CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 33 of 38
- CVE-2026-45386MEDIUMCVSS 4.3EG 4.32026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it…
- CVE-2026-45398HIGHCVSS 7.5EG 7.52026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base…
- CVE-2026-45402HIGHCVSS 8.1EG 8.12026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder k…
- CVE-2026-45550CRITICALCVSS 9.1EG 9.12026-06-10
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which va…
- CVE-2026-45551MEDIUMCVSS 5.1EG 5.12026-05-29
Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/sa…
- CVE-2026-45552CRITICALCVSS 9.9EG 9.92026-06-10
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The indiv…
- CVE-2026-45563MEDIUMCVSS 4.3EG 4.32026-06-10
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no auth…
- CVE-2026-45666MEDIUMCVSS 6.5EG 6.52026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes …
- CVE-2026-45671HIGHCVSS 8.0EG 8.02026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file …
- CVE-2026-45732HIGHCVSS 8.1EG 8.12026-06-23
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user wi…
- CVE-2026-45743HIGHCVSS 8.1EG 8.12026-06-05
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified…
- CVE-2026-45746CRITICALCVSS 9.0EG 9.02026-06-05
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to i…
- CVE-2026-45750CRITICALCVSS 9.0EG 9.02026-06-05
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processe…
- CVE-2026-45760HIGHCVSS 8.1EG 8.12026-05-21
(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the …
- CVE-2026-45810MEDIUMCVSS 6.8EG 6.82026-06-01
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment,…
- CVE-2026-45830HIGHCVSS 8.1EG 8.82026-06-12
A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belon…
- CVE-2026-45832HIGHCVSS 8.1EG 8.82026-06-12
All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
- CVE-2026-4630MEDIUMCVSS 6.8EG 6.82026-05-19
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUI…
- CVE-2026-46390MEDIUMCVSS 6.9EG 6.92026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and g…
- CVE-2026-46407HIGHCVSS 8.1EG 8.12026-05-15
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API …
- CVE-2026-46408HIGHCVSS 7.6EG 7.62026-05-15
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart …
- CVE-2026-46414HIGHCVSS 8.8EG 8.82026-05-27
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connectio…
- CVE-2026-46441CRITICALCVSS 9.6EG 9.62026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users …
- CVE-2026-46453MEDIUMCVSS 5.3EG 5.32026-07-06
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel ElasticSearch Rest Client. The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - S…
- CVE-2026-4654MEDIUMCVSS 5.3EG 5.32026-04-08
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing …
- CVE-2026-46544MEDIUMCVSS 5.3EG 5.32026-05-27
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session …
- CVE-2026-46558HIGHCVSS 8.3EG 8.32026-06-10
Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has b…
- CVE-2026-46585HIGHCVSS 7.5EG 7.52026-07-06
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene Component. The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose val…
- CVE-2026-46721MEDIUMCVSS 6.9EG 6.92026-05-19
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly regis…
- CVE-2026-46764MEDIUMCVSS 4.3EG 4.32026-06-01
The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` a…
- CVE-2026-47068LOWCVSS 2.3EG 2.32026-05-20
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 i…
- CVE-2026-47101HIGHCVSS 8.8EG 8.82026-05-21
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes …
- CVE-2026-47189HIGHCVSS 8.3EG 8.32026-06-11
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guil…
- CVE-2026-47238MEDIUMCVSS 6.5EG 6.52026-06-11
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or de…
- CVE-2026-47266HIGHCVSS 8.7EG 8.72026-05-29
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is f…
- CVE-2026-47378MEDIUMCVSS 6.9EG 6.92026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column…
- CVE-2026-47388LOWCVSS 2.3EG 2.32026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and …
- CVE-2026-47713MEDIUMCVSS 4.3EG 4.32026-05-28
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user …
- CVE-2026-47715LOWCVSS 3.1EG 3.12026-05-26
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL…
- CVE-2026-47716LOWCVSS 3.1EG 3.12026-05-26
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiri…
- CVE-2026-48067MEDIUMCVSS 6.5EG 6.52026-06-11
Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to sco…
- CVE-2026-48206MEDIUMCVSS 5.3EG 5.32026-07-06
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel JIRA component. The camel-jira producers read their operation parameters - the issue key, project key, transition id, summary, type,…
- CVE-2026-48599HIGHCVSS 7.6EG 7.62026-06-15
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the quer…
- CVE-2026-4868HIGHCVSS 8.2EG 8.22026-05-27
GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI wor…
- CVE-2026-48759HIGHCVSS 7.1EG 7.12026-06-17
TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThemeTemplate and handleDeleteThemeTemplate…
- CVE-2026-48783MEDIUMCVSS 4.8EG 4.82026-06-17
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's clai…
- CVE-2026-48868HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.
- CVE-2026-48872HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
- CVE-2026-4896HIGHCVSS 8.1EG 8.12026-04-04
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX action…
- CVE-2026-49099MEDIUMCVSS 5.3EG 5.32026-07-06
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolve…
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →