Common Weakness Enumeration

CWE-286

Allowed-with-Review

Incorrect User Management

Abstraction: Class · Status: Incomplete

The product does not properly manage a user within its environment.

58 vulnerabilities reference this CWE, most recent first.

GHSA-Q49F-7FGV-7HX8

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 00:30
VLAI
Details

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-35638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-286"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T22:16:33Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.",
  "id": "GHSA-q49f-7fgv-7hx8",
  "modified": "2026-04-10T00:30:30Z",
  "published": "2026-04-10T00:30:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-self-declared-scopes-in-trusted-proxy-control-ui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V78Q-6PRW-GCFJ

Vulnerability from github – Published: 2024-04-22 15:30 – Updated: 2024-07-03 18:36
VLAI
Details

Improper verification of a user input in Open Source MANO v7-v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function (VNF) descriptor. An attacker may be able execute code to change the normal execution of the OSM components, retrieve confidential information, or gain access other parts of a Telco Operator infrastructure other than OSM itself.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-286"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-22T15:15:46Z",
    "severity": "HIGH"
  },
  "details": "Improper verification of a user input in Open Source MANO v7-v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function (VNF) descriptor. An attacker may be able execute code to change the normal execution of the OSM components, retrieve confidential information, or gain access other parts of a Telco Operator infrastructure other than OSM itself.",
  "id": "GHSA-v78q-6prw-gcfj",
  "modified": "2024-07-03T18:36:25Z",
  "published": "2024-04-22T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35503"
    },
    {
      "type": "WEB",
      "url": "https://osm.etsi.org"
    },
    {
      "type": "WEB",
      "url": "https://osm.etsi.org/news-events/blog/83-cve-2022-35503-disclosure"
    },
    {
      "type": "WEB",
      "url": "http://osm.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCXH-WF9C-H9VV

Vulnerability from github – Published: 2025-03-25 18:30 – Updated: 2025-03-25 18:30
VLAI
Details

A vulnerability in the Trend Micro Apex One Security Agent Plug-in User Interface Manager could allow a local attacker to bypass existing security and execute arbitrary code on affected installations.

This CVE address an addtional bypass not covered in CVE-2024-58104.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-286"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-25T18:15:34Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability  in the Trend Micro Apex One Security Agent Plug-in User Interface Manager could allow a local attacker to bypass existing security and execute arbitrary code on affected installations. \n\nThis CVE address an addtional bypass not covered in CVE-2024-58104.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
  "id": "GHSA-vcxh-wf9c-h9vv",
  "modified": "2025-03-25T18:30:54Z",
  "published": "2025-03-25T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58105"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/en-US/solution/KA-0018217"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VRXJ-QH7R-W3WC

Vulnerability from github – Published: 2023-09-14 18:32 – Updated: 2024-04-04 07:40
VLAI
Details

NVIDIA ConnectX Host Firmware for the BlueField Data Processing Unit contains a vulnerability where a restricted host may cause an incorrect user management error. A successful exploit of this vulnerability may lead to escalation of privileges. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-286"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T02:15:10Z",
    "severity": "HIGH"
  },
  "details": "\nNVIDIA ConnectX Host Firmware for the BlueField Data Processing Unit contains a vulnerability where a restricted host may cause an incorrect user management error. A successful exploit of this vulnerability may lead to escalation of privileges.\u00a0 \n\n",
  "id": "GHSA-vrxj-qh7r-w3wc",
  "modified": "2024-04-04T07:40:23Z",
  "published": "2023-09-14T18:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25519"
    },
    {
      "type": "WEB",
      "url": "https://https://nvidia.custhelp.com/app/answers/detail/a_id/5479"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5479"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVCP-5V5P-8JHC

Vulnerability from github – Published: 2023-08-03 06:30 – Updated: 2024-04-04 15:14
VLAI
Details

An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-286",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-03T05:15:10Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies.",
  "id": "GHSA-vvcp-5v5p-8jhc",
  "modified": "2024-04-04T15:14:22Z",
  "published": "2023-08-03T06:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3932"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2057633"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/417594"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVGF-XGQ8-6R6J

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2024-07-09 12:30
VLAI
Details

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass in certain scenarios.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-286"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.1). The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass in certain scenarios.",
  "id": "GHSA-wvgf-xgq8-6r6j",
  "modified": "2024-07-09T12:30:55Z",
  "published": "2022-06-15T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32260"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-381581.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XR73-JQ5P-CH8R

Vulnerability from github – Published: 2025-11-19 18:13 – Updated: 2025-11-19 18:59
VLAI
Summary
authentik allows a deactivated Service account to authenticate to OAuth
Details

Summary

When authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account.

Patches

authentik 2025.8.5 and 2025.10.2 fix this issue, for other versions the workaround below can be used.

Workarounds

You can add a policy to your application that explicitly checks if the service account is still valid, and deny access if not.

return request.user.is_active

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "goauthentik.io"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20251119140106-9dbdfc3f1be0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-286",
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-19T18:13:03Z",
    "nvd_published_at": "2025-11-19T17:15:52Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWhen authenticating with `client_id` and `client_secret` to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account.\n\n### Patches\n\nauthentik 2025.8.5 and 2025.10.2 fix this issue, for other versions the workaround below can be used.\n\n### Workarounds\n\nYou can add a policy to your application that explicitly checks if the service account is still valid, and deny access if not.\n\n```python\nreturn request.user.is_active\n```\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).",
  "id": "GHSA-xr73-jq5p-ch8r",
  "modified": "2025-11-19T18:59:53Z",
  "published": "2025-11-19T18:13:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64521"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goauthentik/authentik"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "authentik allows a deactivated Service account to authenticate to OAuth"
}

GHSA-XVWC-MXM8-8HQG

Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2024-09-25 03:30
VLAI
Details

An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via crafted post request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-286"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T01:15:33Z",
    "severity": "CRITICAL"
  },
  "details": "An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via crafted post request.",
  "id": "GHSA-xvwc-mxm8-8hqg",
  "modified": "2024-09-25T03:30:35Z",
  "published": "2024-09-25T03:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cybrops-io/CVEs/tree/main/CVE-2023-26689%20-%20Insufficient%20Authorization%20for%20API%20key%20creation%20in%20CS-Cart%20MultiVendor%204.16.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.