CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5501 vulnerabilities reference this CWE, most recent first.
GHSA-XR65-5CPM-G36X
Vulnerability from github – Published: 2026-07-01 20:45 – Updated: 2026-07-01 20:45Impact
A vulnerability in Fleet for Rancher Manager affects multi-tenancy environments where different tenants share the same downstream clusters (e.g., different privileged or untrusted teams inside the same organization).
On unpatched versions, tenants could bypass restrictions to access any config map or secret across all namespaces on the downstream cluster. They can create cluster-wide resources using HelmOp or Bundle without authorization.
Specifically, an attacker can exploit this vulnerability in the following ways:
1. Use valuesFrom in fleet.yaml(through a GitRepo resource) or a HelmOp resource to read the contents of any secret an on the downstream cluster, provided they know or can guess the name, namespace, and key.
2. DeployHelmOpandBundle` resources without being restricted to a specific service account for the Fleet agent.
If you use Fleet in a multi-tenant environment, it's recommended that you: - Review your cluster and Fleet deployments logs for indicators of unauthorized access across tenant namespaces. - Rotate any service accounts and credentials that might have been exposed.
Please consult the associated MITRE ATT&CK - Technique - Unsecured Credentials for further information about this category of attack.
Patches
To resolve this vulnerability, upgrade to a patched version of Fleet. The new Policy resource allows you to:
- Configure GitRepos, HelmOps, and Bundles to require a specific service account for the Fleet agent on downstream clusters used for deployment. The agent uses these designated service accounts for operations, blocking access to unauthorized resources.
- Restrict HelmOp repository and chart URLs by using a regular expression. The regular expression is automatically anchored with ^ and $, meaning it must match the entire URL string.
Like GitRepoRestriction, a Policy resource must be created in the specific namespace you want to restrict, and it only applies to that namespace.
Note: Before applying a policy, ensure that the required service account is available on the downstream clusters and is configured with least-privilege permissions.
Patched versions of Fleet include releases v0.15.2, v0.14.6, 0.13.11, and v0.12.15.
Workarounds
If you can't upgrade to a fixed version, please make sure that tenants do not have shared access to the same downstream clusters.
Credits
This security issue was reported by the following collaborators according to our responsible disclosure policy:
- Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).
References
If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/fleet"
},
"ranges": [
{
"events": [
{
"introduced": "0.15.0"
},
{
"fixed": "0.15.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/fleet"
},
"ranges": [
{
"events": [
{
"introduced": "0.14.0"
},
{
"fixed": "0.14.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/fleet"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "0.13.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/fleet"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.0"
},
{
"fixed": "0.12.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44935"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T20:45:39Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nA vulnerability in Fleet for Rancher Manager affects multi-tenancy environments where different tenants share the same downstream clusters (e.g., different privileged or untrusted teams inside the same organization). \n\nOn unpatched versions, tenants could bypass restrictions to access any config map or secret across all namespaces on the downstream cluster. They can create cluster-wide resources using `HelmOp` or `Bundle` without authorization.\nSpecifically, an attacker can exploit this vulnerability in the following ways:\n1. Use `valuesFrom` in `fleet.yaml`(through a `GitRepo` resource) or a `HelmOp resource to read the contents of any secret an on the downstream cluster, provided they know or can guess the name, namespace, and key.\n2. Deploy `HelmOp` and `Bundle` resources without being restricted to a specific service account for the Fleet agent.\n\nIf you use Fleet in a multi-tenant environment, it\u0027s recommended that you:\n- Review your cluster and Fleet deployments logs for indicators of unauthorized access across tenant namespaces.\n- Rotate any service accounts and credentials that might have been exposed.\n\nPlease consult the associated [MITRE ATT\u0026CK - Technique - Unsecured Credentials](https://attack.mitre.org/techniques/T1552/) for further information about this category of attack.\n\n### Patches\nTo resolve this vulnerability, upgrade to a patched version of Fleet. The new Policy resource allows you to:\n- Configure `GitRepos`, `HelmOps`, and `Bundles` to require a specific service account for the Fleet agent on downstream clusters used for deployment. The agent uses these designated service accounts for operations, blocking access to unauthorized resources.\n- Restrict `HelmOp` repository and chart URLs by using a regular expression. The regular expression is automatically anchored with `^` and `$`, meaning it must match the entire URL string.\n\nLike `GitRepoRestriction`, a Policy resource must be created in the specific namespace you want to restrict, and it only applies to that namespace.\n\n**Note:** Before applying a policy, ensure that the required service account is available on the downstream clusters and is configured with least-privilege permissions.\n\nPatched versions of Fleet include releases `v0.15.2`, `v0.14.6`, `0.13.11`, and `v0.12.15`.\n\n### Workarounds\nIf you can\u0027t upgrade to a fixed version, please make sure that tenants do not have shared access to the same downstream clusters.\n\n### Credits\n\nThis security issue was reported by the following collaborators according to our responsible disclosure policy:\n\n- Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
"id": "GHSA-xr65-5cpm-g36x",
"modified": "2026-07-01T20:45:39Z",
"published": "2026-07-01T20:45:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/fleet/security/advisories/GHSA-xr65-5cpm-g36x"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/fleet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer"
}
GHSA-XR6Q-PMRG-XHQR
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it.
{
"affected": [],
"aliases": [
"CVE-2021-42025"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-09T12:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions \u003c V8.18.13), Mendix Applications using Mendix 9 (All versions \u003c V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it.",
"id": "GHSA-xr6q-pmrg-xhqr",
"modified": "2022-05-24T19:20:09Z",
"published": "2022-05-24T19:20:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42025"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XR87-G5HR-3M8H
Vulnerability from github – Published: 2025-01-22 18:31 – Updated: 2025-01-23 15:31In Thermo Fisher Scientific Xcalibur before 4.7 SP1 and Thermo Foundation Instrument Control Software (ICSW) before 3.1 SP10, the driver packages have a local privilege escalation vulnerability due to improper access control permissions on Windows systems.
{
"affected": [],
"aliases": [
"CVE-2024-55957"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-22T18:15:20Z",
"severity": "HIGH"
},
"details": "In Thermo Fisher Scientific Xcalibur before 4.7 SP1 and Thermo Foundation Instrument Control Software (ICSW) before 3.1 SP10, the driver packages have a local privilege escalation vulnerability due to improper access control permissions on Windows systems.",
"id": "GHSA-xr87-g5hr-3m8h",
"modified": "2025-01-23T15:31:05Z",
"published": "2025-01-22T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55957"
},
{
"type": "WEB",
"url": "https://assets.thermofisher.com/TFS-Assets/CORP/Product-Guides/Thermo_Scientific_Xcalibur_and_Foundation.pdf"
},
{
"type": "WEB",
"url": "https://thermofisher.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR8F-H2GW-9XH6
Vulnerability from github – Published: 2026-04-16 22:44 – Updated: 2026-04-27 15:24Am I affected?
You're affected if all of the following are true:
- Using @better-auth/oauth-provider at version specified below
- You configured clientPrivileges in the plugin options expecting it to gate who can create OAuth clients
- The /oauth2/create-client or /admin/oauth2/create-client endpoints are reachable by authenticated users you don't fully trust
If clientPrivileges is not configured, this bug has no security consequence for your deployment
### Summary
The clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted — any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata.
Non-create operations (read, list, update, delete, rotate) enforced the hook correctly. Only the create path was missing the check.
Impact
- Unauthorized registration of OAuth clients by any authenticated user, under deployments that expected clientPrivileges to block them.
- Attacker-controlled redirect_uris on those clients enable phishing flows that present as registered first-party applications.
- If the SERVER_ONLY admin creation endpoint is also exposed to low-privilege users (a separate deployment misconfiguration), additional sensitive fields including
skip_consentbecome writable.
Patches
Fixed in @better-auth/oauth-provider@1.6.5 Both create endpoints now call the clientPrivileges hook with action "create" before persisting the client record.
Workarounds
If you cannot upgrade immediately:
- Block the /oauth2/create-client and /admin/oauth2/create-client routes at your reverse proxy or middleware layer for any user who should not be able to register clients.
- Do not expose the admin creation endpoint (it is SERVER_ONLY by design and should not be reachable by end-user sessions).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@better-auth/oauth-provider"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.8-beta.7"
},
{
"fixed": "1.6.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@better-auth/oauth-provider"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0-beta.0"
},
{
"last_affected": "1.7.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41427"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T22:44:27Z",
"nvd_published_at": "2026-04-24T20:16:27Z",
"severity": "HIGH"
},
"details": "### Am I affected?\n\n You\u0027re affected if all of the following are true:\n\n - Using @better-auth/oauth-provider at version specified below \n - You configured clientPrivileges in the plugin options expecting it to gate who can create OAuth clients\n - The /oauth2/create-client or /admin/oauth2/create-client endpoints are reachable by authenticated users you don\u0027t fully trust\n\n If clientPrivileges is not configured, this bug has no security consequence for your deployment\n\n ---\n ### Summary\n\n The clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted \u2014 any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata.\n\n Non-create operations (read, list, update, delete, rotate) enforced the hook correctly. Only the create path was missing the check.\n\n### Impact\n\n - Unauthorized registration of OAuth clients by any authenticated user, under deployments that expected clientPrivileges to block them.\n - Attacker-controlled redirect_uris on those clients enable phishing flows that present as registered first-party applications.\n - If the SERVER_ONLY admin creation endpoint is also exposed to low-privilege users (a separate deployment misconfiguration), additional sensitive fields including `skip_consent` become writable.\n\n### Patches\n\nFixed in `@better-auth/oauth-provider@1.6.5` Both create endpoints now call the clientPrivileges hook with action \"create\" before persisting the client record.\n\n### Workarounds\n\n If you cannot upgrade immediately:\n\n - Block the /oauth2/create-client and /admin/oauth2/create-client routes at your reverse proxy or middleware layer for any user who should not be able to register clients.\n - Do not expose the admin creation endpoint (it is SERVER_ONLY by design and should not be reachable by end-user sessions).",
"id": "GHSA-xr8f-h2gw-9xh6",
"modified": "2026-04-27T15:24:29Z",
"published": "2026-04-16T22:44:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41427"
},
{
"type": "PACKAGE",
"url": "https://github.com/better-auth/better-auth"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OAuth 2.1 Provider: Unprivileged users can register OAuth clients"
}
GHSA-XRCW-9Q57-9FRW
Vulnerability from github – Published: 2024-07-17 00:32 – Updated: 2024-09-17 15:31An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1. This vulnerability was reported via the GitHub Bug Bounty program.
{
"affected": [],
"aliases": [
"CVE-2024-5816"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-16T22:15:05Z",
"severity": "MODERATE"
},
"details": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1. This vulnerability was reported via the GitHub Bug Bounty program.",
"id": "GHSA-xrcw-9q57-9frw",
"modified": "2024-09-17T15:31:23Z",
"published": "2024-07-17T00:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5816"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.15"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.9.17"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.12"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.6"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XRHH-HX36-485Q
Vulnerability from github – Published: 2025-12-05 22:02 – Updated: 2025-12-05 22:02Impact
In some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The exact scenario when this happens is when:
* Apache Kafka Connect is deployed without at least one of the following options configured:
* TLS encryption with configured trusted certificates (no .spec.tls.trustedCertificates section in the KafkaConnect CR)
* mTLS authentication (no type: tls in .spec.authentication section of the KafkaConnect CR)
* TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.authentication.tlsTrustedCertificates section in the KafkaConnect CR)
* Apache Kafka MirrorMaker2 is deployed without at least one of the following options configured for the target cluster:
* TLS encryption with configured trusted certificates (no .spec.target.tls.trustedCertificates section in the KafkaConnect CR)
* mTLS authentication (no type: tls in .spec.target.authentication section of the KafkaConnect CR)
* TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.target.authentication.tlsTrustedCertificates section in the KafkaConnect CR)
* TLS encryption with configured trusted certificates (no .spec.clusters[].tls.trustedCertificates section in the KafkaConnect CR for the target cluster)
* mTLS authentication (no type: tls in .spec.clusters[].authentication section of the KafkaConnect CR for the target cluster)
* TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.clusters[].authentication.tlsTrustedCertificates section in the KafkaConnect CR for the target cluster)
When the operands configured as described above are deployed with Strimzi >= 0.47.0 and <= 0.49.0, any code running within their Pods and using their Service Account for authentication will be able to GET any Kubernetes Secret from the same namespace. This can be done by executing 3rd party tools from the Pods. Or directly from the Kafka Connect code, for example, using configuration providers or HTTP connectors. The Pods are allowed to only GET the Secrets. They are not allowed to list, watch, modify, or delete the Secrets.
Patches
The issue is fixed in Strimzi 0.49.1.
Workarounds
There is no workaround for this issue when using the affected operands with the affected configurations.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.strimzi:strimzi"
},
"ranges": [
{
"events": [
{
"introduced": "0.47.0"
},
{
"fixed": "0.49.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66623"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-05T22:02:37Z",
"nvd_published_at": "2025-12-05T19:15:52Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn some situations, Strimzi creates an incorrect Kubernetes `Role` which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the `GET` access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The exact scenario when this happens is when:\n* Apache Kafka Connect is deployed without at least one of the following options configured:\n * TLS encryption with configured trusted certificates (no `.spec.tls.trustedCertificates` section in the `KafkaConnect` CR)\n * mTLS authentication (no `type: tls` in `.spec.authentication` section of the `KafkaConnect` CR)\n * TLS encryption with configured trusted certificates for `type: oauth` authentication (no `.spec.authentication.tlsTrustedCertificates` section in the `KafkaConnect` CR)\n* Apache Kafka MirrorMaker2 is deployed without at least one of the following options configured for the target cluster:\n * TLS encryption with configured trusted certificates (no `.spec.target.tls.trustedCertificates` section in the `KafkaConnect` CR)\n * mTLS authentication (no `type: tls` in `.spec.target.authentication` section of the `KafkaConnect` CR)\n * TLS encryption with configured trusted certificates for `type: oauth` authentication (no `.spec.target.authentication.tlsTrustedCertificates` section in the `KafkaConnect` CR)\n * TLS encryption with configured trusted certificates (no `.spec.clusters[].tls.trustedCertificates` section in the `KafkaConnect` CR for the target cluster)\n * mTLS authentication (no `type: tls` in `.spec.clusters[].authentication` section of the `KafkaConnect` CR for the target cluster)\n * TLS encryption with configured trusted certificates for `type: oauth` authentication (no `.spec.clusters[].authentication.tlsTrustedCertificates` section in the `KafkaConnect` CR for the target cluster)\n\nWhen the operands configured as described above are deployed with Strimzi \u003e= 0.47.0 and \u003c= 0.49.0, any code running within their Pods and using their Service Account for authentication will be able to `GET` any Kubernetes Secret from the same namespace. This can be done by executing 3rd party tools from the Pods. Or directly from the Kafka Connect code, for example, using configuration providers or HTTP connectors. The Pods are allowed to only `GET` the Secrets. They are not allowed to list, watch, modify, or delete the Secrets.\n\n### Patches\n\nThe issue is fixed in Strimzi 0.49.1.\n\n### Workarounds\n\nThere is no workaround for this issue when using the affected operands with the affected configurations.",
"id": "GHSA-xrhh-hx36-485q",
"modified": "2025-12-05T22:02:37Z",
"published": "2025-12-05T22:02:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-xrhh-hx36-485q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66623"
},
{
"type": "WEB",
"url": "https://github.com/strimzi/strimzi-kafka-operator/commit/c8a14935e99c91eb0dd865431f46515da9f82ccc"
},
{
"type": "PACKAGE",
"url": "https://github.com/strimzi/strimzi-kafka-operator"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands"
}
GHSA-XRMJ-XM38-42WC
Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-07-10 09:32An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.
{
"affected": [],
"aliases": [
"CVE-2025-6168"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T09:15:30Z",
"severity": "LOW"
},
"details": "An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.",
"id": "GHSA-xrmj-xm38-42wc",
"modified": "2025-07-10T09:32:32Z",
"published": "2025-07-10T09:32:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6168"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3196745"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/549725"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XRQ9-JM7V-G9H7
Vulnerability from github – Published: 2026-04-25 23:49 – Updated: 2026-04-25 23:49Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.20 - Patched version:
2026.4.20
Impact
A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.
This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.
Fix
Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.
Fix commit:
5a12f30441d5b0b151f550daa2c5c9e8db61e2e6
Release
Fixed in OpenClaw 2026.4.20.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-25T23:49:00Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nA paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.\n\nThis is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.\n\n## Fix\n\nPairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.\n\nFix commit:\n\n- `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
"id": "GHSA-xrq9-jm7v-g9h7",
"modified": "2026-04-25T23:49:00Z",
"published": "2026-04-25T23:49:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Paired-device pairing actions were not limited to the caller device"
}
GHSA-XRRV-GJCC-H93V
Vulnerability from github – Published: 2022-12-01 15:30 – Updated: 2022-12-05 21:30Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls. This CVE applies narrowly to the Client User Interface Password protection and Policy Import/Export Password protection, if it has been enabled.
{
"affected": [],
"aliases": [
"CVE-2022-37017"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-01T14:15:00Z",
"severity": "HIGH"
},
"details": "Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls. This CVE applies narrowly to the Client User Interface Password protection and Policy Import/Export Password protection, if it has been enabled.",
"id": "GHSA-xrrv-gjcc-h93v",
"modified": "2022-12-05T21:30:42Z",
"published": "2022-12-01T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37017"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XRVG-VG5W-7CH7
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2017-17668"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-20T14:29:00Z",
"severity": "HIGH"
},
"details": "Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.",
"id": "GHSA-xrvg-vg5w-7ch7",
"modified": "2022-05-13T01:44:27Z",
"published": "2022-05-13T01:44:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17668"
},
{
"type": "WEB",
"url": "https://www.ncr.com/sites/default/files/ncr_security_alert_-_2018-04_v3.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.