CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,830 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 75 of 77
- CVE-2026-5382LOWCVSS 3.0EG 3.02026-04-07
An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR…
- CVE-2026-53828HIGHCVSS 8.8EG 8.82026-06-12
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement. Attackers can trigger native command han…
- CVE-2026-5383MEDIUMCVSS 4.4EG 4.42026-04-07
An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI…
- CVE-2026-53834MEDIUMCVSS 6.5EG 7.52026-06-12
OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access c…
- CVE-2026-53835MEDIUMCVSS 4.3EG 4.32026-06-12
OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authenticated senders to create or update bindings without honoring configured config-write controls. Attackers…
- CVE-2026-5384MEDIUMCVSS 5.8EG 5.82026-04-07
An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:…
- CVE-2026-53853HIGHCVSS 8.3EG 8.32026-06-16
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured ar…
- CVE-2026-53854MEDIUMCVSS 6.5EG 6.52026-06-16
OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by se…
- CVE-2026-53855HIGHCVSS 8.1EG 8.12026-06-16
OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional argumen…
- CVE-2026-53860MEDIUMCVSS 5.4EG 4.22026-06-16
OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversatio…
- CVE-2026-53902MEDIUMCVSS 6.5EG 6.52026-07-01
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privil…
- CVE-2026-53905HIGHCVSS 7.1EG 7.12026-07-01
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without…
- CVE-2026-53935MEDIUMCVSS 6.9EG 6.92026-07-06
Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatc…
- CVE-2026-54021MEDIUMCVSS 6.3EG 6.32026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw inde…
- CVE-2026-54022MEDIUMCVSS 5.3EG 5.32026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the ydoc:document:join Socket.IO handler checks note ownership only when the document_id starts with note: (colon). However…
- CVE-2026-54091HIGHCVSS 7.5EG 7.52026-06-12
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the …
- CVE-2026-54096HIGHCVSS 8.4EG 8.42026-06-12
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/<path>` accepts an authenticated request for an arbitrary path and s…
- CVE-2026-54281HIGHCVSS 8.7EG 8.72026-06-15
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forR…
- CVE-2026-54307CRITICALCVSS 9.6EG 9.62026-06-16
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credentia…
- CVE-2026-54320HIGHCVSS 8.4EG 8.42026-06-23
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted (and declined) by a user whose email matched the invitation but had no…
- CVE-2026-54321HIGHCVSS 7.0EG 7.02026-06-16
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. From 0.101.0 until 0.184.0, sandbox previews that were switched from public to private could remain reachable without authenticatio…
- CVE-2026-54324MEDIUMCVSS 6.5EG 6.52026-06-17
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to s…
- CVE-2026-54357MEDIUMCVSS 5.1EG 5.12026-06-12
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks…
- CVE-2026-54358HIGHCVSS 7.5EG 7.52026-06-12
An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted org…
- CVE-2026-54362MEDIUMCVSS 5.3EG 5.32026-06-12
An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restr…
- CVE-2026-54397MEDIUMCVSS 6.1EG 6.12026-06-12
A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to us…
- CVE-2026-54398MEDIUMCVSS 5.3EG 5.32026-06-12
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized…
- CVE-2026-54517MEDIUMCVSS 5.3EG 5.32026-06-23
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter …
- CVE-2026-54518MEDIUMCVSS 6.5EG 6.52026-06-23
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into…
- CVE-2026-54555HIGHCVSS 7.8EG 7.82026-06-23
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nes…
- CVE-2026-54573MEDIUMCVSS 5.3EG 5.32026-06-25
Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts th…
- CVE-2026-54652HIGHCVSS 8.1EG 8.12026-07-08
Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords a…
- CVE-2026-54698MEDIUMCVSS 6.0EG 6.02026-07-07
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for t…
- CVE-2026-54761HIGHCVSS 7.1EG 7.12026-06-17
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declar…
- CVE-2026-54765HIGHCVSS 8.5EG 8.52026-07-06
Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different ba…
- CVE-2026-54803CRITICALCVSS 9.8EG 9.82026-06-17
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
- CVE-2026-54998HIGHCVSS 8.8EG 8.82026-07-02
Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
- CVE-2026-55188HIGHCVSS 8.2EG 8.22026-06-26
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replica…
- CVE-2026-55189HIGHCVSS 7.7EG 7.72026-06-26
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM aut…
- CVE-2026-55411MEDIUMCVSS 6.8EG 6.82026-06-25
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.1780-lts, the authenticated endpoint POST /api/data-sources/decrypt returns the decrypted plainte…
- CVE-2026-55428HIGHCVSS 8.2EG 8.22026-07-06
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID b…
- CVE-2026-55435MEDIUMCVSS 5.4EG 5.42026-07-06
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd…
- CVE-2026-55460HIGHCVSS 7.1EG 7.12026-07-10
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with delete_user=1 because BulkUsersController:…
- CVE-2026-55462MEDIUMCVSS 4.3EG 4.32026-07-10
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an…
- CVE-2026-55472MEDIUMCVSS 4.3EG 4.32026-07-10
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects an invalid parent-child company mismatch but does not …
- CVE-2026-55475MEDIUMCVSS 5.7EG 5.72026-07-10
Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the created_by value of an import file, allowing unauthorized modifica…
- CVE-2026-55479MEDIUMCVSS 4.3EG 4.32026-07-10
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission, allowing a user who can assign licenses bu…
- CVE-2026-55638HIGHCVSS 8.6EG 8.62026-07-10
9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/* to /api/v1/responses. A remote unauthenticate…
- CVE-2026-55672HIGHCVSS 7.4EG 7.42026-06-18
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated th…
- CVE-2026-5574MEDIUMCVSS 6.5EG 6.52026-04-05
A security vulnerability has been detected in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Affected is the function deletefile of the component FsBrowseClean. The manipulation of the argument dir/path leads to missing authorization. The a…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →