CWE-284: Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
All Improper Access Control CVEs (1,311)
Nov 13, 2025: A permission inheritance vulnerability in Directus allows stale field-level permissions to persist after field deletion. When a deleted field's name i...
Feb 27, 2025: This vulnerability allows physically proximate attackers to bypass USB debugging authorization on Motorola Droid Razr HD devices, enabling full device...
Jan 14, 2025: This Secure Boot vulnerability allows attackers with physical access or administrative privileges to bypass security features during the boot process....
Sep 16, 2024: An improper access control vulnerability in Intel RAID Web Console allows authenticated users on the same network segment to potentially cause denial ...
Jun 28, 2024: This vulnerability allows attackers with valid viewer join links to manipulate BigBlueButton into generating signed moderator links, enabling unauthor...
Nov 11, 2025: This vulnerability in Intel CIP software allows unprivileged software running with a privileged user to potentially disclose information via adjacent ...
Feb 11, 2026: A macOS vulnerability allows apps with root privileges to access private information due to insufficient redaction of sensitive data. This affects mac...
Jan 13, 2026: This CVE describes an improper access control vulnerability in Windows Hyper-V that allows an authenticated attacker with local access to a Hyper-V ho...
Aug 12, 2025: This vulnerability in Intel's Kubernetes Device Plugins allows privileged users to potentially cause denial of service through local access. It affect...
May 6, 2025: This vulnerability allows unauthorized access to bypass app lock protections on affected Huawei devices. Attackers could access locked applications wi...
Nov 13, 2024: This vulnerability allows authenticated users with local access to potentially escalate privileges on systems running vulnerable Intel Granulate softw...
Sep 17, 2024: This vulnerability allows malicious applications with root privileges to modify system files on affected Apple operating systems. It affects visionOS ...
May 16, 2024: This vulnerability in Intel CST software allows authenticated local users to potentially escalate privileges due to improper access control. It affect...
Mar 5, 2026: OpenProject versions before 17.0.5 and 17.1.2 contain an improper authentication vulnerability that allows attackers to create wiki pages in projects ...
Feb 17, 2026: This vulnerability in IBM Cloud Pak System allows authenticated users to perform unauthorized actions due to improper access controls. It affects IBM ...
Jan 22, 2026: This vulnerability in Gitea allows users with read access to pull requests to cancel scheduled auto-merges created by other users. It's an authorizati...
Jan 22, 2026: CVE-2026-24039 is an improper access control vulnerability in Horilla HRMS version 1.4.0 that allows low-privileged employees to self-approve document...
Jan 22, 2026: This vulnerability allows any authenticated employee in Horilla HRMS to upload documents on behalf of any other employee without proper authorization....
Jan 15, 2026: This CVE describes an authorization bypass vulnerability in Pimcore's API endpoint for static routes. Authenticated backend users without proper permi...
Jan 15, 2026: This vulnerability allows authenticated backend users without proper permissions to access the complete list of Predefined Properties configurations i...
Jan 7, 2026: LibreChat version 0.8.1-rc2 has an improper access control vulnerability where authenticated users can read permissions of arbitrary agents by knowing...
Jan 2, 2026: This vulnerability in Plane.io allows guest users to access an API endpoint that lists workspace members, potentially exposing admin email addresses t...
Dec 16, 2025: CVE-2025-67715 is an information disclosure vulnerability in Weblate that allows unauthorized API access to user notification settings and user lists....
Dec 9, 2025: This vulnerability allows authenticated users in Xinhu Rainrock RockOA 2.7.0 to modify PHP configuration files through a specific endpoint. Attackers ...
Dec 8, 2025: CVE-2025-65796 is an improper access control vulnerability in usememos memos v0.25.2 that allows authenticated users with low-level privileges to dele...
Dec 4, 2025: Open WebUI v0.6.33 has an access control vulnerability where the /api/tasks/stop/ endpoint allows any authenticated user to cancel arbitrary LLM respo...
Dec 3, 2025: This vulnerability in RomM (ROM Manager) allows authenticated users to access private game collections belonging to other users by directly querying c...
Nov 26, 2025: This vulnerability allows attackers with low-level privileges to read server logs via the /aux1/ocussd/trace endpoint in OpenCode Systems USSD Gateway...
Nov 18, 2025: The Database Inventory Plugin for GLPI allows any authenticated user to send requests to inventory agents, potentially enabling unauthorized access to...
Nov 14, 2025: An incorrect access control vulnerability in Desktop Alert PingAlert's Application Server (versions 6.1.0.11 to 6.1.1.2) allows unauthorized remote ac...
Oct 25, 2025: The Tutor LMS WordPress plugin up to version 3.8.3 contains an access control vulnerability that allows authenticated users with tutor-level permissio...
Oct 23, 2025: This vulnerability allows unauthorized users to view limited course information they shouldn't have access to due to insufficient permission checks in...
Oct 23, 2025: This vulnerability allows users with lower-level permissions to access cohort information from the system context, potentially exposing restricted adm...
Oct 21, 2025: This vulnerability in Oracle Applications Framework allows authenticated attackers with low privileges to modify data through the Upload Attachments c...
Oct 21, 2025: This vulnerability in Oracle Applications Framework allows authenticated attackers with low privileges to modify data through HTTP requests. It affect...
Oct 20, 2025: An improper access control vulnerability in Samsung Exynos processors allows unauthorized access to log files. This affects devices using Exynos 980, ...
Oct 8, 2025: This vulnerability allows authenticated users in Tenable Security Center to access resources beyond their assigned permissions. It affects all Tenable...
Oct 1, 2025: Discourse versions 3.5.0 and below contain an authorization bypass vulnerability in AI suggestion endpoints. Authenticated users can access restricted...
Sep 30, 2025: The SmartCrawl SEO plugin for WordPress has an authorization bypass vulnerability that allows authenticated users with Subscriber-level access or high...
Sep 29, 2025: This vulnerability in IBM License Metric Tool allows authenticated users to bypass access controls in the REST API interface, enabling unauthorized ac...
Sep 3, 2025: The Jenkins global-build-stats plugin has a missing authorization vulnerability in its REST API endpoints. Attackers with Overall/Read permission can ...
Aug 28, 2025: This vulnerability allows authenticated back-end users in Contao CMS to access modules they shouldn't have permission to view. It affects Contao insta...
Aug 19, 2025: A vulnerability in the RISC-V BOOMv1.2 processor implementation causes valid memory store operations to incorrectly trigger access faults, potentially...
Aug 7, 2025: Netwrix Directory Manager versions 11.0.0.0 through 11.1.25162.01 expose sensitive information in data sent to authenticated users. This vulnerability...
Jul 30, 2025: CVE-2025-53112 is an improper access control vulnerability in GLPI that allows unauthorized users to delete specific resources. This affects GLPI inst...
Jul 18, 2025: An improper access control vulnerability in FortiIsolator's logging component allows authenticated read-only users to alter logs via crafted HTTP requ...
May 30, 2025: This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to modify the featured image of any post without proper...
Apr 30, 2025: This vulnerability allows attackers to bypass the user limit for direct messages (DMs) in Discourse, potentially creating DMs that include every user ...
Mar 26, 2025: This CVE allows low-privileged Splunk users without admin or power roles to edit and delete other users' data in App Key Value Store (KVStore) collect...
Mar 17, 2025: Unifiedtransform 2.0 has an incorrect access control vulnerability that allows teachers to take attendance for other teachers. This affects all deploy...
About Improper Access Control (CWE-284)
Our database tracks 1,311 CVEs classified as CWE-284, with 216 rated critical and 558 rated high severity. The average CVSS score for Improper Access Control vulnerabilities is 7.2.
External reference: View CWE-284 on MITRE CWE