CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,829 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 70 of 77
- CVE-2026-35663HIGHCVSS 8.8EG 8.82026-04-10
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining…
- CVE-2026-35669HIGHCVSS 8.8EG 8.82026-04-10
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope bo…
- CVE-2026-35673MEDIUMCVSS 6.5EG 6.52026-05-29
OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reu…
- CVE-2026-35674HIGHCVSS 8.8EG 8.82026-05-29
OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external r…
- CVE-2026-3660CRITICALCVSS 9.8EG 9.82026-05-26
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.
- CVE-2026-39331HIGHCVSS 8.1EG 8.12026-04-07
ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whethe…
- CVE-2026-39350MEDIUMCVSS 5.4EG 5.42026-04-15
Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly inte…
- CVE-2026-39381MEDIUMCVSS 4.3EG 4.32026-04-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured…
- CVE-2026-39402MEDIUMCVSS 6.5EG 6.52026-05-05
lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. Whe…
- CVE-2026-39454HIGHCVSS 7.8EG 7.82026-04-20
SKYSEA Client View and SKYMEC IT Manager provided by Sky Co.,LTD. configure the installation folder with improper file access permission settings. A non-administrative user may manipulate and/or place arbitrary files within the installatio…
- CVE-2026-39852HIGHCVSS 8.2EG 8.22026-05-05
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows…
- CVE-2026-39903HIGHCVSS 7.1EG 7.12026-07-10
Simple Machines Forum 2.1 prior to commit 7d048f8 and 3.0 prior to commit a7875e8 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check t…
- CVE-2026-39957MEDIUMCVSS 4.3EG 4.32026-04-09
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block…
- CVE-2026-39966MEDIUMCVSS 6.5EG 6.52026-05-22
TypeBot is a chatbot builder tool. In versions 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, regardless of workspace ownership, lea…
- CVE-2026-40071MEDIUMCVSS 5.4EG 5.42026-04-09
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they inv…
- CVE-2026-40099MEDIUMCVSS 6.5EG 6.52026-04-24
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`si…
- CVE-2026-40155MEDIUMCVSS 5.4EG 5.42026-04-17
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper look…
- CVE-2026-40166HIGHCVSS 7.1EG 7.12026-05-22
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 prov…
- CVE-2026-40191MEDIUMCVSS 6.8EG 6.82026-04-10
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations aga…
- CVE-2026-40213HIGHCVSS 7.4EG 7.42026-05-07
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope.…
- CVE-2026-40224MEDIUMCVSS 6.7EG 6.72026-04-10
In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.
- CVE-2026-40291HIGHCVSS 8.8EG 8.82026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate…
- CVE-2026-40304MEDIUMCVSS 5.3EG 5.32026-04-17
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NUL…
- CVE-2026-40350HIGHCVSS 8.8EG 8.82026-04-18
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a …
- CVE-2026-40452HIGHCVSS 7.5EG 7.52026-07-10
Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 befor…
- CVE-2026-40515MEDIUMCVSS 5.5EG 7.52026-04-17
OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and g…
- CVE-2026-4055MEDIUMCVSS 4.3EG 4.32026-05-21
Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via sp…
- CVE-2026-40574MEDIUMCVSS 6.8EG 6.82026-04-21
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate wi…
- CVE-2026-40599HIGHCVSS 7.1EG 7.12026-04-21
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. Th…
- CVE-2026-40914MEDIUMCVSS 4.3EG 4.32026-05-28
A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even i…
- CVE-2026-41047MEDIUMCVSS 5.5EG 5.52026-06-22
Lack of authentication when using the "snapshot diff" functions in qSnapper before version 1.3.3 allowed a local attacker to see otherwise read protected information.
- CVE-2026-41048HIGHCVSS 7.1EG 7.12026-06-22
Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like "restore from snapshot" even if only allowed to do "delete snapshot".
- CVE-2026-41049HIGHCVSS 7.1EG 7.12026-06-22
Incorrect caching of authentication between different users of the qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.
- CVE-2026-41050CRITICALCVSS 9.9EG 9.92026-05-13
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by the…
- CVE-2026-41068HIGHCVSS 7.7EG 7.72026-04-24
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigM…
- CVE-2026-41131MEDIUMCVSS 5.0EG 5.02026-04-22
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This …
- CVE-2026-41174MEDIUMCVSS 6.4EG 6.42026-04-30
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetes…
- CVE-2026-41189HIGHCVSS 7.1EG 7.12026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, which checks mailbox access but does not apply the assigned-only restriction from…
- CVE-2026-41190HIGHCVSS 7.1EG 7.12026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. T…
- CVE-2026-41191HIGHCVSS 7.1EG 7.12026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig` permission sees only…
- CVE-2026-41232MEDIUMCVSS 5.0EG 5.02026-04-23
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the …
- CVE-2026-41233MEDIUMCVSS 5.4EG 5.42026-04-23
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_a…
- CVE-2026-41235HIGHCVSS 8.6EG 8.62026-05-29
Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers d…
- CVE-2026-41248CRITICALCVSS 9.1EG 9.12026-04-24
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and re…
- CVE-2026-41280MEDIUMCVSS 4.9EG 4.92026-06-17
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to …
- CVE-2026-41283CRITICALCVSS 9.9EG 9.92026-06-04
OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.
- CVE-2026-41303HIGHCVSS 8.8EG 8.82026-04-21
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord…
- CVE-2026-41325HIGHCVSS 8.8EG 8.82026-04-24
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`si…
- CVE-2026-41344MEDIUMCVSS 5.4EG 5.42026-04-23
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter t…
- CVE-2026-41348MEDIUMCVSS 5.4EG 5.42026-04-23
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →