CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,808 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 63 of 77
- CVE-2025-54267MEDIUMCVSS 6.5EG 6.52025-10-14
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security …
- CVE-2025-54532MEDIUMCVSS 4.3EG 4.32025-07-28
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via snapshot dependencies
- CVE-2025-54533MEDIUMCVSS 4.3EG 4.32025-07-28
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration
- CVE-2025-54554MEDIUMCVSS 5.3EG 5.32025-08-04
tiaudit in Tera Insights tiCrypt before 2025-07-17 allows unauthenticated REST API requests that reveal sensitive information about the underlying SQL queries and database structure.
- CVE-2025-54569MEDIUMCVSS 4.5EG 4.52025-07-28
In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation.
- CVE-2025-54583MEDIUMCVSS 6.5EG 6.52025-07-30
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and …
- CVE-2025-54596MEDIUMCVSS 4.3EG 4.32025-07-25
Abnormal Security /v1.0/rbac/users_v2/{USER_ID}/ before 2025-02-19 allows downgrading the privileges of other user accounts.
- CVE-2025-54838MEDIUMCVSS 6.8EG 6.82025-12-09
An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests.
- CVE-2025-54877MEDIUMCVSS 5.3EG 5.32025-08-29
Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition versions before 16.10.99.1754050155 and Tuleap Enterprise Edition versions before 16.9-8 and before 16.1…
- CVE-2025-54888HIGHCVSS 8.7EG 8.72025-08-09
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and …
- CVE-2025-55077HIGHCVSS 7.4EG 7.42025-08-07
Tyler Technologies ERP Pro 9 SaaS allows an authenticated user to escape the application and execute limited operating system commands within the remote Microsoft Windows environment with the privileges of the authenticated user. Tyler Tec…
- CVE-2025-55177MEDIUMCVSS 5.4EG 9.0⚠ KEV2025-08-29
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing…
- CVE-2025-55205CRITICALCVSS 9.0EG 9.02025-08-18
Capsule is a multi-tenancy and policy-based framework for Kubernetes. A namespace label injection vulnerability in Capsule v0.10.3 and earlier allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system…
- CVE-2025-55213CRITICALCVSS 9.8EG 9.82025-08-18
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vu…
- CVE-2025-55469CRITICALCVSS 9.8EG 9.82025-11-26
Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
- CVE-2025-57728MEDIUMCVSS 6.5EG 6.52025-08-20
In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files
- CVE-2025-58052HIGHCVSS 8.1EG 8.12025-12-19
Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and chan…
- CVE-2025-58134MEDIUMCVSS 4.3EG 4.32025-09-09
Incorrect authorization in certain Zoom Workplace Clients for Windows may allow an authenticated user to conduct an impact to integrity via network access.
- CVE-2025-5822HIGHCVSS 8.8EG 7.12025-06-25
Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox …
- CVE-2025-59020MEDIUMCVSS 6.5EG 6.52026-01-13
By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for…
- CVE-2025-59048HIGHCVSS 8.1EG 8.12025-10-23
OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an …
- CVE-2025-59111MEDIUMCVSS 6.5EG 6.52025-11-18
Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and…
- CVE-2025-59376LOWCVSS 3.7EG 5.32025-09-15
feiskyer mcp-kubernetes-server through 0.1.11 does not consider chained commands in the implementation of --disable-write and --disable-delete, e.g., it allows a "kubectl version; kubectl delete pod" command because the first word (i.e., "…
- CVE-2025-59420HIGHCVSS 7.5EG 7.52025-09-22
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand�…
- CVE-2025-59449MEDIUMCVSS 4.9EG 4.92025-10-06
The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device …
- CVE-2025-59451LOWCVSS 3.5EG 3.52025-10-06
The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes.
- CVE-2025-59683HIGHCVSS 8.2EG 8.22025-12-25
Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and e…
- CVE-2025-59714MEDIUMCVSS 6.5EG 6.52025-09-19
In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs.
- CVE-2025-59824MEDIUMCVSS 5.4EG 5.42025-09-24
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using …
- CVE-2025-6003MEDIUMCVSS 5.3EG 5.32025-06-12
The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possib…
- CVE-2025-6018HIGHCVSS 7.8EG 7.82025-07-23
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the e…
- CVE-2025-6168LOWCVSS 2.7EG 2.72025-07-10
An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API req…
- CVE-2025-61781HIGHCVSS 7.1EG 7.12026-01-05
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as d…
- CVE-2025-61830HIGHCVSS 7.1EG 7.12025-11-11
Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this iss…
- CVE-2025-62189MEDIUMCVSS 4.3EG 4.32025-11-21
LogStare Collector contains an incorrect authorization vulnerability in UserRegistration. If exploited, a non-administrative user may create a new user account by sending a crafted HTTP request.
- CVE-2025-62243MEDIUMCVSS 5.4EG 5.42025-10-13
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authentic…
- CVE-2025-62259MEDIUMCVSS 5.4EG 5.42025-10-27
Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a …
- CVE-2025-62275MEDIUMCVSS 5.3EG 5.32025-11-01
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission…
- CVE-2025-62394MEDIUMCVSS 4.3EG 4.32025-10-23
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.
- CVE-2025-62487LOWCVSS 3.5EG 3.52026-01-09
On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allo…
- CVE-2025-62506HIGHCVSS 8.1EG 8.12025-10-16
MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session polici…
- CVE-2025-62647MEDIUMCVSS 5.8EG 5.82025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.
- CVE-2025-62648MEDIUMCVSS 5.8EG 6.42025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adjust Drive Thru speaker audio volume.
- CVE-2025-62651MEDIUMCVSS 5.8EG 6.52025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 does not implement access control for the bathroom rating interface.
- CVE-2025-62730HIGHCVSS 8.8EG 8.82025-11-20
SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themsel…
- CVE-2025-62795HIGHCVSS 7.1EG 7.12025-10-30
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronizatio…
- CVE-2025-63687MEDIUMCVSS 6.5EG 6.52025-11-07
An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users posts.
- CVE-2025-64421HIGHCVSS 8.0EG 8.02026-01-05
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the ap…
- CVE-2025-64490HIGHCVSS 8.3EG 8.32025-11-08
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work ite…
- CVE-2025-64641MEDIUMCVSS 4.1EG 4.12025-12-24
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exf…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →