CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,830 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 74 of 77
- CVE-2026-48349HIGHCVSS 8.1EG 8.12026-07-14
Animate is affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does …
- CVE-2026-48489HIGHCVSS 8.7EG 8.72026-06-15
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, DefaultAuthenticationFailureHandler honored the request-supplied _failure_path parameter when fa…
- CVE-2026-48493MEDIUMCVSS 5.5EG 5.52026-06-23
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `ass…
- CVE-2026-48501CRITICALCVSS 9.1EG 9.12026-05-29
GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset co…
- CVE-2026-48507HIGHCVSS 7.1EG 7.12026-06-08
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` fla…
- CVE-2026-4857HIGHCVSS 8.4EG 8.42026-04-15
IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the Vi…
- CVE-2026-48772CRITICALCVSS 10.0EG 10.02026-06-19
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN <addr> <addr> <port> <port>\r\n` PP1 frame as a well-formed PROXY protocol header. …
- CVE-2026-48776CRITICALCVSS 9.1EG 9.12026-06-17
LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied …
- CVE-2026-48781CRITICALCVSS 9.9EG 9.92026-06-17
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted …
- CVE-2026-48794LOWCVSS 1.3EG 1.32026-06-19
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domai…
- CVE-2026-48806HIGHCVSS 7.1EG 7.12026-06-30
Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling Sandbox…
- CVE-2026-48807HIGHCVSS 7.1EG 7.12026-06-30
Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringa…
- CVE-2026-48808MEDIUMCVSS 6.0EG 6.02026-06-30
Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(), so SourcePolicyInterface decisions ar…
- CVE-2026-48860MEDIUMCVSS 6.5EG 6.52026-06-10
Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function, which enforces a LAN allowli…
- CVE-2026-49219MEDIUMCVSS 5.5EG 5.52026-06-10
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a secu…
- CVE-2026-49288MEDIUMCVSS 4.3EG 4.32026-06-19
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, as…
- CVE-2026-49299MEDIUMCVSS 5.3EG 5.32026-05-28
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default pol…
- CVE-2026-49369MEDIUMCVSS 4.3EG 4.32026-05-29
In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
- CVE-2026-49376MEDIUMCVSS 6.5EG 6.52026-05-29
In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin
- CVE-2026-49397MEDIUMCVSS 5.3EG 5.32026-06-10
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking n…
- CVE-2026-49823HIGHCVSS 7.7EG 7.72026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a Fission Function spec carries three reference types — Secret, Config…
- CVE-2026-49824HIGHCVSS 8.5EG 8.52026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validat…
- CVE-2026-49981MEDIUMCVSS 6.0EG 6.02026-07-01
Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allo…
- CVE-2026-49983MEDIUMCVSS 5.2EG 5.22026-06-16
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation…
- CVE-2026-50008MEDIUMCVSS 6.9EG 6.92026-06-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured l…
- CVE-2026-50266LOWCVSS 2.2EG 2.22026-06-04
In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default p…
- CVE-2026-50528HIGHCVSS 8.2EG 8.22026-07-14
Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-50529HIGHCVSS 8.7EG 8.72026-07-07
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated a…
- CVE-2026-50559HIGHCVSS 7.5EG 7.52026-06-19
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons…
- CVE-2026-5069MEDIUMCVSS 5.4EG 5.42026-07-10
The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscription_id' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellat…
- CVE-2026-5149MEDIUMCVSS 6.5EG 6.52026-06-16
The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to…
- CVE-2026-52779MEDIUMCVSS 5.4EG 5.42026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one…
- CVE-2026-52795MEDIUMCVSS 4.3EG 4.32026-06-24
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.…
- CVE-2026-52808HIGHCVSS 7.1EG 7.12026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated b…
- CVE-2026-53492CRITICALCVSS 9.6EG 9.62026-06-19
containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during cont…
- CVE-2026-53521MEDIUMCVSS 6.4EG 6.42026-06-12
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH /server/{id} accepts and persists nonexistent ddns_profiles IDs for a member-owned server. I…
- CVE-2026-53552CRITICALCVSS 9.6EG 9.62026-07-07
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers ### Summary `Project.AddFile`, `Project.EditFile`, `Project.RemoveFile`, and `Project.Edit` in `cmd/server/api/project/handler.go` accept …
- CVE-2026-53577MEDIUMCVSS 6.5EG 6.52026-06-26
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any…
- CVE-2026-53642MEDIUMCVSS 5.3EG 5.32026-07-06
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (`email_approved = 0`) …
- CVE-2026-53721HIGHCVSS 8.2EG 8.22026-06-12
Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules match…
- CVE-2026-53738HIGHCVSS 8.1EG 8.12026-06-10
Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypa…
- CVE-2026-5374MEDIUMCVSS 5.8EG 5.82026-04-07
An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of C…
- CVE-2026-5377MEDIUMCVSS 4.3EG 4.32026-04-22
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access cont…
- CVE-2026-5378MEDIUMCVSS 5.8EG 5.82026-04-07
An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:…
- CVE-2026-5379LOWCVSS 3.0EG 3.02026-04-07
An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/…
- CVE-2026-5380MEDIUMCVSS 5.3EG 5.32026-04-07
An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS scor…
- CVE-2026-53807HIGHCVSS 8.8EG 8.82026-06-11
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as …
- CVE-2026-53808MEDIUMCVSS 6.5EG 6.52026-06-11
OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reachin…
- CVE-2026-53809LOWCVSS 3.8EG 3.82026-06-11
OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusio…
- CVE-2026-5381LOWCVSS 2.2EG 2.22026-04-07
An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →