CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,823 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 69 of 77
- CVE-2026-33031HIGHCVSS 8.1EG 8.12026-04-20
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account …
- CVE-2026-33105CRITICALCVSS 10.0EG 10.02026-04-03
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-33217MEDIUMCVSS 6.5EG 6.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQT…
- CVE-2026-33460MEDIUMCVSS 4.3EG 4.32026-04-08
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from oth…
- CVE-2026-33461HIGHCVSS 7.7EG 7.72026-04-08
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including p…
- CVE-2026-33489HIGHCVSS 7.5EG 7.52026-05-05
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfe…
- CVE-2026-33551MEDIUMCVSS 5.3EG 5.32026-04-10
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential c…
- CVE-2026-33570MEDIUMCVSS 5.7EG 5.72026-05-12
PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.
- CVE-2026-33576MEDIUMCVSS 6.5EG 6.52026-03-31
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subseque…
- CVE-2026-33577HIGHCVSS 8.1EG 8.12026-03-31
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes valida…
- CVE-2026-33578MEDIUMCVSS 4.3EG 4.32026-03-31
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution f…
- CVE-2026-33579CRITICALCVSS 9.9EG 9.92026-03-31
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can a…
- CVE-2026-33888MEDIUMCVSS 5.3EG 5.32026-04-15
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether …
- CVE-2026-34023HIGHCVSS 7.1EG 7.12026-06-15
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-p…
- CVE-2026-34047CRITICALCVSS 9.9EG 9.92026-07-07
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticat…
- CVE-2026-34082MEDIUMCVSS 4.3EG 4.32026-04-20
Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete s…
- CVE-2026-34364MEDIUMCVSS 5.3EG 5.32026-03-27
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default …
- CVE-2026-34376HIGHCVSS 7.5EG 7.52026-04-01
PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs…
- CVE-2026-34506MEDIUMCVSS 4.3EG 4.32026-03-31
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an emp…
- CVE-2026-34507MEDIUMCVSS 5.4EG 5.42026-05-29
OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or context…
- CVE-2026-34512HIGHCVSS 8.1EG 8.12026-04-09
OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope val…
- CVE-2026-34579MEDIUMCVSS 5.3EG 5.32026-05-19
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature . Using a crafted POST request to bug_monitor_add.php, a user with…
- CVE-2026-34600MEDIUMCVSS 5.7EG 5.72026-05-19
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer sha…
- CVE-2026-34645HIGHCVSS 7.5EG 7.52026-05-12
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this v…
- CVE-2026-34646HIGHCVSS 7.5EG 7.52026-05-12
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this v…
- CVE-2026-34660CRITICALCVSS 9.3EG 9.32026-05-12
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerabilit…
- CVE-2026-34953CRITICALCVSS 9.1EG 9.12026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bea…
- CVE-2026-34972MEDIUMCVSS 5.0EG 5.02026-04-06
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same objec…
- CVE-2026-35029HIGHCVSS 8.8EG 8.82026-04-06
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then us…
- CVE-2026-3514HIGHCVSS 7.5EG 7.52026-06-02
In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with…
- CVE-2026-35210HIGHCVSS 7.1EG 7.12026-07-08
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to …
- CVE-2026-35211MEDIUMCVSS 6.5EG 6.52026-07-08
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated use…
- CVE-2026-35370MEDIUMCVSS 4.4EG 4.42026-04-22
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU…
- CVE-2026-35412HIGHCVSS 7.1EG 7.12026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary…
- CVE-2026-35442HIGHCVSS 8.1EG 8.12026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked …
- CVE-2026-35464HIGHCVSS 7.5EG 7.52026-04-07
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in t…
- CVE-2026-35482HIGHCVSS 8.0EG 8.02026-06-02
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrat…
- CVE-2026-35490CRITICALCVSS 9.8EG 9.82026-04-07
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost…
- CVE-2026-35491MEDIUMCVSS 6.1EG 6.12026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions inten…
- CVE-2026-3553LOWCVSS 3.1EG 3.12026-06-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to access confidential issu…
- CVE-2026-35555MEDIUMCVSS 6.3EG 6.32026-05-12
PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.
- CVE-2026-35586MEDIUMCVSS 6.8EG 6.82026-04-07
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configurati…
- CVE-2026-35596MEDIUMCVSS 4.3EG 4.32026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task associatio…
- CVE-2026-35604HIGHCVSS 8.1EG 8.12026-04-07
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links c…
- CVE-2026-35619MEDIUMCVSS 4.3EG 4.32026-04-10
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metad…
- CVE-2026-35635MEDIUMCVSS 4.8EG 4.82026-04-09
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or d…
- CVE-2026-35645HIGHCVSS 8.1EG 8.12026-04-09
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session del…
- CVE-2026-35647MEDIUMCVSS 5.3EG 5.32026-04-10
OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by …
- CVE-2026-35653HIGHCVSS 8.1EG 8.12026-04-10
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attack…
- CVE-2026-35657MEDIUMCVSS 6.5EG 6.52026-04-10
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissio…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →