CWE-284: Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Yearly Trend
Top Affected Vendors
All Improper Access Control CVEs (1,300)
Sep 30, 2021: The ECOA BAS controller has an insecure direct object reference vulnerability that allows authenticated users to bypass authorization and access hidde...
May 6, 2021: This vulnerability allows an unauthenticated attacker with network access to adjacent Cisco SD-WAN vEdge devices to bypass authentication and authoriz...
Dec 1, 2020: This vulnerability allows authenticated users to escalate privileges via the web interface in Schneider Electric's EcoStruxure and SmartStruxure power...
Aug 1, 2024: This vulnerability in Mattermost allows remote attackers to forcibly share local channels without administrator consent when shared channels are enabl...
Feb 11, 2023: This vulnerability allows authenticated admin users in Dell Wyse Management Suite to access pro license features they are not authorized to use, enabl...
Feb 5, 2026: This Azure Arc vulnerability allows authenticated attackers to elevate privileges within managed systems, potentially gaining administrative control. ...
Nov 25, 2025: Primakon Pi Portal 1.0.18 has a broken access control vulnerability in its user registration endpoint that allows unauthenticated attackers to create ...
Sep 27, 2025: This vulnerability in Flag Forge CTF platform allows unauthenticated attackers to create, modify, or delete platform resources via the /api/resources ...
Aug 29, 2025: An access control vulnerability in HikCentral Professional allows unauthenticated attackers to gain administrative privileges. This affects organizati...
Jul 31, 2025: This vulnerability in CS Cart 4.18.3 allows attackers to perform brute-force attacks against vendor login pages due to missing CAPTCHA and rate limiti...
Jul 15, 2025: This vulnerability in Oracle Java SE and GraalVM networking components allows unauthenticated attackers with network access to bypass Java sandbox sec...
Jan 30, 2025: An Improper Access Control vulnerability in EmbedAI 2.1 and earlier allows authenticated attackers to view other users' subscription information by ma...
Jan 30, 2025: An authenticated attacker can access other users' chat messages in EmbedAI by manipulating the CHAT_ID parameter in the load_messages endpoint. This a...
Aug 12, 2024: An unauthenticated remote attacker can bypass authentication and factory reset Vonets industrial wifi bridge devices via unprotected goform endpoints....
Apr 26, 2024: This vulnerability in Zammad allows users with customer-level access to view time accounting details for tickets via the API, which should be restrict...
Mar 8, 2024: This memory handling vulnerability in Apple operating systems allows malicious apps to execute arbitrary code outside their sandbox or with elevated p...
Feb 21, 2024: This macOS sandbox escape vulnerability allows malicious applications to break out of their security confinement and execute arbitrary code with eleva...
Feb 17, 2024: This vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via HTTP to compromise the server. It enables unauth...
Sep 27, 2023: This vulnerability in Cisco DNA Center allows unauthenticated remote attackers to read and modify data in an internal service repository due to insuff...
Aug 18, 2025: Thermo Fisher Scientific ePort software through version 3.0.0 has an incorrect access control vulnerability that allows unauthorized users to bypass a...
Mar 3, 2025: An improper access control vulnerability in ArcGIS Server versions 11.3 and below allows authenticated attackers with low privileges to access secure ...
Sep 10, 2024: This vulnerability allows remote code execution in Microsoft Power Automate Desktop, enabling attackers to execute arbitrary code on affected systems....
Nov 21, 2023: This vulnerability in Nextcloud Server allows a malicious user to update any personal or global external storage configuration, making those storage l...
May 4, 2023: This vulnerability allows local attackers to write arbitrary files with system privileges due to improper access control in Samsung's ThemeManager. It...
Oct 21, 2025: This vulnerability in Oracle Business Intelligence Enterprise Edition allows high-privileged attackers with network access to compromise the system vi...
Apr 8, 2025: CVE-2025-26678 is an improper access control vulnerability in Windows Defender Application Control (WDAC) that allows local attackers to bypass securi...
Sep 26, 2024: This vulnerability allows attackers to replace legitimate Foxit PDF update files with malicious executables via side-loading attacks, enabling arbitra...
Jun 3, 2024: This vulnerability allows memory corruption when creating an LPAC client because the LPAC engine could access GPU registers. It affects devices with Q...
May 2, 2024: This vulnerability in Karmada allows a local attacker to execute arbitrary code by exploiting improper access control in the token component. It affec...
Apr 22, 2024: A vulnerable pre-installed Android app (com.factory.mmigroup) exposes system-level functionality to local third-party apps without requiring permissio...
Feb 6, 2024: This CVE describes a memory corruption vulnerability in Qualcomm's Automotive Multimedia systems due to improper access control in the Hardware Abstra...
Nov 15, 2023: This CVE describes an improper access control vulnerability in Phoenix SecureCore Technology 4's SMI handler that allows unauthorized modification of ...
Oct 3, 2023: This vulnerability allows memory corruption in Qualcomm's Core component when invoking calls to the Access Control core library with hardware-protecte...
May 2, 2023: CVE-2023-21642 is a memory corruption vulnerability in Qualcomm's HAB (Hardware Abstraction Layer) memory management that allows attackers with physic...
Mar 10, 2023: This vulnerability allows memory corruption in Automotive Android OS due to improper array index validation, potentially enabling arbitrary code execu...
Feb 12, 2023: CVE-2022-33243 is a memory corruption vulnerability in Qualcomm's Inter-Processor Communication (IPC) subsystem due to improper access control. This a...
Dec 17, 2025: This vulnerability allows any authenticated user in ChurchCRM to perform Kiosk Manager actions like allowing/accepting kiosk registrations, reloading ...
Nov 5, 2025: An incorrect access control vulnerability in ZwiiCMS allows authenticated low-privilege users to escalate privileges by accessing and modifying any us...
Aug 21, 2025: This vulnerability allows any authenticated user in N-central to read, write, and modify syslog configurations across all customer accounts on the ser...
May 23, 2024: This vulnerability in OpenCTI allows authenticated users with low privileges to escalate their permissions to administrative level through the profile...
Apr 17, 2024: An unauthenticated data integrity vulnerability in Peplink Smart Reader v1.2.0 allows attackers to modify device configuration via specially crafted H...
Mar 27, 2024: Dell InsightIQ version 5.0 has an improper access control vulnerability that allows remote low-privileged attackers to gain unauthorized access to mon...
Jan 16, 2024: This vulnerability in Oracle Enterprise Manager Base Platform allows high-privileged attackers with physical network access to compromise the system, ...
Oct 17, 2023: This vulnerability in Oracle MySQL Connector/J allows an unauthenticated attacker with network access to potentially compromise the connector through ...
Apr 18, 2023: This vulnerability in Oracle Health Sciences InForm allows authenticated attackers with low privileges to perform unauthorized data manipulation, acce...
Jul 22, 2021: CVE-2021-1600 allows unauthenticated attackers on the same network segment to bypass firewall restrictions on Cisco Intersight Virtual Appliance's ext...
Feb 19, 2026: CVE-2026-21535 is an improper access control vulnerability in Microsoft Teams that allows unauthorized attackers to access and disclose sensitive info...
Feb 2, 2026: This vulnerability allows unauthenticated attackers to trigger resource-intensive text generation operations and manipulate server state in the lollms...
Nov 26, 2025: OneUptime versions before 8.0.5567 contain a privilege escalation vulnerability where attackers can manipulate the login response to gain admin dashbo...
Nov 6, 2025: This vulnerability in AnyDesk allows a remote user with 'Control my device' permission to modify settings and set a Full Access password without confi...
About Improper Access Control (CWE-284)
Our database tracks 1,300 CVEs classified as CWE-284, with 214 rated critical and 551 rated high severity. The average CVSS score for Improper Access Control vulnerabilities is 7.2.
External reference: CWE-284 on MITRE CWE.