CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 60 of 77
- CVE-2025-30739MEDIUMCVSS 5.5EG 5.52025-07-15
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows high privileged attacker w…
- CVE-2025-30741MEDIUMCVSS 4.3EG 4.32025-03-25
Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance.
- CVE-2025-30743HIGHCVSS 8.1EG 8.12025-07-15
Vulnerability in the Oracle Lease and Finance Management product of Oracle E-Business Suite (component: Internal Operations). The supported version that is affected is 12.2.13. Easily exploitable vulnerability allows low privileged attac…
- CVE-2025-30744HIGHCVSS 8.1EG 8.12025-07-15
Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Multiplatform Sync Errors). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged at…
- CVE-2025-30747MEDIUMCVSS 4.3EG 4.32025-07-15
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated a…
- CVE-2025-30748MEDIUMCVSS 6.1EG 6.12025-07-15
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated a…
- CVE-2025-30750LOWCVSS 2.4EG 2.42025-07-15
Vulnerability in the Unified Audit component of Oracle Database Server. Supported versions that are affected are 19.3-19.27, 21.3-21.18 and 23.4-23.8. Easily exploitable vulnerability allows high privileged attacker having Create User pr…
- CVE-2025-30751HIGHCVSS 8.8EG 8.82025-07-15
Vulnerability in the Oracle Database component of Oracle Database Server. Supported versions that are affected are 19.27 and 23.4-23.8. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Proced…
- CVE-2025-31227MEDIUMCVSS 4.6EG 4.62025-05-12
A logic issue was addressed with improved checks. This issue is fixed in iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to access a deleted call recording.
- CVE-2025-31254MEDIUMCVSS 5.4EG 5.42025-09-15
This issue was addressed with improved URL validation. This issue is fixed in Safari 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to unexpected URL redirection.
- CVE-2025-31331MEDIUMCVSS 4.3EG 4.32025-04-08
SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction t…
- CVE-2025-31481HIGHCVSS 7.5EG 7.52025-04-03
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.
- CVE-2025-31673MEDIUMCVSS 4.6EG 4.62025-03-31
Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
- CVE-2025-32068MEDIUMCVSS 5.4EG 5.42025-04-11
Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass.This issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43.
- CVE-2025-32093MEDIUMCVSS 4.7EG 4.72025-04-14
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" per…
- CVE-2025-3227MEDIUMCVSS 4.3EG 4.32025-06-20
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage…
- CVE-2025-3228MEDIUMCVSS 4.3EG 4.32025-06-20
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook ru…
- CVE-2025-32333HIGHCVSS 7.8EG 7.82025-09-04
In startSpaActivityForApp of SpaActivity.kt, there is a possible cross-user permission bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interacti…
- CVE-2025-32348HIGHCVSS 7.8EG 7.82026-06-01
In multiple locations, there is a possible background activity launch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for ex…
- CVE-2025-32408LOWCVSS 2.5EG 8.52025-04-21
In Soffid Console 3.6.31 before 3.6.32, authorization to use the pam service is mishandled.
- CVE-2025-32462HIGHCVSS 8.8EG 2.82025-06-30
Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.
- CVE-2025-3260HIGHCVSS 8.3EG 8.32025-06-02
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers c…
- CVE-2025-3272MEDIUMCVSS 6.7EG 6.72025-05-07
Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allow authenticated users to change their password without providing their old password. This issue affects Operations Bridge Manag…
- CVE-2025-32796MEDIUMCVSS 6.5EG 6.52025-04-18
Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users can enable or disable apps through the API, even though the web UI button for this action is disabl…
- CVE-2025-32971LOWCVSS 3.8EG 3.82025-04-30
XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into accou…
- CVE-2025-3396MEDIUMCVSS 4.3EG 4.32025-07-10
An issue has been discovered in GitLab EE affecting all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated project owners to bypass group-level forking restrictions by manipu…
- CVE-2025-34273MEDIUMCVSS 6.5EG 6.52025-10-30
Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global …
- CVE-2025-3446MEDIUMCVSS 4.3EG 4.32025-05-15
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest us…
- CVE-2025-34467MEDIUMCVSS 4.3EG 4.32025-12-31
ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege use…
- CVE-2025-3453MEDIUMCVSS 5.3EG 5.32025-04-17
The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions…
- CVE-2025-3475MEDIUMCVSS 6.5EG 6.52025-04-09
Allocation of Resources Without Limits or Throttling, Incorrect Authorization vulnerability in Drupal WEB-T allows Excessive Allocation, Content Spoofing.This issue affects WEB-T: from 0.0.0 before 1.1.0.
- CVE-2025-3476CRITICALCVSS 9.4EG 9.42025-05-07
Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allows privilege escalation by authenticated users.This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2, 24.4.
- CVE-2025-3586HIGHCVSS 7.2EG 7.22025-09-01
In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects mod…
- CVE-2025-3609MEDIUMCVSS 5.3EG 5.32025-05-06
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, pr…
- CVE-2025-3611LOWCVSS 3.1EG 3.12025-05-30
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they…
- CVE-2025-36120HIGHCVSS 8.8EG 8.82025-08-18
IBM Storage Virtualize 8.4, 8.5, 8.6, and 8.7 could allow an authenticated user to escalate their privileges in an SSH session due to incorrect authorization checks to access resources.
- CVE-2025-36157CRITICALCVSS 9.8EG 9.82025-08-24
IBM Jazz Foundation 7.0.2 to 7.0.2 iFix035, 7.0.3 to 7.0.3 iFix018, and 7.1.0 to 7.1.0 iFix004 could allow an unauthenticated remote attacker to update server property files that would allow them to perform unauthorized actions.
- CVE-2025-3644MEDIUMCVSS 4.3EG 4.32025-04-25
A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.
- CVE-2025-3645MEDIUMCVSS 4.3EG 4.32025-04-25
A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.
- CVE-2025-3647MEDIUMCVSS 4.3EG 4.32025-04-25
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.
- CVE-2025-36546HIGHCVSS 8.1EG 8.12025-05-07
On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit…
- CVE-2025-36578MEDIUMCVSS 6.8EG 6.82025-06-10
Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Incorrect Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
- CVE-2025-3719HIGHCVSS 8.1EG 8.12025-10-07
An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can issue administrat…
- CVE-2025-37736HIGHCVSS 8.8EG 8.82025-11-07
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is: post:/platform/configu…
- CVE-2025-3838MEDIUMCVSS 6.1EG 6.12025-04-21
An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unau…
- CVE-2025-3861MEDIUMCVSS 5.4EG 5.42025-04-25
The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in version…
- CVE-2025-3879MEDIUMCVSS 6.6EG 6.62025-05-02
Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Editio…
- CVE-2025-3880MEDIUMCVSS 4.3EG 4.32025-06-17
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This m…
- CVE-2025-3913MEDIUMCVSS 5.3EG 5.32025-05-29
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to acc…
- CVE-2025-3960HIGHCVSS 7.3EG 7.32025-04-27
A vulnerability was found in withstars Books-Management-System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /allreaders.html of the component Background Interface. The manipulation le…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →