CWE-551— Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.— MITRE CWE catalog
23 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-551page 1 of 1
- CVE-2016-20030CRITICALCVSS 9.8EG 9.82026-03-16
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginA…
- CVE-2021-28164MEDIUMCVSS 5.3EG 9.02021-04-01
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/…
- CVE-2021-28165HIGHCVSS 7.5EG 7.52021-04-01
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
- CVE-2021-31384HIGHCVSS 7.2EG 7.22021-10-19
Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web a…
- CVE-2021-32777HIGHCVSS 8.6EG 8.62021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge m…
- CVE-2021-32779HIGHCVSS 8.6EG 8.62021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with…
- CVE-2021-34429MEDIUMCVSS 5.3EG 9.02021-07-15
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the v…
- CVE-2023-23924CRITICALCVSS 10.0EG 10.02023-02-01
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrappe…
- CVE-2026-0707MEDIUMCVSS 5.3EG 5.32026-01-08
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case …
- CVE-2026-13676HIGHCVSS 7.5EG 7.52026-06-29
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its o…
- CVE-2026-22754HIGHCVSS 7.5EG 7.52026-04-22
Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and t…
- CVE-2026-2293CRITICALCVSS 9.8EG 9.82026-02-27
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13.
- CVE-2026-28808HIGHCVSS 7.4EG 9.82026-04-07
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside Documen…
- CVE-2026-33186CRITICALCVSS 9.1EG 9.12026-03-20
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic,…
- CVE-2026-39852HIGHCVSS 8.2EG 8.22026-05-05
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows…
- CVE-2026-40022HIGHCVSS 8.2EG 8.22026-04-27
When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.pat…
- CVE-2026-44573HIGHCVSS 7.5EG 7.52026-05-13
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized acces…
- CVE-2026-44574HIGHCVSS 8.1EG 8.12026-05-13
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployme…
- CVE-2026-44575HIGHCVSS 7.5EG 7.52026-05-13
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through …
- CVE-2026-45832HIGHCVSS 8.1EG 8.82026-06-12
All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
- CVE-2026-4636HIGHCVSS 8.1EG 8.12026-04-02
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation req…
- CVE-2026-50559HIGHCVSS 7.5EG 7.52026-06-19
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons…
- CVE-2026-57920HIGHCVSS 7.7EG 7.72026-06-26
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
Map vulnerabilities like CWE-551 to your infrastructure
EchelonGraph correlates every CVE — across CWE-551 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →