CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,830 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 72 of 77
- CVE-2026-42843HIGHCVSS 8.8EG 8.82026-05-11
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the …
- CVE-2026-4286LOWCVSS 3.1EG 3.12026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing…
- CVE-2026-42882CRITICALCVSS 9.4EG 9.42026-05-11
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authenticatio…
- CVE-2026-42883MEDIUMCVSS 6.5EG 6.52026-05-11
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in the URL path, but fetches downloadable it…
- CVE-2026-42884MEDIUMCVSS 4.3EG 4.32026-05-11
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to…
- CVE-2026-42889CRITICALCVSS 9.1EG 9.12026-05-12
Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token …
- CVE-2026-42998HIGHCVSS 8.8EG 6.02026-05-28
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An…
- CVE-2026-42999HIGHCVSS 8.8EG 6.02026-05-28
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()…
- CVE-2026-43000HIGHCVSS 8.8EG 6.02026-05-28
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application…
- CVE-2026-43001HIGHCVSS 8.0EG 7.92026-05-01
An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowe…
- CVE-2026-43504MEDIUMCVSS 6.5EG 6.52026-05-01
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in a paused scenario, relaying of unauthenticated traffic can occur.
- CVE-2026-43530HIGHCVSS 8.8EG 8.82026-05-05
OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi…
- CVE-2026-43889MEDIUMCVSS 6.5EG 6.52026-05-11
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "s…
- CVE-2026-43913HIGHCVSS 8.1EG 8.12026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an …
- CVE-2026-43948CRITICALCVSS 9.9EG 9.92026-05-12
wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != N…
- CVE-2026-43999CRITICALCVSS 9.9EG 9.92026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads an…
- CVE-2026-44110HIGHCVSS 8.8EG 8.82026-05-06
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being…
- CVE-2026-44169MEDIUMCVSS 4.3EG 4.32026-06-12
MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could see the routine definition even …
- CVE-2026-44173MEDIUMCVSS 5.0EG 5.02026-06-12
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SE…
- CVE-2026-44221CRITICALCVSS 9.0EG 9.02026-05-12
ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSec…
- CVE-2026-44260HIGHCVSS 8.1EG 8.12026-05-12
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=tr…
- CVE-2026-44283NONECVSS 0.0EG 0.02026-05-14
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to b…
- CVE-2026-44314MEDIUMCVSS 4.3EG 4.32026-05-26
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body…
- CVE-2026-44330CRITICALCVSS 10.0EG 10.02026-05-27
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can…
- CVE-2026-44374MEDIUMCVSS 4.3EG 4.32026-05-14
Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticat…
- CVE-2026-44380HIGHCVSS 7.2EG 7.22026-05-13
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentic…
- CVE-2026-44394HIGHCVSS 8.1EG 6.02026-05-28
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/aut…
- CVE-2026-44473HIGHCVSS 7.1EG 7.12026-05-27
Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the S…
- CVE-2026-44557MEDIUMCVSS 4.3EG 4.32026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections ma…
- CVE-2026-44561MEDIUMCVSS 5.4EG 5.42026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a…
- CVE-2026-44564MEDIUMCVSS 5.4EG 5.42026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (lin…
- CVE-2026-44567HIGHCVSS 7.3EG 7.32026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is confi…
- CVE-2026-44573HIGHCVSS 7.5EG 7.52026-05-13
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized acces…
- CVE-2026-44633HIGHCVSS 8.1EG 8.12026-05-14
Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpo…
- CVE-2026-44654HIGHCVSS 8.1EG 8.12026-06-02
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. …
- CVE-2026-44681MEDIUMCVSS 6.1EG 6.12026-05-27
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cau…
- CVE-2026-44735MEDIUMCVSS 6.5EG 6.52026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permissi…
- CVE-2026-44832HIGHCVSS 8.8EG 8.82026-05-26
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1…
- CVE-2026-44838HIGHCVSS 8.1EG 8.12026-05-27
RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client…
- CVE-2026-44850HIGHCVSS 8.5EG 8.52026-05-14
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer of…
- CVE-2026-44882HIGHCVSS 8.1EG 8.12026-05-28
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kub…
- CVE-2026-44911MEDIUMCVSS 6.3EG 6.32026-06-22
Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuratio…
- CVE-2026-44991MEDIUMCVSS 4.2EG 4.22026-05-11
OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFro…
- CVE-2026-44998MEDIUMCVSS 5.4EG 5.42026-05-11
OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set af…
- CVE-2026-45002MEDIUMCVSS 5.3EG 5.32026-05-11
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated h…
- CVE-2026-45009MEDIUMCVSS 4.3EG 4.32026-05-15
phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privilege…
- CVE-2026-45042HIGHCVSS 7.1EG 7.12026-05-28
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed c…
- CVE-2026-45075HIGHCVSS 8.3EG 8.32026-05-27
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, method-scoped #[IsGranted], #[IsSignatureValid], and #[IsCsrfTokenValid] attributes can be configured for GET onl…
- CVE-2026-45081MEDIUMCVSS 6.5EG 6.52026-05-27
Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.
- CVE-2026-45108HIGHCVSS 8.4EG 8.42026-05-27
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →