CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14562 vulnerabilities reference this CWE, most recent first.
GHSA-J6R7-6FHX-77WX
Vulnerability from github – Published: 2026-07-14 19:07 – Updated: 2026-07-14 19:07Impact
In multi-tenant HTTP deployments — where a single n8n-mcp server serves several tenants — the locally stored workflow version history (the automatic backups taken before workflow updates) was not isolated per tenant. An authenticated tenant could read workflow version snapshots belonging to other tenants, and could delete or destroy other tenants' stored backups.
A stored snapshot includes full node definitions, so the exposed data can contain credential references and authorization headers configured on nodes. This is therefore a confidentiality issue in addition to an integrity/availability one.
Affected configurations
- HTTP mode with multi-tenancy enabled (
ENABLE_MULTI_TENANT=true), where multiple tenants are served by a single shared instance and database.
Not affected:
- stdio / single-user deployments (e.g. Claude Desktop).
- Single-tenant HTTP deployments (one tenant per instance and database).
Affected versions
<= 2.56.0
Patched version
2.56.1. The stored version history is now isolated per instance, so a tenant can only access its own backups. Upgrading runs a one-time migration that isolates existing history and clears previously stored, un-scoped backups (these are auto-created, short-retention backups).
Workarounds
If users cannot upgrade immediately:
- Disable the workflow version tool by setting
DISABLED_TOOLS=n8n_workflow_versionsin the server environment (for example, in your Docker.env). This removes the affected tool from the deployment for all tenants; automatic backups are unaffected, but the cross-tenant access path is closed. - Alternatively, do not run in multi-tenant mode — serve each tenant from a separate instance with its own database, so no local store is shared between tenants.
- Restrict network access to the HTTP endpoint to trusted operators.
stdio and single-tenant HTTP deployments are not affected.
Credit
Reported by Francisco Rosales (@0xmagic0) and coordinated by Ax Sharma (@axsharma) of Manifold Security.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.56.0"
},
"package": {
"ecosystem": "npm",
"name": "n8n-mcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.56.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54052"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T19:07:14Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Impact\n\nIn multi-tenant HTTP deployments \u2014 where a single n8n-mcp server serves several tenants \u2014 the locally stored workflow version history (the automatic backups taken before workflow updates) was not isolated per tenant. An authenticated tenant could read workflow version snapshots belonging to other tenants, and could delete or destroy other tenants\u0027 stored backups.\n\nA stored snapshot includes full node definitions, so the exposed data can contain credential references and authorization headers configured on nodes. This is therefore a confidentiality issue in addition to an integrity/availability one.\n\n## Affected configurations\n\n- HTTP mode with multi-tenancy enabled (`ENABLE_MULTI_TENANT=true`), where multiple tenants are served by a single shared instance and database.\n\nNot affected:\n\n- stdio / single-user deployments (e.g. Claude Desktop).\n- Single-tenant HTTP deployments (one tenant per instance and database).\n\n## Affected versions\n\n`\u003c= 2.56.0`\n\n## Patched version\n\n`2.56.1`. The stored version history is now isolated per instance, so a tenant can only access its own backups. Upgrading runs a one-time migration that isolates existing history and clears previously stored, un-scoped backups (these are auto-created, short-retention backups).\n\n## Workarounds\n\nIf users cannot upgrade immediately:\n\n- Disable the workflow version tool by setting `DISABLED_TOOLS=n8n_workflow_versions` in the server environment (for example, in your Docker `.env`). This removes the affected tool from the deployment for all tenants; automatic backups are unaffected, but the cross-tenant access path is closed.\n- Alternatively, do not run in multi-tenant mode \u2014 serve each tenant from a separate instance with its own database, so no local store is shared between tenants.\n- Restrict network access to the HTTP endpoint to trusted operators.\n\nstdio and single-tenant HTTP deployments are not affected.\n\n## Credit\n\nReported by Francisco Rosales (@0xmagic0) and coordinated by Ax Sharma (@axsharma) of Manifold Security.",
"id": "GHSA-j6r7-6fhx-77wx",
"modified": "2026-07-14T19:07:14Z",
"published": "2026-07-14T19:07:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-j6r7-6fhx-77wx"
},
{
"type": "PACKAGE",
"url": "https://github.com/czlonkowski/n8n-mcp"
},
{
"type": "WEB",
"url": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.56.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments"
}
GHSA-J6VJ-J7Q6-95QQ
Vulnerability from github – Published: 2026-04-16 15:31 – Updated: 2026-04-16 15:31Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyRewards: from n/a through <= 5.7.3.
{
"affected": [],
"aliases": [
"CVE-2026-40786"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-15T11:16:37Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyRewards: from n/a through \u003c= 5.7.3.",
"id": "GHSA-j6vj-j7q6-95qq",
"modified": "2026-04-16T15:31:32Z",
"published": "2026-04-16T15:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40786"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/woorewards/vulnerability/wordpress-myrewards-plugin-5-7-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J6VR-HF47-35CX
Vulnerability from github – Published: 2024-03-13 18:31 – Updated: 2024-03-13 18:31The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxAddCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to add categories.
{
"affected": [],
"aliases": [
"CVE-2024-0385"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-13T16:15:11Z",
"severity": "MODERATE"
},
"details": "The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxAddCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to add categories.",
"id": "GHSA-j6vr-hf47-35cx",
"modified": "2024-03-13T18:31:32Z",
"published": "2024-03-13T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0385"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3034410/categorify"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c74cf-a109-4f77-a740-5a43ccd4e96a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J6X8-V233-X3MM
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-08-06 00:00Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions.
{
"affected": [],
"aliases": [
"CVE-2021-20989"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions.",
"id": "GHSA-j6x8-v233-x3mm",
"modified": "2022-08-06T00:00:41Z",
"published": "2022-05-24T17:47:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20989"
},
{
"type": "WEB",
"url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Apr/27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J724-5C6C-68G5
Vulnerability from github – Published: 2026-03-26 18:06 – Updated: 2026-03-27 21:38Summary
Three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.
Details
The vulnerable files are:
1. plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7
<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';
header('Content-Type: application/json');
$rows = Scheduler_commands::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}
2. plugin/Scheduler/View/Emails_messages/list.json.php:1-10
<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Emails_messages.php';
header('Content-Type: application/json');
$rows = Emails_messages::getAll();
$total = Emails_messages::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}
3. plugin/Scheduler/View/Email_to_user/list.json.php:1-10
<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Email_to_user.php';
header('Content-Type: application/json');
$rows = Email_to_user::getAll();
$total = Email_to_user::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}
None of these files check authentication before calling getAll(), which executes SELECT * FROM {table} and returns the entire table contents.
In contrast, every sibling endpoint requires admin access. For example, plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15:
if(!User::isAdmin()){
$obj->msg = "You cant do this";
die(json_encode($obj));
}
The Scheduler_commands table (defined in plugin/Scheduler/Objects/Scheduler_commands.php) stores fields including callbackURL (internal server URLs with query parameters), parameters (JSON blobs containing user IDs and email configuration), status, timezone, and cron scheduling fields. The Emails_messages table stores subject and message (full HTML email bodies composed by admins). The Email_to_user table maps users_id to emails_messages_id, revealing which users are targeted by which email campaigns.
PoC
# 1. Retrieve all scheduled tasks — exposes internal callbackURLs and parameters
curl -s 'https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php' | jq '.data[] | {id, callbackURL, parameters, status, type}'
# 2. Retrieve all admin-composed email messages — exposes subject and HTML body
curl -s 'https://target/plugin/Scheduler/View/Emails_messages/list.json.php' | jq '.data[] | {id, subject, message}'
# 3. Retrieve user-to-email targeting mappings — reveals which users receive which emails
curl -s 'https://target/plugin/Scheduler/View/Email_to_user/list.json.php' | jq '.data[] | {users_id, emails_messages_id, sent_at}'
All three return full database contents with no authentication required. No session cookie or token is needed.
Impact
An unauthenticated attacker can:
- Enumerate internal infrastructure:
callbackURLfields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures - Read admin email campaigns: Full email subjects and HTML message bodies composed by administrators are exposed
- Map user targeting: The
Email_to_usertable reveals whichusers_idvalues are targeted by which email campaigns, enabling user enumeration and profiling - Gather reconnaissance: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks
The information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).
Recommended Fix
Add User::isAdmin() checks to all three list.json.php files, matching the pattern used by sibling endpoints. For each file, add the following after the require_once lines and before the data retrieval:
plugin/Scheduler/View/Scheduler_commands/list.json.php:
<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';
header('Content-Type: application/json');
if(!User::isAdmin()){
die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}
$rows = Scheduler_commands::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}
Apply the same pattern to Emails_messages/list.json.php and Email_to_user/list.json.php.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33761"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:06:39Z",
"nvd_published_at": "2026-03-27T15:16:58Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThree `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.\n\n## Details\n\nThe vulnerable files are:\n\n**1. `plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Scheduler_commands.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Scheduler_commands::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\n**2. `plugin/Scheduler/View/Emails_messages/list.json.php:1-10`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Emails_messages.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Emails_messages::getAll();\n$total = Emails_messages::getTotal();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e, ...}\n```\n\n**3. `plugin/Scheduler/View/Email_to_user/list.json.php:1-10`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Email_to_user.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Email_to_user::getAll();\n$total = Email_to_user::getTotal();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e, ...}\n```\n\nNone of these files check authentication before calling `getAll()`, which executes `SELECT * FROM {table}` and returns the entire table contents.\n\nIn contrast, every sibling endpoint requires admin access. For example, `plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15`:\n```php\nif(!User::isAdmin()){\n $obj-\u003emsg = \"You cant do this\";\n die(json_encode($obj));\n}\n```\n\nThe `Scheduler_commands` table (defined in `plugin/Scheduler/Objects/Scheduler_commands.php`) stores fields including `callbackURL` (internal server URLs with query parameters), `parameters` (JSON blobs containing user IDs and email configuration), `status`, `timezone`, and cron scheduling fields. The `Emails_messages` table stores `subject` and `message` (full HTML email bodies composed by admins). The `Email_to_user` table maps `users_id` to `emails_messages_id`, revealing which users are targeted by which email campaigns.\n\n## PoC\n\n```bash\n# 1. Retrieve all scheduled tasks \u2014 exposes internal callbackURLs and parameters\ncurl -s \u0027https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php\u0027 | jq \u0027.data[] | {id, callbackURL, parameters, status, type}\u0027\n\n# 2. Retrieve all admin-composed email messages \u2014 exposes subject and HTML body\ncurl -s \u0027https://target/plugin/Scheduler/View/Emails_messages/list.json.php\u0027 | jq \u0027.data[] | {id, subject, message}\u0027\n\n# 3. Retrieve user-to-email targeting mappings \u2014 reveals which users receive which emails\ncurl -s \u0027https://target/plugin/Scheduler/View/Email_to_user/list.json.php\u0027 | jq \u0027.data[] | {users_id, emails_messages_id, sent_at}\u0027\n```\n\nAll three return full database contents with no authentication required. No session cookie or token is needed.\n\n## Impact\n\nAn unauthenticated attacker can:\n\n- **Enumerate internal infrastructure**: `callbackURL` fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures\n- **Read admin email campaigns**: Full email subjects and HTML message bodies composed by administrators are exposed\n- **Map user targeting**: The `Email_to_user` table reveals which `users_id` values are targeted by which email campaigns, enabling user enumeration and profiling\n- **Gather reconnaissance**: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks\n\nThe information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).\n\n## Recommended Fix\n\nAdd `User::isAdmin()` checks to all three `list.json.php` files, matching the pattern used by sibling endpoints. For each file, add the following after the `require_once` lines and before the data retrieval:\n\n**`plugin/Scheduler/View/Scheduler_commands/list.json.php`:**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Scheduler_commands.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\nif(!User::isAdmin()){\n die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Not authorized\u0027]));\n}\n\n$rows = Scheduler_commands::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\nApply the same pattern to `Emails_messages/list.json.php` and `Email_to_user/list.json.php`.",
"id": "GHSA-j724-5c6c-68g5",
"modified": "2026-03-27T21:38:00Z",
"published": "2026-03-26T18:06:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33761"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings"
}
GHSA-J73W-MHFQ-5M8P
Vulnerability from github – Published: 2025-01-24 18:31 – Updated: 2026-04-01 18:33Missing Authorization vulnerability in Foliovision FV Thoughtful Comments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FV Thoughtful Comments: from n/a through 0.3.5.
{
"affected": [],
"aliases": [
"CVE-2025-24613"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-24T18:15:37Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Foliovision FV Thoughtful Comments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FV Thoughtful Comments: from n/a through 0.3.5.",
"id": "GHSA-j73w-mhfq-5m8p",
"modified": "2026-04-01T18:33:24Z",
"published": "2025-01-24T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24613"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/thoughtful-comments/vulnerability/wordpress-fv-thoughtful-comments-plugin-0-3-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J76C-Q2WF-W8XX
Vulnerability from github – Published: 2025-12-18 09:30 – Updated: 2026-01-20 15:32Missing Authorization vulnerability in bPlugins Parallax Section block parallax-section allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Parallax Section block: from n/a through <= 1.0.9.
{
"affected": [],
"aliases": [
"CVE-2025-60079"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T08:16:08Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in bPlugins Parallax Section block parallax-section allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Parallax Section block: from n/a through \u003c= 1.0.9.",
"id": "GHSA-j76c-q2wf-w8xx",
"modified": "2026-01-20T15:32:28Z",
"published": "2025-12-18T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60079"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/parallax-section/vulnerability/wordpress-parallax-section-block-plugin-1-0-9-broken-authentication-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/parallax-section/vulnerability/wordpress-parallax-section-block-plugin-1-0-9-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J77W-W4MP-8H58
Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in Dynamic.ooo Dynamic Visibility for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dynamic Visibility for Elementor: from n/a through 5.0.5.
{
"affected": [],
"aliases": [
"CVE-2023-35046"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T15:15:15Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Dynamic.ooo Dynamic Visibility for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dynamic Visibility for Elementor: from n/a through 5.0.5.",
"id": "GHSA-j77w-w4mp-8h58",
"modified": "2026-04-28T21:35:23Z",
"published": "2024-12-13T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35046"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/dynamic-visibility-for-elementor/vulnerability/wordpress-dynamic-visibility-for-elementor-plugin-5-0-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J7C9-9CR2-9PQ2
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.
{
"affected": [],
"aliases": [
"CVE-2026-6883"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:25Z",
"severity": "LOW"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.",
"id": "GHSA-j7c9-9cr2-9pq2",
"modified": "2026-05-14T06:31:34Z",
"published": "2026-05-14T06:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6883"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596350"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J7CF-X368-V6H6
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-25 00:31Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.0.
{
"affected": [],
"aliases": [
"CVE-2026-25404"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T09:16:22Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through \u003c= 2.4.0.",
"id": "GHSA-j7cf-x368-v6h6",
"modified": "2026-02-25T00:31:21Z",
"published": "2026-02-19T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25404"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-4-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.