CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 31 of 38
- CVE-2026-39386HIGHCVSS 8.8EG 8.82026-04-21
Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (me…
- CVE-2026-39510LOWCVSS 2.7EG 2.72026-04-08
Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image …
- CVE-2026-39518HIGHCVSS 7.1EG 7.12026-06-15
Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.
- CVE-2026-39526MEDIUMCVSS 5.4EG 5.42026-04-08
Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2.
- CVE-2026-39616MEDIUMCVSS 5.3EG 5.32026-04-08
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a …
- CVE-2026-39942HIGHCVSS 8.5EG 8.52026-04-09
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another…
- CVE-2026-39967LOWCVSS 3.1EG 3.12026-05-22
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a differen…
- CVE-2026-39968HIGHCVSS 7.1EG 7.12026-05-22
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endp…
- CVE-2026-3999HIGHCVSS 8.8EG 8.82026-03-13
A broken access control may allow an authenticated user to perform a horizontal privilege escalation. The vulnerability only impacts specific configurations.
- CVE-2026-40043MEDIUMCVSS 6.5EG 6.52026-04-13
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-cont…
- CVE-2026-40127MEDIUMCVSS 5.3EG 5.32026-05-25
OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as applica…
- CVE-2026-40252HIGHCVSS 8.1EG 8.12026-04-10
FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the…
- CVE-2026-40308HIGHCVSS 8.8EG 8.82026-04-16
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation…
- CVE-2026-40480HIGHCVSS 7.1EG 7.12026-04-18
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView…
- CVE-2026-40570MEDIUMCVSS 5.7EG 5.72026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox…
- CVE-2026-40589HIGHCVSS 7.6EG 7.62026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses…
- CVE-2026-40590MEDIUMCVSS 4.3EG 4.32026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoin…
- CVE-2026-40591HIGHCVSS 7.1EG 7.12026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer…
- CVE-2026-40600HIGHCVSS 8.1EG 8.12026-04-30
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePol…
- CVE-2026-40737MEDIUMCVSS 5.3EG 5.32026-04-15
Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects COMPE: from n/a through <= 1.1.4.
- CVE-2026-40768HIGHCVSS 7.3EG 7.32026-06-17
Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.
- CVE-2026-40784HIGHCVSS 8.1EG 8.12026-04-15
Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1…
- CVE-2026-40792MEDIUMCVSS 6.3EG 6.32026-06-15
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
- CVE-2026-40865HIGHCVSS 7.1EG 7.12026-04-21
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by chang…
- CVE-2026-40866HIGHCVSS 8.6EG 8.62026-04-21
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another empl…
- CVE-2026-40867HIGHCVSS 7.1EG 7.12026-04-21
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing t…
- CVE-2026-40896MEDIUMCVSS 6.5EG 6.52026-04-20
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — eve…
- CVE-2026-40907MEDIUMCVSS 6.5EG 6.52026-04-21
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user wit…
- CVE-2026-40981HIGHCVSS 7.5EG 7.52026-05-07
When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 t…
- CVE-2026-41084HIGHCVSS 7.5EG 7.52026-06-01
A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_…
- CVE-2026-41127MEDIUMCVSS 6.5EG 6.52026-04-22
BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known …
- CVE-2026-41141MEDIUMCVSS 6.5EG 6.52026-05-28
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) …
- CVE-2026-41160MEDIUMCVSS 4.3EG 4.32026-05-28
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit perm…
- CVE-2026-41267HIGHCVSS 8.1EG 8.12026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticate…
- CVE-2026-41277HIGHCVSS 8.8EG 8.82026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and …
- CVE-2026-41279HIGHCVSS 7.5EG 7.52026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId dire…
- CVE-2026-41372MEDIUMCVSS 5.8EG 5.82026-04-28
OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authentic…
- CVE-2026-41406MEDIUMCVSS 5.4EG 5.42026-04-28
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context messages to bypass sender allowlist restr…
- CVE-2026-41471HIGHCVSS 7.5EG 7.52026-05-04
The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order r…
- CVE-2026-4160MEDIUMCVSS 5.3EG 5.32026-04-16
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21.…
- CVE-2026-41649HIGHCVSS 7.7EG 7.72026-04-28
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` ar…
- CVE-2026-41878HIGHCVSS 7.1EG 7.12026-07-10
R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authen…
- CVE-2026-41906HIGHCVSS 7.1EG 7.12026-05-07
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend con…
- CVE-2026-41947CRITICALCVSS 9.1EG 7.42026-05-18
Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenan…
- CVE-2026-41949HIGHCVSS 7.5EG 5.92026-05-18
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only …
- CVE-2026-41950MEDIUMCVSS 6.5EG 6.52026-05-05
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files ar…
- CVE-2026-42097HIGHCVSS 8.8EG 8.82026-05-19
Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication.…
- CVE-2026-42205HIGHCVSS 8.8EG 8.82026-05-08
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenti…
- CVE-2026-42227MEDIUMCVSS 6.5EG 6.52026-05-04
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying…
- CVE-2026-42276MEDIUMCVSS 4.3EG 4.32026-05-08
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentic…
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →