CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 28 of 38
- CVE-2026-2104MEDIUMCVSS 4.3EG 4.32026-04-08
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users…
- CVE-2026-21409MEDIUMCVSS 5.9EG 5.92026-01-09
Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the produ…
- CVE-2026-21447HIGHCVSS 7.1EG 7.12026-01-02
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's …
- CVE-2026-21721HIGHCVSS 8.1EG 8.12026-01-27
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on othe…
- CVE-2026-22050MEDIUMCVSS 4.3EG 4.32026-01-12
ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none.
- CVE-2026-22234CRITICALCVSS 9.8EG 9.82026-01-08
OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new fil…
- CVE-2026-22235HIGHCVSS 7.5EG 7.52026-01-08
OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files.
- CVE-2026-2230MEDIUMCVSS 4.3EG 4.32026-02-18
The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it …
- CVE-2026-22383HIGHCVSS 7.5EG 7.52026-02-20
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PawF…
- CVE-2026-22391MEDIUMCVSS 5.4EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cocco: from n/a through <= 1.5.1.
- CVE-2026-22393MEDIUMCVSS 5.4EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Curly: from n/a through <= 3.3.
- CVE-2026-22396MEDIUMCVSS 5.4EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fiorello: from n/a through <= 1.0.
- CVE-2026-22398MEDIUMCVSS 5.4EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fleur: from n/a through <= 2.0.
- CVE-2026-22400MEDIUMCVSS 5.4EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Holmes: from n/a through <= 1.7.
- CVE-2026-22404LOWCVSS 3.8EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Innovio: from n/a through <= 1.7.
- CVE-2026-22406LOWCVSS 3.8EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Overton: from n/a through <= 1.3.
- CVE-2026-22407LOWCVSS 3.8EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Roam: from n/a through <= 2.1.1.
- CVE-2026-22409LOWCVSS 3.8EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through <= 1.2.
- CVE-2026-22411LOWCVSS 3.8EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Dolcino dolcino allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dolcino: from n/a through <= 1.6.
- CVE-2026-22426MEDIUMCVSS 5.4EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2.
- CVE-2026-22430MEDIUMCVSS 5.4EG 5.42026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Verdure verdure allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Verdure: from n/a through <= 1.6.
- CVE-2026-22489MEDIUMCVSS 4.3EG 4.32026-01-08
Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow image-slider-slideshow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider Slideshow: fr…
- CVE-2026-2257MEDIUMCVSS 6.4EG 6.42026-03-13
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authent…
- CVE-2026-22588MEDIUMCVSS 6.5EG 6.52026-01-08
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated use…
- CVE-2026-22589HIGHCVSS 7.5EG 7.52026-01-10
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated…
- CVE-2026-2347CRITICALCVSS 9.8EG 9.82026-05-14
Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001.
- CVE-2026-23478CRITICALCVSS 9.8EG 9.82026-01-13
Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email ad…
- CVE-2026-23522LOWCVSS 3.7EG 3.72026-01-19
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `us…
- CVE-2026-23638MEDIUMCVSS 6.5EG 6.52026-06-01
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configura…
- CVE-2026-2366LOWCVSS 3.1EG 3.12026-03-12
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This infor…
- CVE-2026-23754HIGHCVSS 8.8EG 8.82026-01-21
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other u…
- CVE-2026-23843HIGHCVSS 7.1EG 7.12026-01-19
teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability ex…
- CVE-2026-23844MEDIUMCVSS 4.3EG 4.32026-01-19
Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue.
- CVE-2026-23964MEDIUMCVSS 6.5EG 6.52026-01-22
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update an…
- CVE-2026-2398HIGHCVSS 8.8EG 8.82026-07-10
Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows Privilege Escalation. This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about…
- CVE-2026-24134MEDIUMCVSS 6.5EG 6.52026-01-28
StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "V…
- CVE-2026-24136HIGHCVSS 7.5EG 7.52026-01-24
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensi…
- CVE-2026-24178CRITICALCVSS 9.8EG 9.82026-04-28
NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may…
- CVE-2026-24379MEDIUMCVSS 6.5EG 9.12026-01-22
Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.3.
- CVE-2026-24599MEDIUMCVSS 5.3EG 5.32026-01-23
Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NextMove Lite: from n/a t…
- CVE-2026-24631MEDIUMCVSS 5.4EG 5.42026-01-23
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rosebud: from n/a through <= 1.4.
- CVE-2026-24634MEDIUMCVSS 5.3EG 5.32026-01-23
Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Reviews: from n/a through <=…
- CVE-2026-24753MEDIUMCVSS 6.5EG 6.52026-06-01
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to ins…
- CVE-2026-24755MEDIUMCVSS 5.4EG 5.42026-06-01
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other u…
- CVE-2026-24756MEDIUMCVSS 4.3EG 4.32026-06-01
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to ins…
- CVE-2026-24761MEDIUMCVSS 4.3EG 4.32026-06-01
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other user…
- CVE-2026-24773HIGHCVSS 7.5EG 7.52026-02-03
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal fil…
- CVE-2026-24776MEDIUMCVSS 4.3EG 4.32026-02-06
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (…
- CVE-2026-24900MEDIUMCVSS 6.5EG 6.52026-02-09
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile o…
- CVE-2026-24950HIGHCVSS 7.5EG 7.52026-02-20
Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Authorsy: from n/a through <= 1.0.6.
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →