CWE-639— Authorization Bypass Through User-Controlled Key (IDOR)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.— MITRE CWE catalog
1,864 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-639page 38 of 38
- CVE-2026-9136MEDIUMCVSS 6.5EG 6.52026-05-20
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework…
- CVE-2026-9152CRITICALCVSS 10.0EG 10.02026-05-21
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticate…
- CVE-2026-9180MEDIUMCVSS 5.3EG 5.32026-07-03
The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the `POST /motopress/appointment/v1/bookings` REST endpoin…
- CVE-2026-9185HIGHCVSS 7.5EG 7.52026-06-09
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_pr…
- CVE-2026-9188MEDIUMCVSS 5.3EG 5.32026-07-02
The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the `appointmentkey` parameter due to the appointme…
- CVE-2026-9228MEDIUMCVSS 4.3EG 4.32026-05-28
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user controlled …
- CVE-2026-9241MEDIUMCVSS 4.3EG 4.32026-05-28
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `clas…
- CVE-2026-9248LOWCVSS 2.6EG 2.62026-05-26
Authorization bypass in the entry duplication feature in Devolutions Server allows an... Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy docum…
- CVE-2026-9306LOWCVSS 3.7EG 3.72026-05-26
A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipula…
- CVE-2026-9493MEDIUMCVSS 6.5EG 6.52026-05-29
Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order de…
- CVE-2026-9708MEDIUMCVSS 4.9EG 4.92026-07-13
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to c…
- CVE-2026-9712LOWCVSS 3.8EG 3.82026-05-27
When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual f…
- CVE-2026-9799MEDIUMCVSS 4.6EG 4.62026-06-25
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access …
- CVE-2026-9851HIGHCVSS 7.2EG 7.22026-06-06
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJ…
Map vulnerabilities like CWE-639 to your infrastructure
EchelonGraph correlates every CVE — across CWE-639 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →