CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
CVE-2026-54765 (GCVE-0-2026-54765)
Vulnerability from cvelistv5 – Published: 2026-07-06 20:27 – Updated: 2026-07-07 14:19| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/pull/13367 | x_refsource_MISC |
| https://github.com/traefik/traefik/commit/8aada7a… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T14:18:17.134061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:19:07.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik\u0027s Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route\u0027s filter set to all requests reaching that backend. In Gateway deployments where backendRef filters set security-sensitive headers, such as tenant identity, authorization context, or values the backend trusts, an attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route\u0027s filter context to be applied to another route\u0027s requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting. This issue is fixed in version v3.7.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:27:32.803Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-6p8f-p8j2-rqmv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-6p8f-p8j2-rqmv"
},
{
"name": "https://github.com/traefik/traefik/pull/13367",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/pull/13367"
},
{
"name": "https://github.com/traefik/traefik/commit/8aada7a7d52e4588a75386d8b86d270f6fe8d549",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/commit/8aada7a7d52e4588a75386d8b86d270f6fe8d549"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.6"
}
],
"source": {
"advisory": "GHSA-6p8f-p8j2-rqmv",
"discovery": "UNKNOWN"
},
"title": "Traefik: Gateway HTTPRoute backendRef filters can leak backend context across routes sharing a Service:port"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54765",
"datePublished": "2026-07-06T20:27:32.803Z",
"dateReserved": "2026-06-15T23:12:41.966Z",
"dateUpdated": "2026-07-07T14:19:07.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54761 (GCVE-0-2026-54761)
Vulnerability from cvelistv5 – Published: 2026-06-23 19:15 – Updated: 2026-06-25 12:45| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.6.21 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:45:14.367141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:45:24.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.21"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik\u0027s Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route\u0027s own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:15:38.410Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.21"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.5"
}
],
"source": {
"advisory": "GHSA-3g6v-2r68-prfc",
"discovery": "UNKNOWN"
},
"title": "Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54761",
"datePublished": "2026-06-23T19:15:38.410Z",
"dateReserved": "2026-06-15T23:12:41.966Z",
"dateUpdated": "2026-06-25T12:45:24.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54698 (GCVE-0-2026-54698)
Vulnerability from cvelistv5 – Published: 2026-07-07 21:29 – Updated: 2026-07-08 13:02- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/hasura/graphql-engine/security… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| hasura | graphql-engine |
Affected:
>= 2.46.0, < 2.49.2
Affected: >= 2.45.0, < 2.45.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:01:48.684963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:02:17.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "graphql-engine",
"vendor": "hasura",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.46.0, \u003c 2.49.2"
},
{
"status": "affected",
"version": "\u003e= 2.45.0, \u003c 2.45.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table\u0027s row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T21:29:23.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh"
}
],
"source": {
"advisory": "GHSA-r27x-gc74-qmxh",
"discovery": "UNKNOWN"
},
"title": "Hasura: Row-level authorization bypass on table computed fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54698",
"datePublished": "2026-07-07T21:29:23.595Z",
"dateReserved": "2026-06-15T22:58:06.562Z",
"dateUpdated": "2026-07-08T13:02:17.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54652 (GCVE-0-2026-54652)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:52 – Updated: 2026-07-08 15:20| URL | Tags |
|---|---|
| https://github.com/blakeblackshear/frigate/securi… | x_refsource_CONFIRM |
| https://github.com/blakeblackshear/frigate/commit… | x_refsource_MISC |
| https://github.com/blakeblackshear/frigate/commit… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| blakeblackshear | frigate |
Affected:
<= 0.17.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54652",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:20:07.339673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:20:23.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frigate",
"vendor": "blakeblackshear",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598: Use of GET Request Method With Sensitive Query Strings",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:52:42.752Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55"
},
{
"name": "https://github.com/blakeblackshear/frigate/commit/68e8afd35c76f05f68de47ee9588d2c91796de4b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeblackshear/frigate/commit/68e8afd35c76f05f68de47ee9588d2c91796de4b"
},
{
"name": "https://github.com/blakeblackshear/frigate/commit/bd1fc1cc72cd4fa371464a087cbf3d7f3142edc6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeblackshear/frigate/commit/bd1fc1cc72cd4fa371464a087cbf3d7f3142edc6"
}
],
"source": {
"advisory": "GHSA-c4qf-xxq4-vf55",
"discovery": "UNKNOWN"
},
"title": "Frigate viewer can read logs exposing admin and camera credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54652",
"datePublished": "2026-07-08T14:52:42.752Z",
"dateReserved": "2026-06-15T20:16:46.199Z",
"dateUpdated": "2026-07-08T15:20:23.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54573 (GCVE-0-2026-54573)
Vulnerability from cvelistv5 – Published: 2026-06-25 15:59 – Updated: 2026-06-26 18:42- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/outline/outline/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54573",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:50:47.158963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:42:57.082Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "outline",
"vendor": "outline",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa\u0027s router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:59:35.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/outline/outline/security/advisories/GHSA-5x79-rj4g-qrh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/outline/outline/security/advisories/GHSA-5x79-rj4g-qrh8"
}
],
"source": {
"advisory": "GHSA-5x79-rj4g-qrh8",
"discovery": "UNKNOWN"
},
"title": "Authorization Bypass in API Key/OAuth Scopes via Path Parsing Discrepancy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54573",
"datePublished": "2026-06-25T15:59:35.297Z",
"dateReserved": "2026-06-15T19:15:27.343Z",
"dateUpdated": "2026-06-26T18:42:57.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54563 (GCVE-0-2026-54563)
Vulnerability from cvelistv5 – Published: 2026-07-15 14:38 – Updated: 2026-07-15 15:34- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/cloudreve/cloudreve/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54563",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T15:33:29.499501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T15:34:04.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/cloudreve/cloudreve/security/advisories/GHSA-w5fv-7x5q-g8qp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cloudreve",
"vendor": "cloudreve",
"versions": [
{
"status": "affected",
"version": "\u003c 4.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, a Cloudreve WebDAV account rooted at a configured folder can send paths such as /dav/%2e%2e/outside.txt because stripPrefix in pkg/webdav/webdav.go joins the decoded request suffix to the account root with fs.URI.JoinRaw without checking containment, allowing the scoped credential to read and list files outside the configured folder and writable credentials to create, overwrite, move, or delete them. This issue is reported as fixed in version 4.16.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:38:54.129Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cloudreve/cloudreve/security/advisories/GHSA-w5fv-7x5q-g8qp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cloudreve/cloudreve/security/advisories/GHSA-w5fv-7x5q-g8qp"
}
],
"source": {
"advisory": "GHSA-w5fv-7x5q-g8qp",
"discovery": "UNKNOWN"
},
"title": "Cloudreve: Path Traversal / Broken Access Control in Cloudreve WebDAV (`/dav`) \u2014 scoped DAV credential escapes its configured account root"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54563",
"datePublished": "2026-07-15T14:38:54.129Z",
"dateReserved": "2026-06-15T19:04:14.457Z",
"dateUpdated": "2026-07-15T15:34:04.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54560 (GCVE-0-2026-54560)
Vulnerability from cvelistv5 – Published: 2026-07-15 14:40 – Updated: 2026-07-15 15:16- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/cloudreve/cloudreve/security/a… | x_refsource_CONFIRM |
| https://github.com/cloudreve/cloudreve/commit/ed2… | x_refsource_MISC |
| https://github.com/cloudreve/cloudreve/releases/t… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54560",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T15:16:30.603425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T15:16:35.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/cloudreve/cloudreve/security/advisories/GHSA-vgj4-345g-jcf8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cloudreve",
"vendor": "cloudreve",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.12.0, \u003c 4.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve\u0027s OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:40:24.765Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cloudreve/cloudreve/security/advisories/GHSA-vgj4-345g-jcf8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cloudreve/cloudreve/security/advisories/GHSA-vgj4-345g-jcf8"
},
{
"name": "https://github.com/cloudreve/cloudreve/commit/ed20843dc3df20a25fcaf6b538647e11c4d68d87",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudreve/cloudreve/commit/ed20843dc3df20a25fcaf6b538647e11c4d68d87"
},
{
"name": "https://github.com/cloudreve/cloudreve/releases/tag/4.16.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudreve/cloudreve/releases/tag/4.16.1"
}
],
"source": {
"advisory": "GHSA-vgj4-345g-jcf8",
"discovery": "UNKNOWN"
},
"title": "Cloudreve: OAuth access tokens bypass scope enforcement due to missing client_id claim"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54560",
"datePublished": "2026-07-15T14:40:24.765Z",
"dateReserved": "2026-06-15T19:04:14.457Z",
"dateUpdated": "2026-07-15T15:16:35.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54555 (GCVE-0-2026-54555)
Vulnerability from cvelistv5 – Published: 2026-06-23 19:05 – Updated: 2026-06-24 14:30- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/rtk-ai/rtk/security/advisories… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54555",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T14:29:21.375030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:30:40.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rtk",
"vendor": "rtk-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 0.42.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: \"allow\". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:05:20.849Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327"
}
],
"source": {
"advisory": "GHSA-7gxq-fvfc-g327",
"discovery": "UNKNOWN"
},
"title": "rtk: Permission-gate bypass in rtk rewrite auto-allow via unsplit shell separators"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54555",
"datePublished": "2026-06-23T19:05:20.849Z",
"dateReserved": "2026-06-15T19:04:14.456Z",
"dateUpdated": "2026-06-24T14:30:40.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54518 (GCVE-0-2026-54518)
Vulnerability from cvelistv5 – Published: 2026-06-23 21:02 – Updated: 2026-06-24 15:32- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/FasterXML/jackson-databind/sec… | x_refsource_CONFIRM |
| https://github.com/FasterXML/jackson-databind/pull/5971 | x_refsource_MISC |
| https://github.com/FasterXML/jackson-databind/pull/5973 | x_refsource_MISC |
| https://github.com/FasterXML/jackson-databind/com… | x_refsource_MISC |
| https://github.com/FasterXML/jackson-databind/com… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| FasterXML | jackson-databind |
Affected:
>= 2.21.0, < 2.21.4
Affected: >= 3.0.0, < 3.1.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:25:24.319631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:32:44.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jackson-databind",
"vendor": "FasterXML",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.21.0, \u003c 2.21.4"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T21:02:07.539Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rcqc-6cw3-h962",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rcqc-6cw3-h962"
},
{
"name": "https://github.com/FasterXML/jackson-databind/pull/5971",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/pull/5971"
},
{
"name": "https://github.com/FasterXML/jackson-databind/pull/5973",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/pull/5973"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/721fa07ebbd4aab4a659a1a68940878315c3e341",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/721fa07ebbd4aab4a659a1a68940878315c3e341"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/d633bc038f200c1397c07f1a2b46f58e72c91eea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/d633bc038f200c1397c07f1a2b46f58e72c91eea"
}
],
"source": {
"advisory": "GHSA-rcqc-6cw3-h962",
"discovery": "UNKNOWN"
},
"title": "jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54518",
"datePublished": "2026-06-23T21:02:07.539Z",
"dateReserved": "2026-06-15T18:40:01.650Z",
"dateUpdated": "2026-06-24T15:32:44.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54517 (GCVE-0-2026-54517)
Vulnerability from cvelistv5 – Published: 2026-06-23 20:47 – Updated: 2026-06-24 19:13- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/FasterXML/jackson-databind/sec… | x_refsource_CONFIRM |
| https://github.com/FasterXML/jackson-databind/pull/5969 | x_refsource_MISC |
| https://github.com/FasterXML/jackson-databind/pull/5970 | x_refsource_MISC |
| https://github.com/FasterXML/jackson-databind/com… | x_refsource_MISC |
| https://github.com/FasterXML/jackson-databind/com… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| FasterXML | jackson-databind |
Affected:
>= 2.21.0, < 2.21.4
Affected: >= 3.0.0, < 3.1.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T19:13:14.390821Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T19:13:32.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jackson-databind",
"vendor": "FasterXML",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.21.0, \u003c 2.21.4"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T20:47:22.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5hh8-q8hv-fr38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5hh8-q8hv-fr38"
},
{
"name": "https://github.com/FasterXML/jackson-databind/pull/5969",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/pull/5969"
},
{
"name": "https://github.com/FasterXML/jackson-databind/pull/5970",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/pull/5970"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/5bf23edb4221f7dd2ec8e71ff6d26c61640f261d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/5bf23edb4221f7dd2ec8e71ff6d26c61640f261d"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/94c5d215b3af1505098c686405d9641f041a9962",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/94c5d215b3af1505098c686405d9641f041a9962"
}
],
"source": {
"advisory": "GHSA-5hh8-q8hv-fr38",
"discovery": "UNKNOWN"
},
"title": "jackson-databind: @JsonView bypass for setterless creator properties"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54517",
"datePublished": "2026-06-23T20:47:22.977Z",
"dateReserved": "2026-06-15T18:40:01.650Z",
"dateUpdated": "2026-06-24T19:13:32.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.