CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,809 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 66 of 77
- CVE-2026-1514MEDIUMCVSS 6.5EG 6.52026-01-28
Official Document Management System developed by 2100 Technology has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents.
- CVE-2026-1524CRITICALCVSS 9.8EG 9.82026-03-11
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or …
- CVE-2026-15286MEDIUMCVSS 4.3EG 4.32026-07-10
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'get_items…
- CVE-2026-15318MEDIUMCVSS 6.3EG 6.32026-07-10
A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id ca…
- CVE-2026-15320MEDIUMCVSS 5.4EG 5.42026-07-10
A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authoriza…
- CVE-2026-15332MEDIUMCVSS 6.3EG 6.32026-07-10
A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The atta…
- CVE-2026-15507MEDIUMCVSS 6.3EG 6.32026-07-12
A vulnerability was detected in coollabsio Coolify up to 4.1.1. The impacted element is an unknown function of the file /app/Policies/ of the component Policy Handler. Performing a manipulation results in missing authorization. Remote expl…
- CVE-2026-1553MEDIUMCVSS 4.8EG 4.82026-02-04
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
- CVE-2026-15541HIGHCVSS 7.3EG 7.32026-07-13
A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent ca…
- CVE-2026-15641CVSS 0.0EG 0.02026-07-14
Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoin…
- CVE-2026-1734MEDIUMCVSS 5.3EG 5.32026-02-02
A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missi…
- CVE-2026-1752MEDIUMCVSS 4.3EG 4.32026-04-08
GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected envi…
- CVE-2026-1897MEDIUMCVSS 4.3EG 4.32026-02-05
A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization…
- CVE-2026-1999MEDIUMCVSS 6.5EG 6.52026-02-18
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_a…
- CVE-2026-20238MEDIUMCVSS 6.5EG 6.52026-05-20
In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.<br><br>The app contain…
- CVE-2026-20624MEDIUMCVSS 5.5EG 5.52026-02-11
An injection issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to access sensitive user data.
- CVE-2026-20960HIGHCVSS 8.0EG 8.02026-01-16
Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.
- CVE-2026-21031HIGHCVSS 7.8EG 7.82026-06-05
Improper authorization in AppBlock prior to SMR Jun-2026 Release 1 allows local attacker to launch arbitrary activity. User interaction is required for triggering this vulnerability.
- CVE-2026-21036MEDIUMCVSS 5.5EG 5.52026-06-05
Improper authorization in Samsung Internet prior to version 30.0.0.39 allows local attackers to access sensitive information.
- CVE-2026-2126MEDIUMCVSS 5.3EG 5.32026-02-18
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` fu…
- CVE-2026-21274HIGHCVSS 7.8EG 7.82026-01-13
Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypas…
- CVE-2026-2141HIGHCVSS 8.8EG 6.32026-02-08
A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Perfo…
- CVE-2026-21721HIGHCVSS 8.1EG 8.12026-01-27
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on othe…
- CVE-2026-21722MEDIUMCVSS 5.3EG 5.32026-02-12
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those …
- CVE-2026-21789MEDIUMCVSS 4.6EG 4.62026-05-18
HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.
- CVE-2026-21896MEDIUMCVSS 5.7EG 5.72026-01-08
Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent spe…
- CVE-2026-22042HIGHCVSS 8.8EG 8.82026-01-08
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM pe…
- CVE-2026-2208MEDIUMCVSS 4.3EG 4.32026-02-08
A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be ini…
- CVE-2026-22170MEDIUMCVSS 6.5EG 6.52026-03-18
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attac…
- CVE-2026-22230HIGHCVSS 7.6EG 7.62026-01-08
OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.
- CVE-2026-22253MEDIUMCVSS 5.4EG 5.42026-01-08
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other use…
- CVE-2026-22595HIGHCVSS 8.1EG 8.12026-01-10
Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended …
- CVE-2026-22624MEDIUMCVSS 4.3EG 4.32026-01-30
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
- CVE-2026-22659HIGHCVSS 8.1EG 8.12026-07-10
FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID list…
- CVE-2026-22682HIGHCVSS 7.1EG 7.12026-04-07
OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to re…
- CVE-2026-22784MEDIUMCVSS 4.3EG 4.32026-01-12
Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-prot…
- CVE-2026-22806CRITICALCVSS 9.1EG 9.12026-01-29
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be byp…
- CVE-2026-22822HIGHCVSS 8.8EG 8.82026-01-21
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduc…
- CVE-2026-22872CRITICALCVSS 9.1EG 9.12026-05-28
Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for clu…
- CVE-2026-22892MEDIUMCVSS 4.3EG 4.32026-02-13
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read pos…
- CVE-2026-22909HIGHCVSS 7.5EG 7.52026-01-15
Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.
- CVE-2026-2293CRITICALCVSS 9.8EG 9.82026-02-27
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13.
- CVE-2026-23496MEDIUMCVSS 5.4EG 5.42026-01-15
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Out…
- CVE-2026-23513HIGHCVSS 7.1EG 7.12026-06-23
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ d…
- CVE-2026-23572HIGHCVSS 7.2EG 7.22026-02-05
Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior version 15.74.5 allows an authenticated user to bypass additional access controls with “Allow after confirmation”��…
- CVE-2026-23632MEDIUMCVSS 6.5EG 6.52026-02-06
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passi…
- CVE-2026-23837CRITICALCVSS 9.8EG 9.82026-01-19
MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBased…
- CVE-2026-2386MEDIUMCVSS 4.3EG 4.32026-02-18
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_…
- CVE-2026-23902HIGHCVSS 8.1EG 8.12026-04-24
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinSche…
- CVE-2026-23925HIGHCVSS 8.1EG 8.12026-03-06
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is norm…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →