CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,812 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 67 of 77
- CVE-2026-23961MEDIUMCVSS 5.3EG 5.32026-01-22
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended use…
- CVE-2026-23964MEDIUMCVSS 6.5EG 6.52026-01-22
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update an…
- CVE-2026-23989HIGHCVSS 8.2EG 8.22026-02-06
REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this…
- CVE-2026-24003MEDIUMCVSS 4.3EG 4.32026-01-26
EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the c…
- CVE-2026-24029MEDIUMCVSS 6.5EG 6.52026-03-31
When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured …
- CVE-2026-24069MEDIUMCVSS 5.4EG 5.42026-04-14
Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509…
- CVE-2026-24176MEDIUMCVSS 4.3EG 4.32026-04-21
NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.
- CVE-2026-24428HIGHCVSS 8.8EG 8.82026-01-26
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sendin…
- CVE-2026-24480HIGHCVSS 8.7EG 8.72026-01-27
QGIS is a free, open source, cross platform geographical information system (GIS) The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to …
- CVE-2026-2465HIGHCVSS 8.8EG 8.82026-05-12
Incorrect Authorization vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard FOR-S allows Privilege Escalation. This issue affects Turboard FOR-S: from 7.01.2026 before …
- CVE-2026-2470MEDIUMCVSS 4.3EG 4.32026-06-13
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users …
- CVE-2026-24724HIGHCVSS 8.1EG 8.12026-06-10
An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vuln…
- CVE-2026-24740CRITICALCVSS 9.9EG 9.92026-01-27
Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell i…
- CVE-2026-24742MEDIUMCVSS 6.5EG 6.52026-01-28
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The…
- CVE-2026-24748HIGHCVSS 7.2EG 7.22026-01-27
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this end…
- CVE-2026-24749MEDIUMCVSS 5.3EG 5.32026-04-16
The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() inc…
- CVE-2026-24780HIGHCVSS 8.8EG 8.82026-01-29
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both mai…
- CVE-2026-24851HIGHCVSS 8.8EG 8.82026-02-06
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are …
- CVE-2026-25040HIGHCVSS 8.8EG 8.82026-01-29
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invit…
- CVE-2026-25293CRITICALCVSS 9.6EG 9.62026-05-04
Buffer overflow due to incorrect authorization in PLC FW
- CVE-2026-25561HIGHCVSS 7.5EG 7.52026-02-07
WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent…
- CVE-2026-25565MEDIUMCVSS 6.5EG 6.52026-02-07
WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updat…
- CVE-2026-25566MEDIUMCVSS 5.4EG 5.42026-02-07
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination …
- CVE-2026-25568MEDIUMCVSS 4.3EG 4.32026-02-07
WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still crea…
- CVE-2026-25660CRITICALCVSS 9.8EG 9.82026-04-24
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows as…
- CVE-2026-25729MEDIUMCVSS 6.5EG 6.52026-02-06
DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system a…
- CVE-2026-25767HIGHCVSS 8.1EG 8.12026-02-12
LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management ta…
- CVE-2026-25811CRITICALCVSS 9.1EG 9.12026-02-09
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or reg…
- CVE-2026-25859HIGHCVSS 8.8EG 8.82026-02-07
Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.
- CVE-2026-25875CRITICALCVSS 9.8EG 9.82026-02-09
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification.
- CVE-2026-25890HIGHCVSS 8.1EG 8.12026-02-09
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rul…
- CVE-2026-25924HIGHCVSS 8.4EG 8.42026-02-11
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the app…
- CVE-2026-26012MEDIUMCVSS 6.5EG 6.52026-02-11
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions.…
- CVE-2026-26031MEDIUMCVSS 5.3EG 5.32026-02-11
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolle…
- CVE-2026-26067MEDIUMCVSS 4.9EG 4.92026-04-21
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions c…
- CVE-2026-26141HIGHCVSS 7.8EG 7.82026-03-10
Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally.
- CVE-2026-2619MEDIUMCVSS 4.3EG 4.32026-04-08
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to m…
- CVE-2026-26231HIGHCVSS 8.5EG 8.52026-06-16
Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write.
- CVE-2026-26274MEDIUMCVSS 6.6EG 6.62026-04-21
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend use…
- CVE-2026-26289HIGHCVSS 8.2EG 8.22026-05-12
PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.
- CVE-2026-2712MEDIUMCVSS 5.4EG 5.42026-04-10
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and incl…
- CVE-2026-27140HIGHCVSS 8.8EG 8.82026-04-08
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
- CVE-2026-27183MEDIUMCVSS 5.3EG 5.32026-03-23
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution plann…
- CVE-2026-2725MEDIUMCVSS 6.0EG 6.02026-05-13
Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted…
- CVE-2026-27447MEDIUMCVSS 4.8EG 4.82026-04-03
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparis…
- CVE-2026-27604CRITICALCVSS 10.0EG 10.02026-06-23
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` end…
- CVE-2026-27646MEDIUMCVSS 6.1EG 6.12026-03-23
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /…
- CVE-2026-27761MEDIUMCVSS 4.3EG 4.32026-07-03
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.
- CVE-2026-27775HIGHCVSS 8.8EG 8.82026-07-03
Gitea 1.25.5 caches a branch-specific write-permission result across multiple refs in one pre-receive hook session, allowing a per-branch maintainer-edit grant to be reused for other refs and escalate to full repository write access.
- CVE-2026-27780CRITICALCVSS 9.8EG 9.82026-07-03
Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →