CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 34 of 38
- CVE-2026-49141HIGHCVSS 7.1EG 7.12026-06-08
WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled c…
- CVE-2026-49192MEDIUMCVSS 5.4EG 5.42026-06-04
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.
- CVE-2026-49258HIGHCVSS 8.8EG 8.82026-06-26
Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete) ## Summary The web UI (`/ui/*`) does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5…
- CVE-2026-49296MEDIUMCVSS 6.5EG 6.52026-07-07
Before apache-airflow 3.3.0, a user authorized to read one Dag could disclose the source of other Dags co-located in the same source file. `GET /api/v2/dagSources/{dag_id}` — and the equivalent Dag-source view in the UI — returned the …
- CVE-2026-49338HIGHCVSS 7.1EG 7.12026-06-19
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once …
- CVE-2026-49339HIGHCVSS 7.1EG 7.12026-06-19
gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID…
- CVE-2026-49355MEDIUMCVSS 4.3EG 4.32026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/in…
- CVE-2026-49386MEDIUMCVSS 6.5EG 6.52026-05-29
In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
- CVE-2026-49858MEDIUMCVSS 5.9EG 5.92026-07-01
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribu…
- CVE-2026-50141HIGHCVSS 7.1EG 7.12026-06-18
Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `age…
- CVE-2026-50194HIGHCVSS 8.2EG 8.22026-06-17
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate…
- CVE-2026-50283MEDIUMCVSS 5.3EG 5.32026-07-01
Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete…
- CVE-2026-50530HIGHCVSS 7.1EG 7.12026-07-07
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs i…
- CVE-2026-5135MEDIUMCVSS 6.5EG 6.52026-07-01
A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field …
- CVE-2026-5138MEDIUMCVSS 4.3EG 4.32026-07-01
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organ…
- CVE-2026-5142MEDIUMCVSS 6.5EG 6.52026-07-01
A flaw was found in foreman. Authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulner…
- CVE-2026-5167MEDIUMCVSS 5.3EG 5.32026-04-08
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook si…
- CVE-2026-51923HIGHCVSS 8.1EG 8.12026-07-09
An Insecure Direct Object Reference (IDOR) vulnerability exists in docuForm GmbH Client v.11.11c allowing a remote attacker to execute arbitrary code via the user settings component, and modify or retrieve sensitive data associated with ot…
- CVE-2026-51924HIGHCVSS 8.1EG 8.12026-07-09
An issue in docuForm GmbH Client v.11.11c allows a remote attacker to execute arbitrary code via the file upload and report.php component
- CVE-2026-51925HIGHCVSS 8.1EG 8.12026-07-09
A Local File Inclusion (LFI) vulnerability exists in docuForm GmbH Client v.11.11c that allows a remote attacker to execute arbitrary code via the dfm-menu_report.php component. Attackers can exploit this flaw to read arbitrary files on th…
- CVE-2026-5199LOWCVSS 2.3EG 2.32026-04-01
A writer role user in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster. Exploitation requires the attacker to know or guess specific victim workflow ID(s) an…
- CVE-2026-5234MEDIUMCVSS 5.3EG 5.32026-04-17
The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action …
- CVE-2026-5246MEDIUMCVSS 5.6EG 5.62026-04-02
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypas…
- CVE-2026-52699HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.
- CVE-2026-52779MEDIUMCVSS 5.4EG 5.42026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one…
- CVE-2026-52782CRITICALCVSS 9.9EG 9.92026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" lea…
- CVE-2026-52799HIGHCVSS 7.5EG 7.52026-06-22
Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository.…
- CVE-2026-52812HIGHCVSS 7.1EG 7.12026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpl…
- CVE-2026-5309MEDIUMCVSS 5.4EG 5.42026-06-25
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to read or modify another group'…
- CVE-2026-5326MEDIUMCVSS 5.3EG 5.32026-04-02
A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to…
- CVE-2026-5337MEDIUMCVSS 6.5EG 6.52026-05-03
During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager P…
- CVE-2026-53470HIGHCVSS 8.1EG 9.62026-06-10
A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain…
- CVE-2026-53471HIGHCVSS 7.7EG 9.62026-06-10
A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens agai…
- CVE-2026-5348MEDIUMCVSS 5.3EG 5.32026-07-02
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being r…
- CVE-2026-53552CRITICALCVSS 9.6EG 9.62026-07-07
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers ### Summary `Project.AddFile`, `Project.EditFile`, `Project.RemoveFile`, and `Project.Edit` in `cmd/server/api/project/handler.go` accept …
- CVE-2026-53643HIGHCVSS 8.7EG 8.72026-07-06
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the `can_alway…
- CVE-2026-53644HIGHCVSS 8.6EG 8.62026-07-06
FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an `active` state (e.g., `sus…
- CVE-2026-53673HIGHCVSS 8.1EG 8.12026-06-10
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attacker…
- CVE-2026-53675MEDIUMCVSS 4.3EG 4.32026-06-10
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an …
- CVE-2026-53726MEDIUMCVSS 6.9EG 6.92026-06-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation fiel…
- CVE-2026-53729HIGHCVSS 8.7EG 8.72026-07-07
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download (/exportCenter/download/{id}), delete (/exportCenter/delete), retry (/exportCenter/retry/{id}), or generate download lin…
- CVE-2026-53863MEDIUMCVSS 6.5EG 7.12026-06-16
OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions …
- CVE-2026-53903HIGHCVSS 8.1EG 8.12026-07-01
MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is auth…
- CVE-2026-53911MEDIUMCVSS 6.3EG 6.32026-06-11
Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible,…
- CVE-2026-5395HIGHCVSS 8.2EG 8.22026-05-14
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function …
- CVE-2026-5396HIGHCVSS 8.2EG 8.22026-05-14
The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, mod…
- CVE-2026-54006MEDIUMCVSS 4.3EG 4.32026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write access to the calendar the event current…
- CVE-2026-54009MEDIUMCVSS 6.5EG 6.52026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an image_url.url value that, when it does NOT start with http://, https://, or data:image…
- CVE-2026-54010HIGHCVSS 8.3EG 8.32026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether the…
- CVE-2026-54015MEDIUMCVSS 6.4EG 6.42026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs…
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →