CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,859 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 35 of 38
- CVE-2026-54015MEDIUMCVSS 6.4EG 6.42026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs…
- CVE-2026-54016MEDIUMCVSS 4.3EG 4.32026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin search_knowledge_files tool. When nat…
- CVE-2026-54097HIGHCVSS 7.2EG 7.22026-06-12
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser (with create + delete permissions …
- CVE-2026-54105MEDIUMCVSS 5.3EG 5.32026-06-18
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' A…
- CVE-2026-54184HIGHCVSS 8.2EG 8.22026-06-17
Unauthenticated Insecure Direct Object References (IDOR) in Clean Login <= 1.15 versions.
- CVE-2026-54322HIGHCVSS 7.7EG 7.72026-06-16
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization nam…
- CVE-2026-54324MEDIUMCVSS 6.5EG 6.52026-06-17
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to s…
- CVE-2026-54357MEDIUMCVSS 5.1EG 5.12026-06-12
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks…
- CVE-2026-54360HIGHCVSS 8.4EG 8.42026-06-12
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary…
- CVE-2026-54361HIGHCVSS 8.8EG 8.82026-06-12
MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-co…
- CVE-2026-5459MEDIUMCVSS 5.3EG 5.32026-07-08
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the payment_page…
- CVE-2026-54590MEDIUMCVSS 5.9EG 5.92026-07-08
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set…
- CVE-2026-54602HIGHCVSS 7.1EG 7.12026-07-07
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated …
- CVE-2026-5465HIGHCVSS 8.8EG 8.82026-04-07
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to va…
- CVE-2026-54826HIGHCVSS 7.6EG 7.62026-06-26
Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions.
- CVE-2026-54839HIGHCVSS 7.5EG 7.52026-06-26
Unauthenticated Sensitive Data Exposure in Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 versions.
- CVE-2026-55197MEDIUMCVSS 6.5EG 6.52026-06-17
Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directl…
- CVE-2026-55198MEDIUMCVSS 6.5EG 6.52026-06-17
Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The _handle_session_export handler in api/routes.py fails to…
- CVE-2026-5523HIGHCVSS 8.8EG 8.82026-07-09
The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that…
- CVE-2026-55255HIGHCVSS 8.4EG 9.0⚠ KEV2026-06-19
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belo…
- CVE-2026-55411MEDIUMCVSS 6.8EG 6.82026-06-25
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.1780-lts, the authenticated endpoint POST /api/data-sources/decrypt returns the decrypted plainte…
- CVE-2026-55418HIGHCVSS 8.6EG 8.62026-07-07
FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that t…
- CVE-2026-55429HIGHCVSS 8.7EG 8.72026-07-06
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insert…
- CVE-2026-55478MEDIUMCVSS 5.4EG 5.42026-07-10
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/{kit_id}/licenses checks whether the caller can edit kits but does not authorize access to the referenced license object, allowing a low-privilege user wi…
- CVE-2026-55515MEDIUMCVSS 5.0EG 5.02026-07-10
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking acces…
- CVE-2026-55516HIGHCVSS 7.7EG 7.72026-07-10
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then fills attacker-controlled fields including asset_id wi…
- CVE-2026-55583HIGHCVSS 7.6EG 7.62026-06-24
Twenty is an open-source CRM (customer relationship management) platform. Prior to 2.9.0, Twenty was vulnerable to a cross-workspace insecure direct object reference (IDOR) in the AI agent monitor's AgentTurnResolver, in packages/twenty-se…
- CVE-2026-55604HIGHCVSS 8.6EG 8.62026-07-09
DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global `SessionStore` accepts caller-supplied `session_id` values without binding them to any authenticated principal o…
- CVE-2026-55611NONECVSS 0.0EG 0.02026-06-24
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the …
- CVE-2026-55670LOWCVSS 2.3EG 2.32026-06-18
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in anot…
- CVE-2026-55880HIGHCVSS 7.1EG 7.12026-07-10
OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only o…
- CVE-2026-55881HIGHCVSS 7.1EG 7.12026-07-10
OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session path parameter, while validateProjectAc…
- CVE-2026-56013MEDIUMCVSS 6.5EG 6.52026-06-25
Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.
- CVE-2026-56048MEDIUMCVSS 6.5EG 6.52026-06-26
Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0 versions.
- CVE-2026-56069HIGHCVSS 7.5EG 7.52026-06-26
Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.
- CVE-2026-5617HIGHCVSS 8.8EG 8.82026-04-15
The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to d…
- CVE-2026-56215HIGHCVSS 8.3EG 8.32026-06-20
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim…
- CVE-2026-56222HIGHCVSS 7.2EG 7.22026-06-23
Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organizati…
- CVE-2026-56229MEDIUMCVSS 6.5EG 6.52026-06-21
Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched app_id and job_id …
- CVE-2026-56230HIGHCVSS 8.8EG 8.82026-07-01
Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant…
- CVE-2026-56385MEDIUMCVSS 4.3EG 4.32026-06-21
Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing…
- CVE-2026-56422CRITICALCVSS 9.4EG 9.42026-06-22
Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uui…
- CVE-2026-56424HIGHCVSS 8.8EG 8.82026-06-22
MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged auth…
- CVE-2026-5652CRITICALCVSS 9.0EG 9.02026-04-21
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
- CVE-2026-56765CRITICALCVSS 9.8EG 9.82026-07-10
Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permis…
- CVE-2026-56772MEDIUMCVSS 4.3EG 4.32026-06-25
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verif…
- CVE-2026-56774MEDIUMCVSS 5.4EG 5.42026-06-25
Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remembe…
- CVE-2026-56780HIGHCVSS 7.5EG 7.52026-06-29
Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can…
- CVE-2026-56781MEDIUMCVSS 5.3EG 5.32026-06-29
Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records en…
- CVE-2026-56784HIGHCVSS 8.1EG 8.32026-06-23
OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary a…
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →