CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-X7FQ-6476-543V
Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-02-10 00:00Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
{
"affected": [],
"aliases": [
"CVE-2022-24307"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-03T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)",
"id": "GHSA-x7fq-6476-543v",
"modified": "2022-02-10T00:00:52Z",
"published": "2022-02-10T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24307"
},
{
"type": "WEB",
"url": "https://github.com/mastodon/mastodon/releases/tag/v3.3.2"
},
{
"type": "WEB",
"url": "https://github.com/mastodon/mastodon/releases/tag/v3.4.6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X7M9-MV49-FV73
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:38An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "vaultwarden"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.32.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-55225"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-09T23:13:58Z",
"nvd_published_at": "2025-01-09T21:15:29Z",
"severity": "HIGH"
},
"details": "An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.",
"id": "GHSA-x7m9-mv49-fv73",
"modified": "2025-01-10T18:38:01Z",
"published": "2025-01-09T21:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55225"
},
{
"type": "WEB",
"url": "https://github.com/dani-garcia/vaultwarden/commit/20d9e885bfcd7df7828d92c6e59ed5fe7b40a879"
},
{
"type": "WEB",
"url": "https://github.com/dani-garcia/vaultwarden/commit/37c14c3c69b244ec50f5c62b4c9260171607c1d8"
},
{
"type": "PACKAGE",
"url": "https://github.com/dani-garcia/vaultwarden"
},
{
"type": "WEB",
"url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.4"
},
{
"type": "WEB",
"url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5"
},
{
"type": "WEB",
"url": "https://insinuator.net/2024/11/vulnerability-disclosure-authentication-bypass-in-vaultwarden-versions-1-32-5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Vaultwarden vulnerable to user impersonation"
}
GHSA-X7P9-QFHH-R6X9
Vulnerability from github – Published: 2023-05-23 03:30 – Updated: 2024-04-04 04:17Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product's communication data and conduct an arbitrary operation under certain conditions.
{
"affected": [],
"aliases": [
"CVE-2023-25946"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-23T02:15:09Z",
"severity": "HIGH"
},
"details": "Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product\u0027s communication data and conduct an arbitrary operation under certain conditions.",
"id": "GHSA-x7p9-qfhh-r6x9",
"modified": "2024-04-04T04:17:41Z",
"published": "2023-05-23T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25946"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN48687031"
},
{
"type": "WEB",
"url": "https://qrio.me/article/announce/2023/4140"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X7QH-XCF8-P6CQ
Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-06-28 00:30Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like "restore from snapshot" even if only allowed to do "delete snapshot".
{
"affected": [],
"aliases": [
"CVE-2026-41048"
],
"database_specific": {
"cwe_ids": [
"CWE-303",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T16:16:35Z",
"severity": "HIGH"
},
"details": "Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like \"restore from snapshot\" even if only allowed to do \"delete snapshot\".",
"id": "GHSA-x7qh-xcf8-p6cq",
"modified": "2026-06-28T00:30:56Z",
"published": "2026-06-22T18:34:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41048"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1262218"
},
{
"type": "WEB",
"url": "https://github.com/presire/qSnapper/releases/tag/v1.3.3"
},
{
"type": "WEB",
"url": "https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X7V8-7CPC-HV73
Vulnerability from github – Published: 2024-01-12 15:30 – Updated: 2024-01-12 15:30Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.
{
"affected": [],
"aliases": [
"CVE-2023-5356"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T14:15:48Z",
"severity": "CRITICAL"
},
"details": "Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.",
"id": "GHSA-x7v8-7cpc-hv73",
"modified": "2024-01-12T15:30:32Z",
"published": "2024-01-12T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5356"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2188868"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/427154"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7WF-F6C9-X89J
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to modify protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2025-24121"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:17Z",
"severity": "LOW"
},
"details": "A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to modify protected parts of the file system.",
"id": "GHSA-x7wf-f6c9-x89j",
"modified": "2025-11-03T21:32:24Z",
"published": "2025-01-28T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24121"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122069"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122070"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X83W-23JP-G6PW
Vulnerability from github – Published: 2026-05-07 00:08 – Updated: 2026-05-07 00:08Description
A flaw was identified in the OpenSearch Security plugin's document-level security (DLS) implementation. DLS restrictions were not correctly applied to search queries that use has_parent or has_child join relations. This could allow an authenticated user to access document contents that should have been restricted by DLS rules.
Impact
An authenticated user with access to an index containing parent/child join relations could bypass DLS restrictions on documents linked by those relations, potentially accessing restricted document contents. This only affects clusters that use both DLS and the join field type on the same index.
Patches
This issue is fixed in OpenSearch 2.19.4 and 3.2.0.
Workarounds
Avoid using the join field type on indices that are subject to DLS rules.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.19.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.opensearch.plugin:opensearch-security"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.19.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.opensearch.plugin:opensearch-security"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:08:34Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Description\n\nA flaw was identified in the OpenSearch Security plugin\u0027s document-level security (DLS) implementation. DLS restrictions were not correctly applied to search queries that use has_parent or has_child join relations. This could allow an authenticated user to access document contents that should have been restricted by DLS rules.\n\n### Impact\n\nAn authenticated user with access to an index containing parent/child join relations could bypass DLS restrictions on documents linked by those relations, potentially accessing restricted document contents. This only affects clusters that use both DLS and the `join` field type on the same index.\n\n### Patches\n\n This issue is fixed in OpenSearch `2.19.4` and `3.2.0`.\n\n### Workarounds\n\nAvoid using the `join` field type on indices that are subject to DLS rules.",
"id": "GHSA-x83w-23jp-g6pw",
"modified": "2026-05-07T00:08:34Z",
"published": "2026-05-07T00:08:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-x83w-23jp-g6pw"
},
{
"type": "PACKAGE",
"url": "https://github.com/opensearch-project/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation"
}
GHSA-X847-VXVJ-G6RJ
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-14 00:00An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.
{
"affected": [],
"aliases": [
"CVE-2022-1949"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "HIGH"
},
"details": "An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.",
"id": "GHSA-x847-vxvj-g6rj",
"modified": "2022-06-14T00:00:37Z",
"published": "2022-06-03T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1949"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2091781"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X84R-583W-G39W
Vulnerability from github – Published: 2022-05-24 22:33 – Updated: 2024-01-26 00:30Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the “Web Help Desk Getting Started Wizard”, especially the admin account creationpage, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback.
{
"affected": [],
"aliases": [
"CVE-2021-32076"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-26T15:15:00Z",
"severity": "MODERATE"
},
"details": "Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the \u201cWeb Help Desk Getting Started Wizard\u201d, especially the admin account creationpage, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback.",
"id": "GHSA-x84r-583w-g39w",
"modified": "2024-01-26T00:30:24Z",
"published": "2022-05-24T22:33:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32076"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208278"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-32076"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X858-8GR5-586M
Vulnerability from github – Published: 2026-04-20 12:31 – Updated: 2026-05-11 18:31Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been fixed in version 5.6.3
{
"affected": [],
"aliases": [
"CVE-2025-13480"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T10:16:16Z",
"severity": "MODERATE"
},
"details": "Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings.\nThis vulnerability has been fixed in version 5.6.3",
"id": "GHSA-x858-8gr5-586m",
"modified": "2026-05-11T18:31:34Z",
"published": "2026-04-20T12:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13480"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2026/04/CVE-2025-13480"
},
{
"type": "WEB",
"url": "https://download.fudosecurity.com/documentation/fudo/5_6/rn/RN_5.6.3.pdf"
},
{
"type": "WEB",
"url": "https://www.fudosecurity.com/product/enterprise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.