CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,808 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 64 of 77
- CVE-2025-64707MEDIUMCVSS 5.4EG 5.42025-11-12
Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has …
- CVE-2025-64746MEDIUMCVSS 5.4EG 4.62025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its …
- CVE-2025-64753MEDIUMCVSS 6.5EG 5.32025-11-13
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between ver…
- CVE-2025-65002HIGHCVSS 7.5EG 7.52025-11-12
Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.
- CVE-2025-65073HIGHCVSS 7.5EG 7.52025-11-17
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.
- CVE-2025-6549MEDIUMCVSS 6.5EG 6.52025-07-11
An Incorrect Authorization vulnerability in the web server of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to reach the Juniper Web Device Manager (J-Web). When Juniper Secure connect (JSC)…
- CVE-2025-65900MEDIUMCVSS 6.5EG 6.52025-12-04
Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic rea…
- CVE-2025-66005HIGHCVSS 8.5EG 8.52026-01-14
Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session.
- CVE-2025-66170MEDIUMCVSS 6.5EG 6.52026-05-08
The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific…
- CVE-2025-66315MEDIUMCVSS 4.3EG 4.32026-01-09
There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in a specific directory.
- CVE-2025-66360HIGHCVSS 8.8EG 8.82025-11-28
An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service (Redis) information to li-admin users. This can lead to privilege escalation.
- CVE-2025-66378MEDIUMCVSS 5.9EG 5.92025-12-25
Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node.
- CVE-2025-66406MEDIUMCVSS 5.0EG 5.02025-12-03
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHP…
- CVE-2025-66423HIGHCVSS 7.1EG 7.12025-11-30
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
- CVE-2025-66424MEDIUMCVSS 6.5EG 6.52025-11-30
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
- CVE-2025-66433MEDIUMCVSS 4.2EG 4.22025-11-30
HTCondor Access Point before 25.3.1 allows an authenticated user to impersonate other users on the local machine by submitting a batch job. This is fixed in 24.12.14, 25.0.3, and 25.3.1. The earliest affected version is 24.7.3.
- CVE-2025-66581MEDIUMCVSS 6.5EG 6.52025-12-05
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned role…
- CVE-2025-66623HIGHCVSS 7.4EG 7.42025-12-05
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apach…
- CVE-2025-66719CRITICALCVSS 9.1EG 9.12026-01-23
An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a craft…
- CVE-2025-6702MEDIUMCVSS 5.3EG 4.32025-06-26
A vulnerability, which was classified as problematic, was found in linlinjava litemall 1.8.0. Affected is an unknown function of the file /wx/comment/post. The manipulation of the argument adminComment leads to improper authorization. It i…
- CVE-2025-6707MEDIUMCVSS 5.4EG 4.22025-06-26
Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 v…
- CVE-2025-67490MEDIUMCVSS 5.4EG 5.42025-12-10
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequ…
- CVE-2025-67740MEDIUMCVSS 5.3EG 2.72025-12-11
In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token's metadata
- CVE-2025-67856MEDIUMCVSS 5.4EG 5.42026-02-03
A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain…
- CVE-2025-68129MEDIUMCVSS 6.8EG 6.82025-12-17
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accep…
- CVE-2025-68140MEDIUMCVSS 4.3EG 4.32026-01-21
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has bee…
- CVE-2025-68152MEDIUMCVSS 4.9EG 4.92026-04-03
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, i…
- CVE-2025-68153MEDIUMCVSS 6.5EG 6.52026-04-03
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, a…
- CVE-2025-68386MEDIUMCVSS 4.3EG 4.32025-12-18
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible …
- CVE-2025-68422MEDIUMCVSS 4.3EG 4.32025-12-18
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live que…
- CVE-2025-68476HIGHCVSS 8.2EG 8.22025-12-22
KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication t…
- CVE-2025-68660MEDIUMCVSS 5.4EG 5.42026-01-28
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas …
- CVE-2025-68666MEDIUMCVSS 6.5EG 6.52026-01-28
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives.…
- CVE-2025-6892HIGHCVSS 8.7EG 8.72025-10-17
An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended fo…
- CVE-2025-68933MEDIUMCVSS 6.9EG 6.92026-01-28
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private mess…
- CVE-2025-68938MEDIUMCVSS 4.3EG 4.32025-12-26
Gitea before 1.25.2 mishandles authorization for deletion of releases.
- CVE-2025-68940LOWCVSS 3.1EG 3.12025-12-26
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
- CVE-2025-68941MEDIUMCVSS 4.9EG 4.92025-12-26
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
- CVE-2025-69196MEDIUMCVSS 6.5EG 6.52026-03-16
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the to…
- CVE-2025-69218MEDIUMCVSS 6.5EG 6.52026-01-28
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct UR…
- CVE-2025-69289MEDIUMCVSS 5.4EG 5.42026-01-28
Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of n…
- CVE-2025-69414HIGHCVSS 8.5EG 8.52026-01-02
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.
- CVE-2025-69416MEDIUMCVSS 5.0EG 5.02026-01-02
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.
- CVE-2025-69417MEDIUMCVSS 5.0EG 5.02026-01-02
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.
- CVE-2025-6981MEDIUMCVSS 4.3EG 4.32025-07-15
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in pri…
- CVE-2025-70997MEDIUMCVSS 6.5EG 6.52026-02-04
A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level.
- CVE-2025-71278HIGHCVSS 8.8EG 8.82026-04-01
XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access bey…
- CVE-2025-7374MEDIUMCVSS 5.4EG 5.42025-10-10
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes …
- CVE-2025-7736MEDIUMCVSS 4.3EG 3.12025-11-15
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitL…
- CVE-2025-7773HIGHCVSS 8.8EG 8.82025-08-14
A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictabl…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →