CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5510 vulnerabilities reference this CWE, most recent first.
CVE-2026-44380 (GCVE-0-2026-44380)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:51 – Updated: 2026-05-14 19:52- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T16:05:19.358078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:16.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:51:30.955Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc"
}
],
"source": {
"advisory": "GHSA-3939-4g6m-m3hc",
"discovery": "UNKNOWN"
},
"title": "MISP: Improper access control in auth key reset allows privilege escalation to site administrator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44380",
"datePublished": "2026-05-13T20:51:30.955Z",
"dateReserved": "2026-05-05T20:15:20.632Z",
"dateUpdated": "2026-05-14T19:52:16.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44374 (GCVE-0-2026-44374)
Vulnerability from cvelistv5 – Published: 2026-05-14 14:30 – Updated: 2026-05-14 19:51- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/backstage/backstage/security/a… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| @backstage | plugin-catalog-backend-module-unprocessed |
Affected:
< 0.6.11
|
|
| @backstage | plugin-catalog-unprocessed-entities |
Affected:
< 0.2.30
|
|
| @backstage | plugin-catalog-unprocessed-entities-common |
Affected:
< 0.0.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T16:02:43.037594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:51:53.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "plugin-catalog-backend-module-unprocessed",
"vendor": "@backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.11"
}
]
},
{
"product": "plugin-catalog-unprocessed-entities",
"vendor": "@backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.2.30"
}
]
},
{
"product": "plugin-catalog-unprocessed-entities-common",
"vendor": "@backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T14:30:04.945Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg"
}
],
"source": {
"advisory": "GHSA-p7g9-rp3g-mgfg",
"discovery": "UNKNOWN"
},
"title": "Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44374",
"datePublished": "2026-05-14T14:30:04.945Z",
"dateReserved": "2026-05-05T20:15:20.631Z",
"dateUpdated": "2026-05-14T19:51:53.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44330 (GCVE-0-2026-44330)
Vulnerability from cvelistv5 – Published: 2026-05-27 15:36 – Updated: 2026-05-27 18:47- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/free5gc/free5gc/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44330",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T18:47:29.139152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T18:47:32.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-rwww-x45w-p52w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "free5gc",
"vendor": "free5gc",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:36:40.809Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-rwww-x45w-p52w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-rwww-x45w-p52w"
}
],
"source": {
"advisory": "GHSA-rwww-x45w-p52w",
"discovery": "UNKNOWN"
},
"title": "free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44330",
"datePublished": "2026-05-27T15:36:40.809Z",
"dateReserved": "2026-05-05T19:00:06.023Z",
"dateUpdated": "2026-05-27T18:47:32.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44314 (GCVE-0-2026-44314)
Vulnerability from cvelistv5 – Published: 2026-05-26 16:02 – Updated: 2026-05-26 17:36- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/traccar/traccar/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44314",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T17:35:49.161502Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:36:58.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/traccar/traccar/security/advisories/GHSA-33v4-5x2g-7mjm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traccar",
"vendor": "traccar",
"versions": [
{
"status": "affected",
"version": "\u003c 6.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device\u2019s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:02:15.561Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traccar/traccar/security/advisories/GHSA-33v4-5x2g-7mjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traccar/traccar/security/advisories/GHSA-33v4-5x2g-7mjm"
}
],
"source": {
"advisory": "GHSA-33v4-5x2g-7mjm",
"discovery": "UNKNOWN"
},
"title": "Traccar: Missing edit authorization on device image upload allows read-only users to write files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44314",
"datePublished": "2026-05-26T16:02:15.561Z",
"dateReserved": "2026-05-05T19:00:06.022Z",
"dateUpdated": "2026-05-26T17:36:58.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44283 (GCVE-0-2026-44283)
Vulnerability from cvelistv5 – Published: 2026-05-14 17:01 – Updated: 2026-05-16 00:40- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/etcd-io/etcd/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44283",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T00:40:39.014184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T00:40:51.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "etcd",
"vendor": "etcd-io",
"versions": [
{
"status": "affected",
"version": "\u003c 3.4.44"
},
{
"status": "affected",
"version": "\u003e= 3.5.0, \u003c= 3.5.29"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c= 3.6.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T17:01:33.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5"
}
],
"source": {
"advisory": "GHSA-x35m-3gp4-4fh5",
"discovery": "UNKNOWN"
},
"title": "etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44283",
"datePublished": "2026-05-14T17:01:33.598Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-16T00:40:51.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44260 (GCVE-0-2026-44260)
Vulnerability from cvelistv5 – Published: 2026-05-12 21:09 – Updated: 2026-05-13 15:37- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/efwGrp/efw4.X/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44260",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:03:54.867112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:37:13.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/efwGrp/efw4.X/security/advisories/GHSA-5454-qhrf-vcvh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "efw4.X",
"vendor": "efwGrp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.08.010"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the \u003cefw:elFinder\u003e JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:09:34.549Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/efwGrp/efw4.X/security/advisories/GHSA-5454-qhrf-vcvh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/efwGrp/efw4.X/security/advisories/GHSA-5454-qhrf-vcvh"
}
],
"source": {
"advisory": "GHSA-5454-qhrf-vcvh",
"discovery": "UNKNOWN"
},
"title": "efw4.X: readonly Flag Not Enforced Server-Side"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44260",
"datePublished": "2026-05-12T21:09:34.549Z",
"dateReserved": "2026-05-05T16:33:55.844Z",
"dateUpdated": "2026-05-13T15:37:13.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44221 (GCVE-0-2026-44221)
Vulnerability from cvelistv5 – Published: 2026-05-12 19:53 – Updated: 2026-05-13 14:48- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/ArcadeData/arcadedb/security/a… | x_refsource_CONFIRM |
| https://github.com/ArcadeData/arcadedb/commit/041… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| ArcadeData | arcadedb |
Affected:
< 2.6.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:48:34.987565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:48:45.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "arcadedb",
"vendor": "ArcadeData",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {\"command\":\"create database X\"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal. This vulnerability is fixed in 2.6.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:53:39.307Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77"
},
{
"name": "https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8"
}
],
"source": {
"advisory": "GHSA-fxc7-fm93-6q77",
"discovery": "UNKNOWN"
},
"title": "ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44221",
"datePublished": "2026-05-12T19:53:39.307Z",
"dateReserved": "2026-05-05T15:42:40.518Z",
"dateUpdated": "2026-05-13T14:48:45.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44173 (GCVE-0-2026-44173)
Vulnerability from cvelistv5 – Published: 2026-06-12 17:34 – Updated: 2026-07-15 00:54| URL | Tags |
|---|---|
| https://github.com/MariaDB/server/security/adviso… | x_refsource_CONFIRM |
| https://jira.mariadb.org/browse/MDEV-39493 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-44173 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2488460 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:33093 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33412 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33464 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33482 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33481 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25145 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25143 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| MariaDB | server |
Affected:
>= 10.6.1, < 10.6.26
Affected: >= 10.11.1, < 10.11.17 Affected: >= 11.4.1, < 11.4.11 Affected: >= 11.8.1, < 11.8.7 Affected: >= 12.3.1, < 12.3.2 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
Unaffected:
3:10.11.18-1.el10_2 , < *
(rpm)
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
Unaffected:
3:11.8.8-1.el10_2 , < *
(rpm)
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected:
8100020260616102001.489197e6 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
Unaffected:
9080020260612104015.rhel9 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
Unaffected:
9080020260612103452.rhel9 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Hardened Images |
Unaffected:
11.8.8-1.hum1 , < *
(rpm)
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Hardened Images |
Unaffected:
10.11.18-1.hum1 , < *
(rpm)
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T18:03:24.496133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T18:03:34.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"packageName": "mariadb10.11",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "3:10.11.18-1.el10_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"packageName": "mariadb11.8",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "3:11.8.8-1.el10_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "mariadb:10.11",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8100020260616102001.489197e6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "mariadb:11.8",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "9080020260612104015.rhel9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "mariadb:10.11",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "9080020260612103452.rhel9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"packageName": "mariadb11-8-main",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "11.8.8-1.hum1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"packageName": "mariadb10-11-main",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "10.11.18-1.hum1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "mariadb",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "mariadb",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-12T17:34:30.301Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in MariaDB server. This vulnerability allows a low-privileged authenticated user to bypass a security control that normally restricts file operations. Specifically, the system failed to verify the necessary \u0027FILE\u0027 privilege when certain \u0027SELECT\u0027 statements, which write data to files, were executed with subqueries in their \u0027FROM\u0027 clause. This could enable an attacker to write unauthorized files to the server\u0027s file system, potentially leading to the disclosure of sensitive information or a denial of service by corrupting or filling disk space."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T00:54:42.791Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-44173"
},
{
"name": "RHBZ#2488460",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488460"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44173.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33093"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33412"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33464"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33482"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33481"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25145"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25143"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:33093: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:33412: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:33464: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33482: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:33481: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25145: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:25143: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T18:01:36.157Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-12T17:34:30.301Z",
"value": "Made public."
}
],
"title": "mariadb: MariaDB: Privilege bypass allows unauthorized file write via subqueries",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "server",
"vendor": "MariaDB",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.6.1, \u003c 10.6.26"
},
{
"status": "affected",
"version": "\u003e= 10.11.1, \u003c 10.11.17"
},
{
"status": "affected",
"version": "\u003e= 11.4.1, \u003c 11.4.11"
},
{
"status": "affected",
"version": "\u003e= 11.8.1, \u003c 11.8.7"
},
{
"status": "affected",
"version": "\u003e= 12.3.1, \u003c 12.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:34:30.301Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc"
},
{
"name": "https://jira.mariadb.org/browse/MDEV-39493",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mariadb.org/browse/MDEV-39493"
}
],
"source": {
"advisory": "GHSA-667j-m53j-wpmc",
"discovery": "UNKNOWN"
},
"title": "MariaDB: FILE privilege was not checked for subqueries in the FROM clause"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44173",
"datePublished": "2026-06-12T17:34:30.301Z",
"dateReserved": "2026-05-05T14:39:34.923Z",
"dateUpdated": "2026-07-15T00:54:42.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44169 (GCVE-0-2026-44169)
Vulnerability from cvelistv5 – Published: 2026-06-12 17:31 – Updated: 2026-06-13 03:24- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/MariaDB/server/security/adviso… | x_refsource_CONFIRM |
| https://jira.mariadb.org/browse/MDEV-39288 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44169",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T03:24:33.051833Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T03:24:46.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "server",
"vendor": "MariaDB",
"versions": [
{
"status": "affected",
"version": "\u003e= 11.4.1, \u003c 11.4.11"
},
{
"status": "affected",
"version": "\u003e= 11.8.1, \u003c 11.8.7"
},
{
"status": "affected",
"version": "\u003e= 12.3.1, \u003c 12.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:31:53.344Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MariaDB/server/security/advisories/GHSA-22xq-vq3f-87x2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MariaDB/server/security/advisories/GHSA-22xq-vq3f-87x2"
},
{
"name": "https://jira.mariadb.org/browse/MDEV-39288",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mariadb.org/browse/MDEV-39288"
}
],
"source": {
"advisory": "GHSA-22xq-vq3f-87x2",
"discovery": "UNKNOWN"
},
"title": "MariaDB: Authorization bypass in role-based routine-level privilege check exposes stored routine definitions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44169",
"datePublished": "2026-06-12T17:31:53.344Z",
"dateReserved": "2026-05-05T14:39:34.923Z",
"dateUpdated": "2026-06-13T03:24:46.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44110 (GCVE-0-2026-44110)
Vulnerability from cvelistv5 – Published: 2026-05-06 19:49 – Updated: 2026-05-07 13:58 X_Open Source- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | vendor-advisory |
| https://github.com/openclaw/openclaw/commit/f8705… | patch |
| https://github.com/openclaw/openclaw/commit/2bfd8… | patch |
| https://www.vulncheck.com/advisories/openclaw-aut… | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T13:58:00.390073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:58:12.038Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.4.15",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2026.4.15",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.4.15",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nathan (@nexrin)"
},
{
"lang": "en",
"type": "finder",
"value": "KeenSecurityLab"
},
{
"lang": "en",
"type": "finder",
"value": "qclawer"
}
],
"datePublic": "2026-04-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T19:49:28.347Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-2gvc-4f3c-2855)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2gvc-4f3c-2855"
},
{
"name": "Patch Commit (1)",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/f8705f512b09043df02b5da372c33374734bd921"
},
{
"name": "Patch Commit (2)",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/2bfd808a83116bd888e3e2633a61473fa2ed81b6"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.4.15 - Authorization Bypass in Matrix Room Control Commands via DM Pairing Store",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-matrix-room-control-commands-via-dm-pairing-store"
}
],
"tags": [
"x_open-source"
],
"title": "OpenClaw \u003c 2026.4.15 - Authorization Bypass in Matrix Room Control Commands via DM Pairing Store",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-44110",
"datePublished": "2026-05-06T19:49:28.347Z",
"dateReserved": "2026-05-05T11:30:46.259Z",
"dateUpdated": "2026-05-07T13:58:12.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.