Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3193 vulnerabilities reference this CWE, most recent first.

CVE-2026-61971 (GCVE-0-2026-61971)

Vulnerability from cvelistv5 – Published: 2026-07-13 08:41 – Updated: 2026-07-13 14:38
VLAI
Title
WordPress User Profile Picture plugin <= 2.6.3 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
Cozmoslabs User Profile Picture Affected: 0 , ≤ 2.6.3 (custom)
Create a notification for this product.
Date Public
2026-07-13 10:40
Credits
Ananda Dhakal (Patchstack)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-61971",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T13:54:22.588601Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T14:38:02.877Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "metronet-profile-picture",
          "product": "User Profile Picture",
          "vendor": "Cozmoslabs",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.6.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.6.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ananda Dhakal (Patchstack)"
        }
      ],
      "datePublic": "2026-07-13T10:40:47.478Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects User Profile Picture: from n/a through \u003c= 2.6.3.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through \u003c= 2.6.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T08:41:25.805Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/metronet-profile-picture/vulnerability/wordpress-user-profile-picture-plugin-2-6-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress User Profile Picture plugin \u003c= 2.6.3 - Insecure Direct Object References (IDOR) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-61971",
    "datePublished": "2026-07-13T08:41:25.805Z",
    "dateReserved": "2026-07-13T06:13:50.885Z",
    "dateUpdated": "2026-07-13T14:38:02.877Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-61460 (GCVE-0-2026-61460)

Vulnerability from cvelistv5 – Published: 2026-07-10 18:24 – Updated: 2026-07-10 19:10 X_Open Source
VLAI
Title
Krayin CRM Insecure Direct Object Reference via Controllers
Summary
Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
krayin laravel-crm Affected: 0 , ≤ 2.2.3 (semver)
Create a notification for this product.
Date Public
2026-06-13 00:00
Credits
George Chen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-61460",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T19:10:01.301600Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T19:10:15.675Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:composer/krayin/laravel-crm",
          "product": "laravel-crm",
          "repo": "https://github.com/krayin/laravel-crm",
          "vendor": "krayin",
          "versions": [
            {
              "lessThanOrEqual": "2.2.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "George Chen"
        }
      ],
      "datePublic": "2026-06-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T18:24:49.586Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Researcher Disclosure",
          "tags": [
            "technical-description",
            "exploit"
          ],
          "url": "https://github.com/krayin/laravel-crm/issues/2559"
        },
        {
          "name": "Pull Request",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/krayin/laravel-crm/pull/2567"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/krayin-crm-insecure-direct-object-reference-via-controllers"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "title": "Krayin CRM Insecure Direct Object Reference via Controllers",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-61460",
    "datePublished": "2026-07-10T18:24:49.586Z",
    "dateReserved": "2026-07-09T14:07:55.624Z",
    "dateUpdated": "2026-07-10T19:10:15.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-60104 (GCVE-0-2026-60104)

Vulnerability from cvelistv5 – Published: 2026-07-08 19:34 – Updated: 2026-07-14 22:03 X_Open Source
VLAI
Title
Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request
Summary
Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
bitwarden server Affected: 0 , < 2026.6.0 (semver)
Create a notification for this product.
Date Public
2026-05-12 00:00
Credits
Sanjok Karki
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-60104",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T13:35:41.639610Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T13:35:51.135Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageURL": "pkg:github/bitwarden/server",
          "product": "server",
          "repo": "https://github.com/bitwarden/server",
          "vendor": "bitwarden",
          "versions": [
            {
              "lessThan": "2026.6.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:bitwarden:server:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sanjok Karki"
        }
      ],
      "datePublic": "2026-05-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user\u0027s vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim\u0027s vault key and account takeover."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T22:03:31.357Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Researcher Disclosure",
          "tags": [
            "technical-description",
            "exploit"
          ],
          "url": "https://sanjokkarki.com.np/blog/bitwarden-vault-key-heist"
        },
        {
          "name": "Release Notes",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/bitwarden/server/releases#release-v2026.6.0"
        },
        {
          "name": "Fix PR",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/bitwarden/server/pull/7615"
        },
        {
          "name": "Fix Commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/bitwarden/server/commit/dcf4c486b2b5bedecc03a48b427243328cc74a9a"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/bitwarden-server-authorization-bypass-via-admin-auth-request"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Bitwarden Server \u003c 2026.6.0 Authorization Bypass via Admin Auth Request",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-60104",
    "datePublished": "2026-07-08T19:34:49.127Z",
    "dateReserved": "2026-07-08T13:27:53.030Z",
    "dateUpdated": "2026-07-14T22:03:31.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59817 (GCVE-0-2026-59817)

Vulnerability from cvelistv5 – Published: 2026-07-09 17:40 – Updated: 2026-07-14 01:04
VLAI
Title
Ghost: Paid gift memberships obtainable at minimal cost via the donations feature
Summary
Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing money from a site or its members. This issue is fixed in version 6.44.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-472 - External Control of Assumed-Immutable Web Parameter
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
TryGhost Ghost Affected: >= 6.27.0, < 6.44.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-59817",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T01:04:43.336631Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T01:04:55.237Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ghost",
          "vendor": "TryGhost",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.27.0, \u003c 6.44.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost\u0027s public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing money from a site or its members. This issue is fixed in version 6.44.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-472",
              "description": "CWE-472: External Control of Assumed-Immutable Web Parameter",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T17:40:15.629Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-xm43-3m56-w3wf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-xm43-3m56-w3wf"
        },
        {
          "name": "https://github.com/TryGhost/Ghost/pull/28351",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TryGhost/Ghost/pull/28351"
        },
        {
          "name": "https://github.com/TryGhost/Ghost/pull/28352",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TryGhost/Ghost/pull/28352"
        },
        {
          "name": "https://github.com/TryGhost/Ghost/commit/cab716cd015ac04b7ee50c7a405478d97bc7b1e0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TryGhost/Ghost/commit/cab716cd015ac04b7ee50c7a405478d97bc7b1e0"
        },
        {
          "name": "https://github.com/TryGhost/Ghost/commit/ee7b991b466a7849c70f9d1caed8e491ee4113c6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TryGhost/Ghost/commit/ee7b991b466a7849c70f9d1caed8e491ee4113c6"
        }
      ],
      "source": {
        "advisory": "GHSA-xm43-3m56-w3wf",
        "discovery": "UNKNOWN"
      },
      "title": "Ghost: Paid gift memberships obtainable at minimal cost via the donations feature"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-59817",
    "datePublished": "2026-07-09T17:40:15.629Z",
    "dateReserved": "2026-07-07T15:00:50.978Z",
    "dateUpdated": "2026-07-14T01:04:55.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59733 (GCVE-0-2026-59733)

Vulnerability from cvelistv5 – Published: 2026-07-14 21:38 – Updated: 2026-07-14 21:38
VLAI
Title
rclone `serve restic --private-repos` authorization bypass: `..` in the URL path lets an authenticated user read, overwrite and delete other users' repositories
Summary
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
rclone rclone Affected: < 1.74.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "rclone",
          "vendor": "rclone",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.74.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user\u0027s private repository on backends that clean path components. This issue is fixed in version 1.74.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T21:38:37.116Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rclone/rclone/security/advisories/GHSA-fqj9-69pf-6pjg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rclone/rclone/security/advisories/GHSA-fqj9-69pf-6pjg"
        },
        {
          "name": "https://github.com/rclone/rclone/commit/015fd0eba1cb138eef081517795fed47a2873f2d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rclone/rclone/commit/015fd0eba1cb138eef081517795fed47a2873f2d"
        },
        {
          "name": "https://github.com/rclone/rclone/commit/dade21c1616035b044df0eef7ee6a85aeb06a139",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rclone/rclone/commit/dade21c1616035b044df0eef7ee6a85aeb06a139"
        },
        {
          "name": "https://github.com/rclone/rclone/releases/tag/v1.74.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rclone/rclone/releases/tag/v1.74.4"
        }
      ],
      "source": {
        "advisory": "GHSA-fqj9-69pf-6pjg",
        "discovery": "UNKNOWN"
      },
      "title": "rclone `serve restic --private-repos` authorization bypass: `..` in the URL path lets an authenticated user read, overwrite and delete other users\u0027 repositories"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-59733",
    "datePublished": "2026-07-14T21:38:37.116Z",
    "dateReserved": "2026-07-06T15:34:16.917Z",
    "dateUpdated": "2026-07-14T21:38:37.116Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59712 (GCVE-0-2026-59712)

Vulnerability from cvelistv5 – Published: 2026-07-06 20:43 – Updated: 2026-07-09 18:32
VLAI
Title
Leantime - JSON-RPC API Broken Access Control via users.getUser
Summary
Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
Leantime Leantime Affected: 0 , ≤ 3.4.4 (semver)
Create a notification for this product.
Date Public
2026-06-20 00:00
Credits
George Chen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-59712",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-07T13:43:37.598340Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-07T13:43:53.031Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/leantime",
          "product": "Leantime",
          "vendor": "Leantime",
          "versions": [
            {
              "lessThanOrEqual": "3.4.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "George Chen"
        }
      ],
      "datePublic": "2026-06-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Leantime\u0027s Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T18:32:24.327Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Issue",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/Leantime/leantime/issues/3556"
        },
        {
          "name": "Product",
          "tags": [
            "product"
          ],
          "url": "https://github.com/Leantime/leantime"
        },
        {
          "name": "Patch Commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Leantime/leantime/commit/4f2612d13e0e8a2093092a846b44506cf133b671"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/leantime-credential-disclosure-via-unauthenticated-json-rpc-users-getuser-method"
        }
      ],
      "title": "Leantime - JSON-RPC API Broken Access Control via users.getUser",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-59712",
    "datePublished": "2026-07-06T20:43:50.296Z",
    "dateReserved": "2026-07-06T15:31:46.188Z",
    "dateUpdated": "2026-07-09T18:32:24.327Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59253 (GCVE-0-2026-59253)

Vulnerability from cvelistv5 – Published: 2026-07-08 13:49 – Updated: 2026-07-08 14:31
VLAI
Title
n8n - Improper Authorization in Workflow Assignment to Folders
Summary
n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical integrity violations in target project folder structures.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
n8n n8n Affected: 0 , < 2.28.0 (semver)
Unaffected: 2.28.0 (semver)
Create a notification for this product.
Date Public
2026-06-24 00:00
Credits
HO-9
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-59253",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-08T14:31:38.587009Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-08T14:31:44.900Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/n8n",
          "product": "n8n",
          "vendor": "n8n",
          "versions": [
            {
              "lessThan": "2.28.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "2.28.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*",
                  "versionEndExcluding": "2.28.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "HO-9"
        }
      ],
      "datePublic": "2026-06-24T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical integrity violations in target project folder structures."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-08T13:49:12.902Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-2xgm-wc4g-5jvg)",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-2xgm-wc4g-5jvg"
        },
        {
          "name": "VulnCheck Advisory: n8n - Improper Authorization in Workflow Assignment to Folders",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/n8n-improper-authorization-in-workflow-assignment-to-folders"
        }
      ],
      "title": "n8n - Improper Authorization in Workflow Assignment to Folders",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-59253",
    "datePublished": "2026-07-08T13:49:12.902Z",
    "dateReserved": "2026-07-04T12:17:14.301Z",
    "dateUpdated": "2026-07-08T14:31:44.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59235 (GCVE-0-2026-59235)

Vulnerability from cvelistv5 – Published: 2026-07-15 10:38 – Updated: 2026-07-15 10:38 X_Open Source
VLAI
Title
Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts
Summary
Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated attacker holding a low-privileged role (e.g. the "User"/"Usuario" role) to read arbitrary bank account records belonging to their company by sending an authenticated request to the endpoint with a valid bearer token, because the API route is protected only by the auth:api middleware and carries no permission gate, unlike the equivalent web route, which enforces can('read bank'), and the handler resolves records with Account::where('company_id', Auth::user()->company_id)->get(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (e.g. IBAN, SWIFT/BIC, account identifiers) to users who should not have access to it.
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
Impacted products
Vendor Product Version
Roskus Prospero Flow CRM Affected: 4.6.0 , < 5.5.3 (semver)
Create a notification for this product.
Date Public
2026-07-15 10:37
Credits
David Moreno Urbanos YoyoDavelion Gustavo Novaro Secur0 CNA Xoan M. Otero Jorge Cristian Fernández Cornejo
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Prospero Flow CRM",
          "programFiles": [
            "app/Http/Controllers/Api/BankAccount/BankAccountListController.php"
          ],
          "repo": "https://github.com/Roskus/prospero-flow-crm",
          "vendor": "Roskus",
          "versions": [
            {
              "lessThan": "5.5.3",
              "status": "affected",
              "version": "4.6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.5.3",
                  "versionStartIncluding": "4.6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "David Moreno Urbanos"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "YoyoDavelion"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Gustavo Novaro"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Secur0 CNA"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Xoan M. Otero Jorge"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Cristian Fern\u00e1ndez Cornejo"
        }
      ],
      "datePublic": "2026-07-15T10:37:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization (CWE-862) in \u003ccode\u003eBankAccountListController\u003c/code\u003e (\u003ccode\u003eapp/Http/Controllers/Api/BankAccount/BankAccountListController.php\u003c/code\u003e), exposed at \u003ccode\u003eGET /api/bank-account\u003c/code\u003e, in Prospero Flow CRM \u0026lt;5.5.3, which allows a remote, authenticated attacker holding a low-privileged role (e.g. the \"User\"/\"Usuario\" role) to read arbitrary bank account records belonging to their company by sending an authenticated request to the endpoint with a valid bearer token, because the API route is protected only by the \u003ccode\u003eauth:api\u003c/code\u003e middleware and carries no permission gate, unlike the equivalent web route, which enforces \u003ccode\u003ecan(\u0027read bank\u0027)\u003c/code\u003e, and the handler resolves records with \u003ccode\u003eAccount::where(\u0027company_id\u0027, Auth::user()-\u0026gt;company_id)-\u0026gt;get()\u003c/code\u003e, performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (e.g. IBAN, SWIFT/BIC, account identifiers) to users who should not have access to it."
            }
          ],
          "value": "Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM \u003c5.5.3, which allows a remote, authenticated attacker holding a low-privileged role (e.g. the \"User\"/\"Usuario\" role) to read arbitrary bank account records belonging to their company by sending an authenticated request to the endpoint with a valid bearer token, because the API route is protected only by the auth:api middleware and carries no permission gate, unlike the equivalent web route, which enforces can(\u0027read bank\u0027), and the handler resolves records with Account::where(\u0027company_id\u0027, Auth::user()-\u003ecompany_id)-\u003eget(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (e.g. IBAN, SWIFT/BIC, account identifiers) to users who should not have access to it."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T10:38:20.180Z",
        "orgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
        "shortName": "Secur0"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Roskus/prospero-flow-crm/commit/57bb57212af03151c989d67d6723d5ddb3e81e7b"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/Roskus/prospero-flow-crm/releases#release-v5.5.3"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://secur0.com/en/cna/cve-list/cve-2026-59235-missing-authorization-in-prospero-flow-crm-allows-low-privileged-users-to-read-all-bank-accounts"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to version 5.5.3 or higher."
            }
          ],
          "value": "Upgrade to version 5.5.3 or higher."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
    "assignerShortName": "Secur0",
    "cveId": "CVE-2026-59235",
    "datePublished": "2026-07-15T10:38:20.180Z",
    "dateReserved": "2026-07-03T11:24:39.242Z",
    "dateUpdated": "2026-07-15T10:38:20.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59234 (GCVE-0-2026-59234)

Vulnerability from cvelistv5 – Published: 2026-07-03 12:47 – Updated: 2026-07-06 15:57 X_Open Source
VLAI
Title
Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion
Summary
Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
Roskus Prospero Flow CRM Affected: 1.0.0 , < 5.5.3 (semver)
    cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2026-07-02 22:00
Credits
Robert Mihaila Amirreza Fadaeizadeh Bidari Xoan M. Otero Jorge Secur0 CNA Gustavo Novaro
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-59234",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T15:57:03.621583Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T15:57:11.131Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/Roskus/prospero-flow-crm",
          "cpes": [
            "cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Prospero Flow CRM",
          "programFiles": [
            "app/Http/Controllers/Calendar/CalendarDeleteEventController.php"
          ],
          "repo": "https://github.com/Roskus/prospero-flow-crm",
          "vendor": "Roskus",
          "versions": [
            {
              "lessThan": "5.5.3",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.5.3",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Mihaila"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Amirreza Fadaeizadeh Bidari"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Xoan M. Otero Jorge"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Secur0 CNA"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Gustavo Novaro"
        }
      ],
      "datePublic": "2026-07-02T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)-\u0026gt;delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users\u0027 calendar events across the platform.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)-\u003edelete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users\u0027 calendar events across the platform."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-77 Manipulating User-Controlled Variables"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T12:47:38.445Z",
        "orgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
        "shortName": "Secur0"
      },
      "references": [
        {
          "name": "Fix commit 8c26eed4 - add user_id ownership check before delete",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70"
        },
        {
          "name": "Release v5.5.3 (fixed version)",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to version 5.5.3 or higher."
            }
          ],
          "value": "Upgrade to version 5.5.3 or higher."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
    "assignerShortName": "Secur0",
    "cveId": "CVE-2026-59234",
    "datePublished": "2026-07-03T12:47:38.445Z",
    "dateReserved": "2026-07-03T11:24:39.241Z",
    "dateUpdated": "2026-07-06T15:57:11.131Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59216 (GCVE-0-2026-59216)

Vulnerability from cvelistv5 – Published: 2026-07-09 16:48 – Updated: 2026-07-10 03:55
VLAI
Title
Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
open-webui open-webui Affected: < 0.10.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-59216",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T03:55:47.517Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.10.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T16:48:55.663Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q"
        },
        {
          "name": "https://github.com/open-webui/open-webui/pull/25763",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/pull/25763"
        },
        {
          "name": "https://github.com/open-webui/open-webui/commit/386ac958144dbbbf0aa6e268070d72b681a318aa",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/commit/386ac958144dbbbf0aa6e268070d72b681a318aa"
        },
        {
          "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
        }
      ],
      "source": {
        "advisory": "GHSA-74h3-cxq7-vc5q",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-59216",
    "datePublished": "2026-07-09T16:48:55.663Z",
    "dateReserved": "2026-07-02T21:05:02.924Z",
    "dateUpdated": "2026-07-10T03:55:47.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.