Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14566 vulnerabilities reference this CWE, most recent first.

CVE-2026-53633 (GCVE-0-2026-53633)

Vulnerability from cvelistv5 – Published: 2026-07-14 19:35 – Updated: 2026-07-16 03:55
VLAI
Title
Vitest: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
Summary
Vitest is a testing framework powered by Vite. From 3.0.0 until 3.2.5, 4.1.8, and 5.0.0-beta.4, Vitest Browser Mode exposed a cdp() API that forwarded raw Chrome DevTools Protocol methods without being gated by allowWrite or allowExec, allowing a remote client with exposed browser API metadata to use CDP Page.setDownloadBehavior and Runtime.evaluate to overwrite vite.config.ts and execute attacker-controlled Node.js code. This issue is fixed in versions 3.2.5, 4.1.8, and 5.0.0-beta.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-749 - Exposed Dangerous Method or Function
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
vitest-dev vitest Affected: >= 3.0.0, < 3.2.5
Affected: >= 4.0.0, < 4.1.8
Affected: >= 5.0.0-beta.0, < 5.0.0-beta.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53633",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-16T03:55:25.715Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vitest",
          "vendor": "vitest-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.2.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-beta.0, \u003c 5.0.0-beta.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vitest is a testing framework powered by Vite. From 3.0.0 until 3.2.5, 4.1.8, and 5.0.0-beta.4, Vitest Browser Mode exposed a cdp() API that forwarded raw Chrome DevTools Protocol methods without being gated by allowWrite or allowExec, allowing a remote client with exposed browser API metadata to use CDP Page.setDownloadBehavior and Runtime.evaluate to overwrite vite.config.ts and execute attacker-controlled Node.js code. This issue is fixed in versions 3.2.5, 4.1.8, and 5.0.0-beta."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749: Exposed Dangerous Method or Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T19:35:42.739Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-g8mr-85jm-7xhm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-g8mr-85jm-7xhm"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/pull/10444",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/pull/10444"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/pull/10450",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/pull/10450"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/pull/10456",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/pull/10456"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/commit/385a1aefd4c2bfa5e7d58bf7c6834c929969f2c7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/commit/385a1aefd4c2bfa5e7d58bf7c6834c929969f2c7"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/commit/63e3b2eee4d58da56786a6333f517b9b492528c7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/commit/63e3b2eee4d58da56786a6333f517b9b492528c7"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/commit/e4067b3b150005fd42cf75f994300119245806b9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/commit/e4067b3b150005fd42cf75f994300119245806b9"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/releases/tag/v3.2.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/releases/tag/v3.2.5"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/releases/tag/v4.1.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/releases/tag/v4.1.8"
        },
        {
          "name": "https://github.com/vitest-dev/vitest/releases/tag/v5.0.0-beta.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitest-dev/vitest/releases/tag/v5.0.0-beta.4"
        }
      ],
      "source": {
        "advisory": "GHSA-g8mr-85jm-7xhm",
        "discovery": "UNKNOWN"
      },
      "title": "Vitest: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-53633",
    "datePublished": "2026-07-14T19:35:42.739Z",
    "dateReserved": "2026-06-09T20:16:59.647Z",
    "dateUpdated": "2026-07-16T03:55:25.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53514 (GCVE-0-2026-53514)

Vulnerability from cvelistv5 – Published: 2026-07-15 17:30 – Updated: 2026-07-15 17:30
VLAI
Title
Better Auth: Unauthorized invitation acceptance via unverified email match in organization plugin
Summary
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options.
CWE
  • CWE-287 - Improper Authentication
  • CWE-345 - Insufficient Verification of Data Authenticity
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
better-auth better-auth Affected: < 1.6.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "better-auth",
          "vendor": "better-auth",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin\u0027s acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T17:30:46.069Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-fmh4-wcc4-5jm3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-fmh4-wcc4-5jm3"
        },
        {
          "name": "https://github.com/better-auth/better-auth/pull/9577",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/better-auth/better-auth/pull/9577"
        },
        {
          "name": "https://github.com/better-auth/better-auth/commit/23094a628f007f801be6d26e5b15dc5fc6fc4eb8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/better-auth/better-auth/commit/23094a628f007f801be6d26e5b15dc5fc6fc4eb8"
        },
        {
          "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
        }
      ],
      "source": {
        "advisory": "GHSA-fmh4-wcc4-5jm3",
        "discovery": "UNKNOWN"
      },
      "title": "Better Auth: Unauthorized invitation acceptance via unverified email match in organization plugin"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-53514",
    "datePublished": "2026-07-15T17:30:46.069Z",
    "dateReserved": "2026-06-09T17:30:33.456Z",
    "dateUpdated": "2026-07-15T17:30:46.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53447 (GCVE-0-2026-53447)

Vulnerability from cvelistv5 – Published: 2026-07-15 21:12 – Updated: 2026-07-15 21:12
VLAI
Title
Wekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) any private board by ID
Summary
Wekan is open source kanban built with Meteor. Prior to 9.35, the Wekan cloneBoard Meteor method in models/import.js uses caller-supplied sourceBoardId to build a board export through models/exporter.js without invoking canExport() or checking source-board membership. Any authenticated user who knows a private board ID can clone the board into their own account and read its cards, comments, attachments, member information, and activities. This issue is fixed in version 9.35.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
wekan wekan Affected: < 9.35
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "wekan",
          "vendor": "wekan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.35"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wekan is open source kanban built with Meteor. Prior to 9.35, the Wekan cloneBoard Meteor method in models/import.js uses caller-supplied sourceBoardId to build a board export through models/exporter.js without invoking canExport() or checking source-board membership. Any authenticated user who knows a private board ID can clone the board into their own account and read its cards, comments, attachments, member information, and activities. This issue is fixed in version 9.35."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T21:12:59.647Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wekan/wekan/security/advisories/GHSA-qfqv-42qw-vvwh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wekan/wekan/security/advisories/GHSA-qfqv-42qw-vvwh"
        },
        {
          "name": "https://github.com/wekan/wekan/commit/357de728c03113b787065bac2c5832ad77f1a117",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/commit/357de728c03113b787065bac2c5832ad77f1a117"
        },
        {
          "name": "https://github.com/wekan/wekan/releases/tag/v9.35",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/releases/tag/v9.35"
        }
      ],
      "source": {
        "advisory": "GHSA-qfqv-42qw-vvwh",
        "discovery": "UNKNOWN"
      },
      "title": "Wekan: `cloneBoard` Meteor method has no authorization check \u2014 any user can clone (read) any private board by ID"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-53447",
    "datePublished": "2026-07-15T21:12:59.647Z",
    "dateReserved": "2026-06-09T16:31:21.494Z",
    "dateUpdated": "2026-07-15T21:12:59.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53445 (GCVE-0-2026-53445)

Vulnerability from cvelistv5 – Published: 2026-07-15 21:11 – Updated: 2026-07-15 21:11
VLAI
Title
Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards
Summary
Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any authenticated user can copy a private board they are not a member of, including its cards, checklists, custom fields, labels, and rules, while the REST POST /api/boards/:boardId/copy path correctly checks board admin access. This issue is fixed in version 9.32.
CWE
Assigner
Impacted products
Vendor Product Version
wekan wekan Affected: < 9.32
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "wekan",
          "vendor": "wekan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.32"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any authenticated user can copy a private board they are not a member of, including its cards, checklists, custom fields, labels, and rules, while the REST POST /api/boards/:boardId/copy path correctly checks board admin access. This issue is fixed in version 9.32."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T21:11:04.683Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wekan/wekan/security/advisories/GHSA-7w2h-g83c-jqrp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wekan/wekan/security/advisories/GHSA-7w2h-g83c-jqrp"
        },
        {
          "name": "https://github.com/wekan/wekan/commit/8940a103970c5da3f02b3615eef09fabfff421e3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/commit/8940a103970c5da3f02b3615eef09fabfff421e3"
        },
        {
          "name": "https://github.com/wekan/wekan/releases/tag/v9.32",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/releases/tag/v9.32"
        }
      ],
      "source": {
        "advisory": "GHSA-7w2h-g83c-jqrp",
        "discovery": "UNKNOWN"
      },
      "title": "Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-53445",
    "datePublished": "2026-07-15T21:11:04.683Z",
    "dateReserved": "2026-06-09T16:31:21.494Z",
    "dateUpdated": "2026-07-15T21:11:04.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53444 (GCVE-0-2026-53444)

Vulnerability from cvelistv5 – Published: 2026-07-15 21:11 – Updated: 2026-07-15 21:11
VLAI
Title
Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin
Summary
Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally callable without the admin authorization checks used by their non-OIDC counterparts. Authenticated users can call setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin to create or modify organizations and teams, and groupRoutineOnLogin can grant global admin privileges when PROPAGATE_OIDC_DATA is enabled. This issue is fixed in version 9.32.
CWE
  • CWE-269 - Improper Privilege Management
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
wekan wekan Affected: < 9.32
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "wekan",
          "vendor": "wekan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.32"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally callable without the admin authorization checks used by their non-OIDC counterparts. Authenticated users can call setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin to create or modify organizations and teams, and groupRoutineOnLogin can grant global admin privileges when PROPAGATE_OIDC_DATA is enabled. This issue is fixed in version 9.32."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T21:11:38.711Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wekan/wekan/security/advisories/GHSA-cv95-8h7c-2ffq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wekan/wekan/security/advisories/GHSA-cv95-8h7c-2ffq"
        },
        {
          "name": "https://github.com/wekan/wekan/commit/305864f0c77456ad0f2c1e616266c8a06749c951",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/commit/305864f0c77456ad0f2c1e616266c8a06749c951"
        },
        {
          "name": "https://github.com/wekan/wekan/releases/tag/v9.32",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/releases/tag/v9.32"
        }
      ],
      "source": {
        "advisory": "GHSA-cv95-8h7c-2ffq",
        "discovery": "UNKNOWN"
      },
      "title": "Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-53444",
    "datePublished": "2026-07-15T21:11:38.711Z",
    "dateReserved": "2026-06-09T16:31:21.493Z",
    "dateUpdated": "2026-07-15T21:11:38.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-52892 (GCVE-0-2026-52892)

Vulnerability from cvelistv5 – Published: 2026-07-15 21:08 – Updated: 2026-07-15 21:08
VLAI
Title
Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalation via read-level authz on write ops)
Summary
Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess for mutating custom-field routes. A read-only board member can call POST, PUT, and DELETE handlers for /api/boards/:boardId/custom-fields and custom-field dropdown items to create, update, or delete board custom fields. This issue is fixed in version 9.32.
CWE
Assigner
Impacted products
Vendor Product Version
wekan wekan Affected: < 9.32
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "wekan",
          "vendor": "wekan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.32"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess for mutating custom-field routes. A read-only board member can call POST, PUT, and DELETE handlers for /api/boards/:boardId/custom-fields and custom-field dropdown items to create, update, or delete board custom fields. This issue is fixed in version 9.32."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T21:08:42.926Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wekan/wekan/security/advisories/GHSA-6733-4wgq-8xvr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wekan/wekan/security/advisories/GHSA-6733-4wgq-8xvr"
        },
        {
          "name": "https://github.com/wekan/wekan/commit/70db04a93fedabe40331f21f86e6bdc91625914e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/commit/70db04a93fedabe40331f21f86e6bdc91625914e"
        },
        {
          "name": "https://github.com/wekan/wekan/releases/tag/v9.32",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/releases/tag/v9.32"
        }
      ],
      "source": {
        "advisory": "GHSA-6733-4wgq-8xvr",
        "discovery": "UNKNOWN"
      },
      "title": "Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalation via read-level authz on write ops)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-52892",
    "datePublished": "2026-07-15T21:08:42.926Z",
    "dateReserved": "2026-06-08T21:44:27.365Z",
    "dateUpdated": "2026-07-15T21:08:42.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-52870 (GCVE-0-2026-52870)

Vulnerability from cvelistv5 – Published: 2026-07-15 20:07 – Updated: 2026-07-15 20:07
VLAI
Title
MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks
Summary
The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). From 1.23.0 until 1.27.2, default handlers installed by server.experimental.enable_tasks() for tasks/list, tasks/get, tasks/result, and tasks/cancel operate only on task identifiers without recording the session that created each task, allowing any connected client to enumerate, read results from, consume messages for, or cancel other clients' tasks. This issue is fixed in version 1.27.2.
CWE
Assigner
Impacted products
Vendor Product Version
modelcontextprotocol python-sdk Affected: >= 1.23.0, < 1.27.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "python-sdk",
          "vendor": "modelcontextprotocol",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.23.0, \u003c 1.27.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). From 1.23.0 until 1.27.2, default handlers installed by server.experimental.enable_tasks() for tasks/list, tasks/get, tasks/result, and tasks/cancel operate only on task identifiers without recording the session that created each task, allowing any connected client to enumerate, read results from, consume messages for, or cancel other clients\u0027 tasks. This issue is fixed in version 1.27.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T20:07:53.500Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-hvrp-rf83-w775",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-hvrp-rf83-w775"
        },
        {
          "name": "https://github.com/modelcontextprotocol/python-sdk/pull/2720",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/modelcontextprotocol/python-sdk/pull/2720"
        },
        {
          "name": "https://github.com/modelcontextprotocol/python-sdk/commit/62137874ff26dd74d2fea80ff528a7fd9ca7a5e7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/modelcontextprotocol/python-sdk/commit/62137874ff26dd74d2fea80ff528a7fd9ca7a5e7"
        },
        {
          "name": "https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.27.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.27.2"
        }
      ],
      "source": {
        "advisory": "GHSA-hvrp-rf83-w775",
        "discovery": "UNKNOWN"
      },
      "title": "MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients\u0027 tasks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-52870",
    "datePublished": "2026-07-15T20:07:53.500Z",
    "dateReserved": "2026-06-08T21:44:27.364Z",
    "dateUpdated": "2026-07-15T20:07:53.500Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-52866 (GCVE-0-2026-52866)

Vulnerability from cvelistv5 – Published: 2026-06-18 23:45 – Updated: 2026-06-22 14:52
VLAI
Title
Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT Missing Authorization
Summary
An attacker within BLE communication range can monopolize the device's only available BLE connection slot, preventing legitimate users or applications from establishing a connection.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Rishitha Pucchakayala and Centre for Development of Advanced Computing (Hyderabad) reported these vulnerabilities to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-52866",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T14:51:51.052831Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T14:52:06.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Blood Glucose Monitoring System (Model No. APG-01 BT)",
          "vendor": "Apollo Pharmacy",
          "versions": [
            {
              "status": "affected",
              "version": "0x0110_v1.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rishitha Pucchakayala and Centre for Development of Advanced Computing (Hyderabad) reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An attacker within BLE communication range can monopolize the device\u0027s \nonly available BLE connection slot, preventing legitimate users or \napplications from establishing a connection."
            }
          ],
          "value": "An attacker within BLE communication range can monopolize the device\u0027s \nonly available BLE connection slot, preventing legitimate users or \napplications from establishing a connection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T23:45:34.263Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.apollopharmacy.in/contact-us"
        },
        {
          "url": "https://www.cisa.gov/news-events/news/understanding-bluetooth-technology"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-169-01"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-169-01.json"
        }
      ],
      "source": {
        "advisory": "ICSMA-26-169-01",
        "discovery": "EXTERNAL"
      },
      "title": "Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT Missing Authorization",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApollo Pharmacy did not respond to CISA\u0027s requests to coordinate. \nUsers are encouraged to reach out to Apollo Pharmacy directly for more \ninformation:\u003cbr\u003e\u003ca href=\"https://www.apollopharmacy.in/contact-us\"\u003ehttps://www.apollopharmacy.in/contact-us\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eCISA recommends users follow the \nguidance in the Understanding Bluetooth Technology blog:\u0026nbsp;\u003cbr\u003e\u003ca href=\"https://www.cisa.gov/news-events/news/understanding-bluetooth-technology\"\u003ehttps://www.cisa.gov/news-events/news/understanding-bluetooth-technology\u003c/a\u003e\u003c/p\u003e"
            }
          ],
          "value": "Apollo Pharmacy did not respond to CISA\u0027s requests to coordinate. \nUsers are encouraged to reach out to Apollo Pharmacy directly for more \ninformation:\n https://www.apollopharmacy.in/contact-us \n\n\n\n\n\nCISA recommends users follow the \nguidance in the Understanding Bluetooth Technology blog:\u00a0\n https://www.cisa.gov/news-events/news/understanding-bluetooth-technology"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-52866",
    "datePublished": "2026-06-18T23:45:34.263Z",
    "dateReserved": "2026-06-10T21:21:12.261Z",
    "dateUpdated": "2026-06-22T14:52:06.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-52839 (GCVE-0-2026-52839)

Vulnerability from cvelistv5 – Published: 2026-07-14 15:21 – Updated: 2026-07-15 14:51
VLAI
Title
Easy!Appointments appointments/store and appointments/update allow cross-provider appointment injection — Authorization Bypass
Summary
Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 correctly filter provider-scoped appointments in the `appointments/search` response, proving that provider isolation is an intended security boundary. However, the direct mutation endpoints `appointments/store` and `appointments/update` only check generic appointment privileges and never verify that the submitted `id_users_provider` belongs to the current session. A normal authenticated provider can inject new appointments into another provider's schedule via `store`, or reassign existing appointments into a foreign provider's calendar via `update`. The `store` path contains an additional write-before-crash bug: the unauthorized row is committed to the database before the controller crashes on a type error, so the attacker receives an error response while the foreign appointment is already persisted. Version 1.6.0 patches the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-862 - Missing Authorization
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-52839",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T14:48:44.724792Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T14:51:02.293Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-w8xc-8g92-v77h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "easyappointments",
          "vendor": "alextselegidis",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 correctly filter provider-scoped appointments in the `appointments/search` response, proving that provider isolation is an intended security boundary. However, the direct mutation endpoints `appointments/store` and `appointments/update` only check generic appointment privileges and never verify that the submitted `id_users_provider` belongs to the current session. A normal authenticated provider can inject new appointments into another provider\u0027s schedule via `store`, or reassign existing appointments into a foreign provider\u0027s calendar via `update`. The `store` path contains an additional write-before-crash bug: the unauthorized row is committed to the database before the controller crashes on a type error, so the attacker receives an error response while the foreign appointment is already persisted. Version 1.6.0 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T15:21:23.199Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-w8xc-8g92-v77h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-w8xc-8g92-v77h"
        },
        {
          "name": "https://github.com/alextselegidis/easyappointments/commit/4abb10545d83ac1a57d03f6502376ee67696ea7c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/alextselegidis/easyappointments/commit/4abb10545d83ac1a57d03f6502376ee67696ea7c"
        }
      ],
      "source": {
        "advisory": "GHSA-w8xc-8g92-v77h",
        "discovery": "UNKNOWN"
      },
      "title": "Easy!Appointments appointments/store and appointments/update allow cross-provider appointment injection \u2014 Authorization Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-52839",
    "datePublished": "2026-07-14T15:21:23.199Z",
    "dateReserved": "2026-06-08T18:41:27.724Z",
    "dateUpdated": "2026-07-15T14:51:02.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-52812 (GCVE-0-2026-52812)

Vulnerability from cvelistv5 – Published: 2026-06-24 20:32 – Updated: 2026-06-25 23:03
VLAI
Title
Gogs: LFS dedupe path leaks private repo content across tenants
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
gogs gogs Affected: < 0.14.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-52812",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T23:03:11.981996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T23:03:37.203Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/gogs/gogs/security/advisories/GHSA-6p9m-q3jp-47h4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gogs",
          "vendor": "gogs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (\u003cLFS-root\u003e/\u003coid[0]\u003e/\u003coid[1]\u003e/\u003coid\u003e) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T20:32:51.608Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gogs/gogs/security/advisories/GHSA-6p9m-q3jp-47h4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gogs/gogs/security/advisories/GHSA-6p9m-q3jp-47h4"
        },
        {
          "name": "https://github.com/gogs/gogs/pull/8333",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/pull/8333"
        },
        {
          "name": "https://github.com/gogs/gogs/commit/f35a767af74e05342bafc6fdda02c791816426f8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/commit/f35a767af74e05342bafc6fdda02c791816426f8"
        },
        {
          "name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
        }
      ],
      "source": {
        "advisory": "GHSA-6p9m-q3jp-47h4",
        "discovery": "UNKNOWN"
      },
      "title": "Gogs: LFS dedupe path leaks private repo content across tenants"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-52812",
    "datePublished": "2026-06-24T20:32:51.608Z",
    "dateReserved": "2026-06-08T18:11:06.660Z",
    "dateUpdated": "2026-06-25T23:03:37.203Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.