG 6.32026-05-04
A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation resu…
- CVE-2026-7782MEDIUMCVSS 6.3EG 6.32026-05-04
A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in a…
- CVE-2026-8027MEDIUMCVSS 4.3EG 4.32026-05-06
A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/emai…
- CVE-2026-8196LOWCVSS 3.7EG 3.72026-05-09
A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java of the component mLogin Endpoint.…
- CVE-2026-8241MEDIUMCVSS 5.3EG 5.32026-05-10
A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation leads to improper authorization. The attack…
- CVE-2026-8743MEDIUMCVSS 6.3EG 6.32026-05-17
A vulnerability was found in Open5GS up to 2.7.6. This impacts the function ran_ue_find_by_amf_ue_ngap_id of the file src/amf/context.c of the component AMF/MME. Performing a manipulation results in improper authorization. It is possible t…
- CVE-2026-8747MEDIUMCVSS 6.3EG 6.32026-05-17
A weakness has been identified in Z-BlogPHP 1.7.4.3430. This affects the function CheckComment of the file zb_system/function/c_system_event.php of the component Commend Approval Handler. This manipulation causes improper authorization. Th…
- CVE-2026-8786MEDIUMCVSS 6.3EG 6.32026-05-18
A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation o…
- CVE-2026-9306LOWCVSS 3.7EG 3.72026-05-26
A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipula…
- CVE-2026-9376MEDIUMCVSS 6.3EG 6.32026-05-24
A vulnerability was determined in JPress up to 1.0.3. The affected element is an unknown function of the file /ucenter/article/doWriteSave of the component UCenter Article Submission Endpoint. Executing a manipulation of the argument id/us…
- CVE-2026-9397HIGHCVSS 8.1EG 8.12026-05-24
A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The at…
Map vulnerabilities like CWE-285 to your infrastructure
EchelonGraph correlates every CVE — across CWE-285 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →