CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 58 of 77
- CVE-2025-21560MEDIUMCVSS 6.5EG 6.52025-01-21
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: SDK-Software Development Kit). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker wi…
- CVE-2025-21561MEDIUMCVSS 5.4EG 5.42025-01-21
Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network a…
- CVE-2025-21562MEDIUMCVSS 4.3EG 4.32025-01-21
Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Run Control Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privile…
- CVE-2025-21563MEDIUMCVSS 4.3EG 4.32025-01-21
Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Run Control Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privile…
- CVE-2025-21565HIGHCVSS 7.5EG 7.52025-01-21
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Install). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access vi…
- CVE-2025-21567MEDIUMCVSS 4.3EG 4.32025-01-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 9.1.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network ac…
- CVE-2025-21568MEDIUMCVSS 4.5EG 4.52025-01-21
Vulnerability in the Oracle Hyperion Data Relationship Management product of Oracle Hyperion (component: Access and Security). The supported version that is affected is 11.2.19.0.000. Easily exploitable vulnerability allows high privileg…
- CVE-2025-21569MEDIUMCVSS 6.6EG 6.62025-01-21
Vulnerability in the Oracle Hyperion Data Relationship Management product of Oracle Hyperion (component: Web Services). The supported version that is affected is 11.2.19.0.000. Difficult to exploit vulnerability allows high privileged at…
- CVE-2025-21570MEDIUMCVSS 6.1EG 6.12025-01-21
Vulnerability in the Oracle Life Sciences Argus Safety product of Oracle Health Sciences Applications (component: Login). The supported version that is affected is 8.2.3. Easily exploitable vulnerability allows unauthenticated attacker w…
- CVE-2025-21582MEDIUMCVSS 6.1EG 6.12025-04-15
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker wi…
- CVE-2025-2201MEDIUMCVSS 6.9EG 6.92025-03-17
Broken access control vulnerability in the IcProgress Innovación y Cualificación plugin. This vulnerability allows an attacker to obtain sensitive information about other users such as public IP addresses, messages with other users and m…
- CVE-2025-2202MEDIUMCVSS 6.9EG 6.92025-03-17
Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email.
- CVE-2025-2242HIGHCVSS 7.5EG 7.52025-03-27
An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a r…
- CVE-2025-22428HIGHCVSS 7.8EG 7.82025-09-02
In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible way to grant permissions to an app on the secondary user from the primary user due to a logic error in the code. This could lead to local escalation of privil…
- CVE-2025-22449LOWCVSS 3.8EG 3.82025-01-09
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.
- CVE-2025-23053MEDIUMCVSS 6.5EG 6.52025-01-28
A privilege escalation vulnerability exists in the web-based management interface of HPE Aruba Networking Fabric Composer. Successful exploitation could allow an authenticated low privilege operator user to change the state of certain sett…
- CVE-2025-23054MEDIUMCVSS 6.5EG 6.52025-01-28
A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an authenticated low privilege operator user to perform operations not allowed by their privilege level. Successful exploitation coul…
- CVE-2025-23244HIGHCVSS 7.8EG 7.82025-05-01
NVIDIA GPU Display Driver for Linux contains a vulnerability which could allow an unprivileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of priv…
- CVE-2025-23256HIGHCVSS 8.7EG 8.72025-09-04
NVIDIA BlueField contains a vulnerability in the management interface, where an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of …
- CVE-2025-23262MEDIUMCVSS 6.3EG 6.32025-09-04
NVIDIA ConnectX contains a vulnerability in the management interface, where an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of s…
- CVE-2025-23419MEDIUMCVSS 4.3EG 4.32025-02-05
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session…
- CVE-2025-24099MEDIUMCVSS 5.1EG 5.12025-01-30
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. A local attacker may be able to elevate their privileges.
- CVE-2025-24114MEDIUMCVSS 5.5EG 5.52025-01-27
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to modify protected parts of the file system.
- CVE-2025-24121LOWCVSS 3.3EG 3.32025-01-27
A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to modify protected parts of the file system.
- CVE-2025-24141LOWCVSS 3.3EG 3.32025-01-27
An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked.
- CVE-2025-24200MEDIUMCVSS 6.1EG 9.0⚠ KEV2025-02-10
An authorization issue was addressed with improved state management. This issue is fixed in iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.1 and iPadOS 18.3.1, iPadOS 17.7.5. A physical attack may disable USB Restri…
- CVE-2025-24221HIGHCVSS 7.5EG 7.52025-03-31
This issue was addressed with improved data access restriction. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, visionOS 2.4. Sensitive keychain data may be accessible from an iOS backup.
- CVE-2025-24233CRITICALCVSS 9.8EG 9.82025-03-31
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A malicious app may be able to read or write to protected files.
- CVE-2025-2424LOWCVSS 3.1EG 3.12025-04-14
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
- CVE-2025-24397MEDIUMCVSS 4.3EG 4.32025-01-22
An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token…
- CVE-2025-24400MEDIUMCVSS 4.3EG 4.32025-01-22
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different c…
- CVE-2025-24401MEDIUMCVSS 6.8EG 6.82025-01-22
Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Over…
- CVE-2025-24407HIGHCVSS 7.1EG 7.12025-02-11
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low privileged attacker could exploit this…
- CVE-2025-24409HIGHCVSS 8.2EG 8.22025-02-11
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerabili…
- CVE-2025-24419MEDIUMCVSS 4.3EG 4.32025-02-11
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this…
- CVE-2025-24420MEDIUMCVSS 4.3EG 4.32025-02-11
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this…
- CVE-2025-24421MEDIUMCVSS 4.3EG 4.32025-02-11
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this…
- CVE-2025-24434CRITICALCVSS 9.1EG 9.12025-02-11
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to …
- CVE-2025-24436MEDIUMCVSS 4.3EG 4.32025-02-11
Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this…
- CVE-2025-24437MEDIUMCVSS 5.4EG 5.42025-02-11
Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this…
- CVE-2025-24460MEDIUMCVSS 4.3EG 4.32025-01-21
In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool
- CVE-2025-24479HIGHCVSS 8.6EG 8.62025-01-28
A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.
- CVE-2025-24500HIGHCVSS 8.7EG 8.72025-01-30
The vulnerability allows an unauthenticated attacker to access information in PAM database.
- CVE-2025-24526MEDIUMCVSS 4.3EG 4.32025-02-24
Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a …
- CVE-2025-24839LOWCVSS 3.1EG 3.12025-04-16
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai …
- CVE-2025-24860MEDIUMCVSS 5.4EG 5.42025-02-04
Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data cent…
- CVE-2025-24866LOWCVSS 2.7EG 2.72025-04-10
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Lo…
- CVE-2025-24869MEDIUMCVSS 4.3EG 4.32025-02-11
SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer admin…
- CVE-2025-24872MEDIUMCVSS 4.3EG 4.32025-02-11
The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the t…
- CVE-2025-24920MEDIUMCVSS 4.3EG 4.32025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived chan…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →