CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 29 of 38
- CVE-2026-24991MEDIUMCVSS 5.3EG 5.32026-02-03
Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extensions For CF7: from n/a thro…
- CVE-2026-25005MEDIUMCVSS 5.3EG 5.32026-02-19
Authorization Bypass Through User-Controlled Key vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Frontend File Manager: fro…
- CVE-2026-25197CRITICALCVSS 9.1EG 9.12026-04-03
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.
- CVE-2026-25324MEDIUMCVSS 5.3EG 5.32026-02-19
Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master…
- CVE-2026-25497HIGHCVSS 8.8EG 8.82026-02-09
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user w…
- CVE-2026-25530MEDIUMCVSS 4.3EG 4.32026-02-10
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. Th…
- CVE-2026-2554HIGHCVSS 8.1EG 8.12026-05-02
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcf…
- CVE-2026-25563HIGHCVSS 7.5EG 7.52026-02-07
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross…
- CVE-2026-25564HIGHCVSS 7.5EG 7.52026-02-07
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross…
- CVE-2026-25567MEDIUMCVSS 4.3EG 4.32026-02-07
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author b…
- CVE-2026-25574MEDIUMCVSS 5.4EG 5.42026-02-06
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection…
- CVE-2026-25654HIGHCVSS 8.8EG 8.82026-04-14
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass …
- CVE-2026-25757MEDIUMCVSS 5.3EG 5.32026-02-06
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest u…
- CVE-2026-25758HIGHCVSS 7.5EG 7.52026-02-06
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating …
- CVE-2026-25782MEDIUMCVSS 5.3EG 5.32026-07-03
Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.
- CVE-2026-2697MEDIUMCVSS 6.3EG 6.32026-02-23
An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.
- CVE-2026-2729MEDIUMCVSS 5.3EG 5.32026-05-05
The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacke…
- CVE-2026-27329MEDIUMCVSS 5.3EG 5.32026-05-07
Authorization Bypass Through User-Controlled Key vulnerability in YITH YITH WooCommerce Wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Wishlist: from n/a through 4.12.…
- CVE-2026-27397MEDIUMCVSS 6.5EG 6.52026-03-19
Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: …
- CVE-2026-27657HIGHCVSS 7.5EG 7.52026-07-03
Gitea versions before 1.25.5 allow a user to change another user's primary email address.
- CVE-2026-27708HIGHCVSS 7.1EG 7.12026-06-24
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authent…
- CVE-2026-27881MEDIUMCVSS 5.0EG 5.02026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the …
- CVE-2026-27883MEDIUMCVSS 5.0EG 5.02026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging…
- CVE-2026-27956MEDIUMCVSS 4.3EG 4.32026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query par…
- CVE-2026-28444MEDIUMCVSS 6.5EG 6.52026-05-22
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the autho…
- CVE-2026-28736MEDIUMCVSS 4.3EG 4.32026-04-03
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a s…
- CVE-2026-28740HIGHCVSS 7.1EG 7.12026-07-03
Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.
- CVE-2026-28747HIGHCVSS 7.1EG 7.12026-04-27
A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.
- CVE-2026-2879MEDIUMCVSS 5.4EG 5.42026-03-13
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST AP…
- CVE-2026-2888MEDIUMCVSS 5.3EG 5.32026-03-13
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting…
- CVE-2026-29002HIGHCVSS 7.2EG 7.22026-04-10
CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter …
- CVE-2026-2917MEDIUMCVSS 5.4EG 5.42026-03-11
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method o…
- CVE-2026-2918MEDIUMCVSS 6.4EG 6.42026-03-11
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method us…
- CVE-2026-29200CRITICALCVSS 9.9EG 9.92026-05-04
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same se…
- CVE-2026-29204CRITICALCVSS 9.1EG 10.02026-05-12
Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account.
- CVE-2026-2997MEDIUMCVSS 5.4EG 5.42026-02-23
Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers to modify a specific parameter to obtain a course invitation code, thereby joining any co…
- CVE-2026-3020HIGHCVSS 8.6EG 8.62026-03-16
Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password.…
- CVE-2026-3073MEDIUMCVSS 4.3EG 4.32026-05-14
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI pack…
- CVE-2026-3074MEDIUMCVSS 4.3EG 4.32026-05-14
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inacce…
- CVE-2026-31150MEDIUMCVSS 4.3EG 4.32026-04-06
Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.
- CVE-2026-3124HIGHCVSS 7.5EG 7.52026-03-30
The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it pos…
- CVE-2026-3139MEDIUMCVSS 4.3EG 4.32026-03-31
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value…
- CVE-2026-3173MEDIUMCVSS 6.5EG 6.52026-05-28
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block at…
- CVE-2026-31956MEDIUMCVSS 4.3EG 4.32026-04-24
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export …
- CVE-2026-32039MEDIUMCVSS 5.9EG 5.92026-03-19
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can ex…
- CVE-2026-32533MEDIUMCVSS 6.5EG 6.52026-03-25
Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.
- CVE-2026-32535MEDIUMCVSS 6.5EG 6.52026-03-25
Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through <= 3.0.3.
- CVE-2026-32589MEDIUMCVSS 6.3EG 7.12026-04-08
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they d…
- CVE-2026-32894HIGHCVSS 7.1EG 7.12026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result …
- CVE-2026-32930HIGHCVSS 7.1EG 7.12026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (…
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →