CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,861 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 36 of 38
- CVE-2026-56784HIGHCVSS 8.1EG 8.32026-06-23
OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary a…
- CVE-2026-56823MEDIUMCVSS 5.4EG 5.42026-06-26
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the `POST /api/integrations/webhooks/{webhook_id}/ping` endpoint fetches the target webhook by primary ke…
- CVE-2026-5730HIGHCVSS 7.5EG 7.52026-07-07
Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026.
- CVE-2026-57341MEDIUMCVSS 6.5EG 6.52026-06-29
Unauthenticated Insecure Direct Object References (IDOR) in Colissimo Officiel : Méthodes de livraison pour WooCommerce <= 2.9.0 versions.
- CVE-2026-57498CRITICALCVSS 9.6EG 9.62026-06-29
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any oper…
- CVE-2026-5750HIGHCVSS 7.6EG 7.62026-04-22
An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the applic…
- CVE-2026-57630MEDIUMCVSS 5.3EG 5.32026-06-26
Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-57634MEDIUMCVSS 4.3EG 4.32026-06-26
Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.
- CVE-2026-57646MEDIUMCVSS 5.4EG 5.42026-06-26
Subscriber Insecure Direct Object References (IDOR) in Majestic Support <= 1.1.7 versions.
- CVE-2026-57652MEDIUMCVSS 5.3EG 5.32026-06-26
Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions.
- CVE-2026-57665MEDIUMCVSS 5.3EG 5.32026-06-26
Unauthenticated Insecure Direct Object References (IDOR) in GravityView <= 3.0.0 versions.
- CVE-2026-57676MEDIUMCVSS 4.3EG 4.32026-06-29
Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9.
- CVE-2026-57680MEDIUMCVSS 6.5EG 6.52026-07-02
Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.
- CVE-2026-57868HIGHCVSS 7.1EG 7.12026-07-07
MicroRealEstate is affected by broken object-level access controls in PDF generator functionality. This issue affects MicroRealEstate: through 1.0.0-alpha3.
- CVE-2026-57869HIGHCVSS 7.1EG 7.12026-07-07
Broken object-level access controls and the use of a deterministic pattern during random ID generation in MicroRealEstate allows attackers to access documents uploaded by landlords or tenants without authorization. This issue affects Micr…
- CVE-2026-57870MEDIUMCVSS 5.3EG 5.32026-07-07
Broken object-level access control on the Template API in MicroRealEstate allows attackers to retrieve document templates used by other organizations without authorization. This issue affects MicroRealEstate: through 1.0.0-alpha3.
- CVE-2026-57943MEDIUMCVSS 5.9EG 5.92026-06-29
LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation…
- CVE-2026-57945MEDIUMCVSS 4.3EG 4.32026-06-29
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit t…
- CVE-2026-57956MEDIUMCVSS 6.4EG 6.42026-06-29
SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organiza…
- CVE-2026-5798HIGHCVSS 7.1EG 7.12026-05-14
Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulner…
- CVE-2026-5799HIGHCVSS 7.5EG 7.52026-07-07
Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026.
- CVE-2026-5842HIGHCVSS 7.3EG 7.32026-04-09
A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The atta…
- CVE-2026-58447MEDIUMCVSS 6.5EG 6.52026-06-30
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video ind…
- CVE-2026-5845CRITICALCVSS 9.6EG 9.62026-04-21
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can incl…
- CVE-2026-58580MEDIUMCVSS 5.9EG 5.92026-07-02
LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows…
- CVE-2026-58653MEDIUMCVSS 4.3EG 4.32026-07-02
PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution …
- CVE-2026-5875MEDIUMCVSS 4.3EG 4.32026-04-08
Policy bypass in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-59098MEDIUMCVSS 6.5EG 6.52026-07-02
LobeChat through 2.2.9 contains a broken access control vulnerability in the retrieval-augmented-generation semantic search functionality that allows authenticated attackers to access other users' data by exploiting missing user-identifier…
- CVE-2026-59100MEDIUMCVSS 5.0EG 5.02026-07-02
LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke th…
- CVE-2026-59190HIGHCVSS 8.7EG 8.72026-07-10
grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, inclu…
- CVE-2026-59215LOWCVSS 3.1EG 3.12026-07-09
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a…
- CVE-2026-59216HIGHCVSS 7.7EG 7.72026-07-09
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the s…
- CVE-2026-59234MEDIUMCVSS 6.9EG 6.92026-07-03
Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 al…
- CVE-2026-59253MEDIUMCVSS 5.0EG 5.02026-07-08
n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request…
- CVE-2026-59712HIGHCVSS 8.1EG 8.12026-07-06
Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit t…
- CVE-2026-59817MEDIUMCVSS 5.3EG 5.32026-07-09
Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal pa…
- CVE-2026-6001HIGHCVSS 8.8EG 8.82026-05-12
Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers. This issue affects BAPSİS: before v.202604152042.
- CVE-2026-6008MEDIUMCVSS 6.8EG 6.82026-05-14
Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse. This issue affects DijiDemi: from v4.5.1…
- CVE-2026-60104HIGHCVSS 8.7EG 7.32026-07-08
Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-…
- CVE-2026-6062MEDIUMCVSS 6.4EG 6.42026-06-22
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptio…
- CVE-2026-6063MEDIUMCVSS 4.3EG 4.32026-05-14
GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissi…
- CVE-2026-6072MEDIUMCVSS 6.5EG 6.52026-05-20
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* R…
- CVE-2026-61460HIGHCVSS 8.8EG 8.82026-07-10
Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or de…
- CVE-2026-6206MEDIUMCVSS 5.3EG 5.32026-05-14
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. T…
- CVE-2026-6212HIGHCVSS 8.8EG 8.82026-07-10
Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14 through 30.04.2026.
- CVE-2026-6355MEDIUMCVSS 6.5EG 6.52026-04-22
A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to unauthorized access to sensitive informat…
- CVE-2026-6375HIGHCVSS 8.7EG 8.72026-04-23
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate v…
- CVE-2026-6444HIGHCVSS 8.6EG 8.62026-06-09
A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.
- CVE-2026-6542MEDIUMCVSS 6.5EG 6.52026-04-30
IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.
- CVE-2026-6552HIGHCVSS 8.7EG 8.72026-06-11
GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take …
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →