CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,863 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 37 of 38
- CVE-2026-6542MEDIUMCVSS 6.5EG 6.52026-04-30
IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.
- CVE-2026-6552HIGHCVSS 8.7EG 8.72026-06-11
GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take …
- CVE-2026-6566MEDIUMCVSS 4.3EG 4.32026-05-20
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the…
- CVE-2026-6570LOWCVSS 2.7EG 2.72026-04-19
A security flaw has been discovered in kodcloud KodExplorer up to 4.52. Affected is the function initInstall of the file /app/controller/systemMember.class.php. Performing a manipulation of the argument path results in authorization bypass…
- CVE-2026-6571MEDIUMCVSS 6.3EG 6.32026-04-19
A weakness has been identified in kodcloud KodExplorer up to 4.52. Affected by this vulnerability is the function roleGroupAction of the file /app/controller/systemRole.class.php. Executing a manipulation of the argument group_role can lea…
- CVE-2026-6583MEDIUMCVSS 5.4EG 5.42026-04-19
A vulnerability has been found in TransformerOptimus SuperAGI up to 0.0.14. This affects the function delete_api_key/edit_api_key of the file superagi/controllers/api_key.py of the component API Key Management Endpoint. The manipulation le…
- CVE-2026-6584MEDIUMCVSS 5.4EG 5.42026-04-20
A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument use…
- CVE-2026-6585MEDIUMCVSS 5.4EG 5.42026-04-20
A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organisation Update Endpoint. This manipulati…
- CVE-2026-6586MEDIUMCVSS 6.3EG 6.32026-04-20
A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authoriza…
- CVE-2026-6612MEDIUMCVSS 6.3EG 6.32026-04-20
A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This impacts the function get_agent_execution/update_agent_execution of the file superagi/controllers/agent_execution.py of the component Agent Execution Endpoint.…
- CVE-2026-6613MEDIUMCVSS 6.3EG 6.32026-04-20
A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function delete_agent/stop_schedule/get_schedule_data of the file superagi/controllers/agent.py. The manipulation of the argument agent_id leads to…
- CVE-2026-6614MEDIUMCVSS 6.3EG 6.32026-04-20
A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulat…
- CVE-2026-6802MEDIUMCVSS 5.3EG 5.32026-07-10
The Easy Upload Files During Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.0.1. This is due to missing authorization checks in the ufdc_custom_init() function, which processes th…
- CVE-2026-6810MEDIUMCVSS 5.3EG 5.32026-04-24
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user…
- CVE-2026-6965MEDIUMCVSS 5.3EG 5.32026-05-13
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting …
- CVE-2026-6976LOWCVSS 3.7EG 3.72026-06-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permiss…
- CVE-2026-7144MEDIUMCVSS 4.3EG 4.32026-04-27
A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. T…
- CVE-2026-7145MEDIUMCVSS 5.4EG 5.42026-04-27
A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the …
- CVE-2026-7201HIGHCVSS 8.8EG 8.82026-06-02
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account propert…
- CVE-2026-7399HIGHCVSS 8.1EG 8.12026-04-30
Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.
- CVE-2026-7491HIGHCVSS 8.1EG 8.12026-05-02
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.
- CVE-2026-7502MEDIUMCVSS 5.4EG 5.42026-04-30
A security vulnerability has been detected in LinkStackOrg LinkStack up to 4.8.6. The affected element is the function saveLink of the file app/Http/Controllers/UserController.php of the component Management Endpoint. The manipulation lead…
- CVE-2026-7510MEDIUMCVSS 6.3EG 6.32026-04-30
A vulnerability was determined in OWAP DefectDojo up to 2.55.4. Affected by this vulnerability is an unknown functionality of the component Benchmark/Engagement/Product/Survey. Executing a manipulation can lead to authorization bypass. The…
- CVE-2026-7573MEDIUMCVSS 5.0EG 5.02026-05-06
An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user acr…
- CVE-2026-7638MEDIUMCVSS 5.3EG 5.32026-05-02
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `u…
- CVE-2026-7648MEDIUMCVSS 4.3EG 4.32026-05-14
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-controlled key in all versions up to, and including, 4.3.5. This is due to improper handling of us…
- CVE-2026-7651MEDIUMCVSS 5.3EG 5.32026-05-28
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versio…
- CVE-2026-7665MEDIUMCVSS 5.3EG 5.32026-06-06
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajax_load_more function due to insufficient restric…
- CVE-2026-7681MEDIUMCVSS 6.5EG 6.52026-05-03
A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of t…
- CVE-2026-7702MEDIUMCVSS 5.3EG 5.32026-05-03
A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in aut…
- CVE-2026-7782MEDIUMCVSS 6.3EG 6.32026-05-04
A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in a…
- CVE-2026-7787HIGHCVSS 8.1EG 7.52026-06-11
IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references.
- CVE-2026-7881MEDIUMCVSS 4.3EG 4.32026-05-21
Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS s…
- CVE-2026-7886MEDIUMCVSS 4.3EG 4.32026-05-21
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file …
- CVE-2026-8027MEDIUMCVSS 4.3EG 4.32026-05-06
A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/emai…
- CVE-2026-8196LOWCVSS 3.7EG 3.72026-05-09
A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java of the component mLogin Endpoint.…
- CVE-2026-8204MEDIUMCVSS 5.3EG 5.32026-05-21
Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. …
- CVE-2026-8337MEDIUMCVSS 5.3EG 5.32026-05-21
Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the …
- CVE-2026-8347LOWCVSS 4.3EG 4.32026-05-26
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express... Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause C…
- CVE-2026-8406HIGHCVSS 7.1EG 7.12026-06-11
openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supp…
- CVE-2026-8611MEDIUMCVSS 4.3EG 4.32026-06-06
The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This mak…
- CVE-2026-8629HIGHCVSS 8.1EG 8.12026-05-14
Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploi…
- CVE-2026-8679HIGHCVSS 7.5EG 7.52026-05-22
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controll…
- CVE-2026-8786MEDIUMCVSS 6.3EG 6.32026-05-18
A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation o…
- CVE-2026-8828HIGHCVSS 8.8EG 8.82026-06-12
A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong t…
- CVE-2026-8839MEDIUMCVSS 5.3EG 5.32026-06-06
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes regis…
- CVE-2026-8890HIGHCVSS 8.2EG 8.22026-05-26
code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts ski…
- CVE-2026-9087HIGHCVSS 8.1EG 6.42026-05-20
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it …
- CVE-2026-9099HIGHCVSS 7.7EG 7.72026-06-25
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Gr…
- CVE-2026-9136MEDIUMCVSS 6.5EG 6.52026-05-20
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework…
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →