CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,857 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 21 of 38
- CVE-2025-27433MEDIUMCVSS 4.3EG 4.32025-03-11
The Manage Bank Statements in SAP S/4HANA allows authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's…
- CVE-2025-27436MEDIUMCVSS 4.3EG 4.32025-03-11
The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a…
- CVE-2025-27507CRITICALCVSS 9.0EG 9.02025-03-04
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, with…
- CVE-2025-27561MEDIUMCVSS 5.3EG 5.32025-04-15
Unauthenticated attackers can rename "rooms" of arbitrary users.
- CVE-2025-27565MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.
- CVE-2025-27568MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.
- CVE-2025-27575MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
- CVE-2025-27719MEDIUMCVSS 5.3EG 5.32025-04-15
Unauthenticated attackers can query an API endpoint and get device details.
- CVE-2025-27927MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.
- CVE-2025-27929MEDIUMCVSS 5.3EG 5.32025-04-15
Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.
- CVE-2025-27938MEDIUMCVSS 5.3EG 5.32025-04-15
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
- CVE-2025-27939HIGHCVSS 7.5EG 7.52025-04-15
An attacker can change registered email addresses of other users and take over arbitrary accounts.
- CVE-2025-28874MEDIUMCVSS 6.5EG 6.52025-03-11
Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Email Assign Templa…
- CVE-2025-30254MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username.
- CVE-2025-30257MEDIUMCVSS 5.3EG 5.32025-04-15
Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.
- CVE-2025-30514MEDIUMCVSS 5.3EG 5.32025-04-15
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
- CVE-2025-30777MEDIUMCVSS 4.3EG 4.32025-03-27
Authorization Bypass Through User-Controlled Key vulnerability in DevItems Support Genix support-genix-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Support Genix: from n/a through <= 1.4.1…
- CVE-2025-3089MEDIUMCVSS 5.3EG 5.32025-08-12
ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically…
- CVE-2025-3091HIGHCVSS 7.5EG 7.52025-06-24
An low privileged remote attacker in possession of the second factor for another user can login as that user without knowledge of the other user`s password.
- CVE-2025-31147MEDIUMCVSS 5.3EG 5.32025-04-15
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
- CVE-2025-31357MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can obtain a user's plant list by knowing the username.
- CVE-2025-31360MEDIUMCVSS 6.5EG 6.52025-04-15
Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
- CVE-2025-31654MEDIUMCVSS 5.3EG 5.32025-04-15
An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
- CVE-2025-31833MEDIUMCVSS 4.9EG 4.92025-04-01
Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing job-board-light allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoard Job listing: from n/a thro…
- CVE-2025-31867MEDIUMCVSS 5.4EG 5.42025-04-01
Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Job Manager js-jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Job Manager: from n/a through <= 2.0.2.
- CVE-2025-31933MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can check the existence of usernames in the system by querying an API.
- CVE-2025-31941MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
- CVE-2025-31945MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can obtain other users' charger information.
- CVE-2025-31949MEDIUMCVSS 5.3EG 5.32025-04-15
An authenticated attacker can obtain any plant name by knowing the plant ID.
- CVE-2025-31950MEDIUMCVSS 5.3EG 5.32025-04-15
An unauthenticated attacker can obtain EV charger energy consumption information of other users.
- CVE-2025-31997MEDIUMCVSS 4.2EG 4.22025-10-12
HCL Unica Centralized Offer Management is vulnerable to Insecure Direct Object References (IDOR). An attacker can bypass authorization and access resources in the system directly, for example database records or files.
- CVE-2025-32223MEDIUMCVSS 6.5EG 6.52026-03-19
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4.
- CVE-2025-32373MEDIUMCVSS 6.5EG 6.52025-04-09
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In limited configurations, registered users may be able to craft a request to enumerate/access some portal files they should not …
- CVE-2025-3281MEDIUMCVSS 5.3EG 5.32025-05-06
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscrip…
- CVE-2025-3282MEDIUMCVSS 5.3EG 5.32025-04-12
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_memb…
- CVE-2025-3292MEDIUMCVSS 4.3EG 4.32025-04-12
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_upda…
- CVE-2025-34140HIGHCVSS 8.7EG 8.72025-07-22
An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited…
- CVE-2025-34293HIGHCVSS 8.6EG 8.62025-10-24
GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and re…
- CVE-2025-34435HIGHCVSS 8.7EG 6.52025-12-17
AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to veri…
- CVE-2025-34436HIGHCVSS 8.7EG 8.82025-12-17
AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownershi…
- CVE-2025-34437HIGHCVSS 8.7EG 8.82025-12-17
AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to ar…
- CVE-2025-34438MEDIUMCVSS 5.3EG 8.12025-12-17
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce owner…
- CVE-2025-3519HIGHCVSS 7.0EG 7.02025-04-22
An authorization bypass in Unblu Spark allows a participant of a conversation to replace an existing, uploaded file. Every uploaded file in Unblu gets assigned with a randomly generated Universally Unique ID (UUID). In case a particip…
- CVE-2025-3536MEDIUMCVSS 6.5EG 6.52025-04-13
A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to…
- CVE-2025-3537MEDIUMCVSS 5.3EG 5.32025-04-13
A vulnerability was found in Tutorials-Website Employee Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/update-user.php. The manipulation of the argument ID leads to improper autho…
- CVE-2025-3574HIGHCVSS 8.7EG 8.72025-04-15
Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/obtenerFamiliaUsuario" endpoint.
- CVE-2025-3575HIGHCVSS 8.7EG 8.72025-04-15
Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/establecerUsuarioSeleccion" endpoint.
- CVE-2025-36023MEDIUMCVSS 6.5EG 6.52025-08-08
IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled…
- CVE-2025-3605CRITICALCVSS 9.8EG 9.82025-05-09
The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.1. This is due to the plugin not properly validating a user's identity pri…
- CVE-2025-3610HIGHCVSS 8.8EG 8.82025-05-06
The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their det…
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →