CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 54 of 77
- CVE-2024-55965MEDIUMCVSS 6.5EG 6.52025-03-26
An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development information of a workspace (specifically, a list of datasources in a workspace they're a member of). This information dis…
- CVE-2024-56114MEDIUMCVSS 6.5EG 6.52025-01-09
Canlineapp Online 1.1 is vulnerable to Broken Access Control and allows users with the Auditor role to create an audit template as a result of improper authorization checks. This feature is designated for supervisor role, but auditors have…
- CVE-2024-56348MEDIUMCVSS 4.3EG 4.32024-12-20
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
- CVE-2024-56350MEDIUMCVSS 4.3EG 4.32024-12-20
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects
- CVE-2024-56431CRITICALCVSS 9.8EG 9.82024-12-25
oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impact, e.g., an application would not crash.
- CVE-2024-57032CRITICALCVSS 9.8EG 9.82025-01-17
WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha_antiga field.
- CVE-2024-5705HIGHCVSS 8.8EG 8.82025-02-19
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) …
- CVE-2024-5714MEDIUMCVSS 6.8EG 7.42024-06-27
In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, ch…
- CVE-2024-57432HIGHCVSS 7.5EG 9.12025-01-31
macrozheng mall-tiny 1.0.1 suffers from Insecure Permissions. The application's JWT signing keys are hardcoded and do not change. User information is explicitly written into the JWT and used for subsequent privilege management, making it i…
- CVE-2024-57433HIGHCVSS 7.5EG 7.52025-01-31
macrozheng mall-tiny 1.0.1 is vulnerable to Incorrect Access Control via the logout function. After a user logs out, their token is still available and fetches information in the logged-in state.
- CVE-2024-57434HIGHCVSS 8.8EG 8.82025-01-31
macrozheng mall-tiny 1.0.1 is vulnerable to Incorrect Access Control. The project imports users by default, and the test user is made a super administrator.
- CVE-2024-57438MEDIUMCVSS 5.4EG 5.42025-01-29
Insecure permissions in RuoYi v4.8.0 allows authenticated attackers to escalate privileges by assigning themselves higher level roles.
- CVE-2024-57676MEDIUMCVSS 6.5EG 6.52025-01-16
An access control issue in the component form2WlanBasicSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G wlan service of the device via a crafted POST request.
- CVE-2024-57677MEDIUMCVSS 6.5EG 6.52025-01-16
An access control issue in the component form2Wan.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the wan service of the device via a crafted POST request.
- CVE-2024-57678MEDIUMCVSS 6.5EG 6.52025-01-16
An access control issue in the component form2WlAc.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G mac access control list of the device via a crafted POST request.
- CVE-2024-57679MEDIUMCVSS 6.5EG 6.52025-01-16
An access control issue in the component form2RepeaterSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G repeater service of the device via a crafted POST request.
- CVE-2024-57680MEDIUMCVSS 5.3EG 5.32025-01-16
An access control issue in the component form2PortriggerRule.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the port trigger of the device via a crafted POST request.
- CVE-2024-57681MEDIUMCVSS 5.3EG 5.32025-01-16
An access control issue in the component form2alg.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the agl service of the device via a crafted POST request.
- CVE-2024-57683MEDIUMCVSS 4.3EG 4.32025-01-16
An access control issue in the component websURLFilterAddDel of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the filter settings of the device via a crafted POST request.
- CVE-2024-57969MEDIUMCVSS 4.3EG 4.32025-02-14
app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.
- CVE-2024-5816MEDIUMCVSS 5.3EG 5.32024-07-16
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories whi…
- CVE-2024-5817MEDIUMCVSS 6.5EG 6.52024-07-16
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub Projects. This was only exploitable in internal repositories and required the attacker to have access …
- CVE-2024-58260HIGHCVSS 7.6EG 7.62025-10-02
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted ac…
- CVE-2024-5860MEDIUMCVSS 4.3EG 4.32024-06-18
The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes i…
- CVE-2024-6086MEDIUMCVSS 4.3EG 5.32024-06-27
In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest pr…
- CVE-2024-6150MEDIUMCVSS 4.3EG 4.32024-07-10
A non-admin user can cause short-term disruption in Target VM availability in Citrix Provisioning
- CVE-2024-6202CRITICALCVSS 9.8EG 9.82024-08-06
HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability. When having a SAML integration configured, anonymous actors could impersonate arbitrary HaloITSM users by just knowing their email address. …
- CVE-2024-6323HIGHCVSS 7.5EG 7.52024-06-27
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project.
- CVE-2024-6337MEDIUMCVSS 6.5EG 6.52024-08-20
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was onl…
- CVE-2024-6358MEDIUMCVSS 6.3EG 6.32024-08-06
Incorrect Authorization vulnerability identified in OpenText ArcSight Intelligence.
- CVE-2024-6512MEDIUMCVSS 6.5EG 6.52024-09-25
Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM…
- CVE-2024-6592CRITICALCVSS 9.1EG 9.12024-09-25
Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows Authentication Byp…
- CVE-2024-6593CRITICALCVSS 9.1EG 9.12024-09-25
Incorrect Authorization vulnerability in WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows allows an attacker with network access to execute restricted management commands. This issue affects Authentication Gateway: t…
- CVE-2024-6695CRITICALCVSS 9.8EG 9.82024-07-31
it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow on the user registration process.
- CVE-2024-6782CRITICALCVSS 9.8EG 9.82024-08-06
Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution.
- CVE-2024-6914CRITICALCVSS 9.8EG 9.82025-05-22
An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user a…
- CVE-2024-6979MEDIUMCVSS 6.8EG 6.82024-09-10
Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as …
- CVE-2024-7004MEDIUMCVSS 4.3EG 4.32024-08-06
Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious fil…
- CVE-2024-7039MEDIUMCVSS 6.7EG 8.32025-03-20
In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users…
- CVE-2024-7048MEDIUMCVSS 5.4EG 6.32024-10-10
In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files ma…
- CVE-2024-7062HIGHCVSS 8.8EG 8.82024-07-26
Nimble Commander suffers from a privilege escalation vulnerability due to the server (info.filesmanager.Files.PrivilegedIOHelperV2) performing improper/insufficient validation of a client’s authorization before executing an operation. Co…
- CVE-2024-7096MEDIUMCVSS 4.2EG 4.22025-05-30
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:…
- CVE-2024-7097MEDIUMCVSS 4.3EG 4.32025-05-30
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables ma…
- CVE-2024-7108CRITICALCVSS 9.8EG 9.82024-09-26
Incorrect Authorization vulnerability in National Keep Cyber Security Services CyberMath allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CyberMath: before CYBM.240816253.
- CVE-2024-7265HIGHCVSS 8.8EG 8.82024-08-07
Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation…
- CVE-2024-7266MEDIUMCVSS 4.3EG 4.32024-08-07
Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations. This issue affects EZ…
- CVE-2024-7296LOWCVSS 2.7EG 2.72025-03-13
An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum …
- CVE-2024-7457HIGHCVSS 7.8EG 7.82025-06-11
The ws.stash.app.mac.daemon.helper tool contains a vulnerability caused by an incorrect use of macOS’s authorization model. Instead of validating the client's authorization reference, the helper invokes AuthorizationCopyRights() using it…
- CVE-2024-7604HIGHCVSS 7.8EG 5.12024-08-21
Logsign Unified SecOps Platform Incorrect Authorization Authentication Bypass Vulnerability. This vulnerability allows local attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is…
- CVE-2024-7624HIGHCVSS 8.1EG 8.12024-08-15
The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enabl…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →