CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 55 of 77
- CVE-2024-7697HIGHCVSS 7.5EG 7.52024-08-12
Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks.
- CVE-2024-7711MEDIUMCVSS 4.3EG 4.32024-08-20
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public reposit…
- CVE-2024-7836MEDIUMCVSS 4.3EG 4.32024-08-22
The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated atta…
- CVE-2024-7915HIGHCVSS 7.8EG 7.82024-11-25
The application Sensei Mac Cleaner contains a local privilege escalation vulnerability, allowing an attacker to perform multiple operations as the root user. These operations include arbitrary file deletion and writing, loading and unload…
- CVE-2024-8001MEDIUMCVSS 5.3EG 5.32024-11-13
A vulnerability was found in VIWIS LMS 9.11. It has been classified as critical. Affected is an unknown function of the component Print Handler. The manipulation leads to missing authorization. It is possible to launch the attack remotely.…
- CVE-2024-8011MEDIUMCVSS 5.5EG 5.52024-08-25
Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera.
- CVE-2024-8116MEDIUMCVSS 5.3EG 5.32024-12-16
An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch …
- CVE-2024-8270MEDIUMCVSS 5.5EG 5.52025-06-11
The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, c…
- CVE-2024-8601MEDIUMCVSS 6.5EG 6.52024-09-09
This vulnerability exists in TechExcel Back Office Software versions prior to 1.0.0 due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter thr…
- CVE-2024-8606HIGHCVSS 8.8EG 8.82024-09-23
Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass two factor authentication
- CVE-2024-8650MEDIUMCVSS 5.3EG 5.32024-12-16
An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects m…
- CVE-2024-8691HIGHCVSS 7.1EG 8.12024-09-11
A vulnerability in the GlobalProtect portal in Palo Alto Networks PAN-OS software enables a malicious authenticated GlobalProtect user to impersonate another GlobalProtect user. Active GlobalProtect users impersonated by an attacker who is…
- CVE-2024-8970HIGHCVSS 8.2EG 8.22024-10-11
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user u…
- CVE-2024-8974LOWCVSS 2.6EG 2.62024-09-26
Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private projec…
- CVE-2024-9082MEDIUMCVSS 6.3EG 6.32024-09-22
A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save of the component User Creation Handler. The mani…
- CVE-2024-9098MEDIUMCVSS 6.1EG 7.32025-03-20
In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the us…
- CVE-2024-9136MEDIUMCVSS 6.7EG 6.72024-09-27
Access permission verification vulnerability in the App Multiplier module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2024-9155MEDIUMCVSS 4.3EG 4.32024-09-26
Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.
- CVE-2024-9159MEDIUMCVSS 6.5EG 6.52025-03-20
An incorrect authorization vulnerability exists in gaizhenbiao/chuanhuchatgpt version git c91dbfc. The vulnerability allows any user to restart the server at will, leading to a complete loss of availability. The issue arises because the fu…
- CVE-2024-9623MEDIUMCVSS 4.9EG 4.92024-10-10
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
- CVE-2024-9654LOWCVSS 3.7EG 3.72024-12-17
The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting …
- CVE-2024-9693HIGHCVSS 8.5EG 8.52024-11-14
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes a…
- CVE-2024-9825MEDIUMCVSS 5.4EG 5.42024-10-28
The Chef Habitat builder-api on-prem-builder package with any version lower than habitat/builder-api/10315/20240913162802 is vulnerable to indirect object reference (IDOR) by un-authorized deletion of personal token. Habitat builder co…
- CVE-2024-9902MEDIUMCVSS 6.3EG 6.32024-11-06
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module…
- CVE-2025-0237MEDIUMCVSS 5.4EG 5.42025-01-07
The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability …
- CVE-2025-0359HIGHCVSS 8.5EG 8.52025-03-04
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released …
- CVE-2025-0360HIGHCVSS 7.8EG 7.82025-03-04
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that could lead to an incorrect user privilege level in the VAPIX service account D-Bus API.
- CVE-2025-0516MEDIUMCVSS 4.3EG 4.32025-02-12
Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
- CVE-2025-0580MEDIUMCVSS 5.6EG 5.62025-01-20
A vulnerability was found in Shiprocket Module 3 on OpenCart. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?route=extension/module/rest_api&action=getOrders of the component REST…
- CVE-2025-0652MEDIUMCVSS 4.3EG 4.32025-03-13
An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access con…
- CVE-2025-0741MEDIUMCVSS 5.8EG 5.82025-01-30
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to write messages into other users chat by changing the parameter "chat_id" of the POST request "/embed…
- CVE-2025-0742MEDIUMCVSS 5.8EG 5.82025-01-30
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain files stored by others users by changing the "FILE_ID" of the endpoint "/embedai/files/show/<FI…
- CVE-2025-0743MEDIUMCVSS 5.3EG 5.32025-01-30
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to leverage the endpoint "/embedai/visits/show/<VISIT_ID>" to obtain information about the visits made by…
- CVE-2025-0744HIGHCVSS 7.5EG 7.52025-01-30
an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the "/dem…
- CVE-2025-0745HIGHCVSS 7.5EG 7.52025-01-30
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain the backups of the database by requesting the "/embedai/app/uploads/database/<SQL_FILE>" endpoi…
- CVE-2025-0765MEDIUMCVSS 4.3EG 4.32025-07-24
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses.
- CVE-2025-0781HIGHCVSS 8.6EG 8.62025-01-28
An attacker can bypass the sandboxing of Nasal scripts and arbitrarily write to any file path that the user has permission to modify at the operating-system level.
- CVE-2025-0885LOWCVSS 1.8EG 1.82025-07-03
Incorrect Authorization vulnerability in OpenText™ GroupWise allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow unauthorized access to calendar items marked private. This issue affect…
- CVE-2025-0937HIGHCVSS 7.1EG 7.12025-02-12
Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.
- CVE-2025-10015MEDIUMCVSS 4.8EG 4.82025-09-16
The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions …
- CVE-2025-10016HIGHCVSS 8.8EG 8.82025-09-16
The Sparkle framework includes a helper tool Autoupdate. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file by racing to connect to the daemon when oth…
- CVE-2025-10545LOWCVSS 3.1EG 3.12025-10-16
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{ch…
- CVE-2025-10611CRITICALCVSS 9.8EG 9.82025-10-16
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation …
- CVE-2025-10696MEDIUMCVSS 5.4EG 5.42025-10-03
OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship …
- CVE-2025-10908HIGHCVSS 7.3EG 7.32026-05-11
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to ac…
- CVE-2025-11060MEDIUMCVSS 5.7EG 5.72025-09-26
A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT sub…
- CVE-2025-1110LOWCVSS 2.7EG 2.72025-05-22
An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
- CVE-2025-11239MEDIUMCVSS 4.3EG 4.32025-10-02
Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 were visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0 only metadata of jobs is shown to team members. Only the creator of a j…
- CVE-2025-11340HIGHCVSS 7.7EG 7.72025-10-09
GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operation…
- CVE-2025-11438MEDIUMCVSS 6.3EG 6.32025-10-08
A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched …
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →