CWE-863: Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource, but it does not correctly perform the check.

Total CVEs: 710
Critical: 138
High: 315
Average CVSS: 7.3
In CISA KEV: 3

Yearly Trend (CWE-863 CVEs per year)

2026: 77
2025: 260
2024: 164
2023: 97
2022: 35

Top Affected Vendors (CWE-863 CVEs per vendor)

1. Oracle: 34
2. Apple: 26
3. Adobe: 23
4. Google: 19
5. Mattermost: 18
6. GitLab: 16
7. IBM: 13
8. Apache: 10
9. WSO2: 7
10. Lunary: 7

Incorrect Authorization CVEs (710 in the database; the 50 entries on this page are listed below as CVE ID, CVSS score, date, summary)

CVE-2021-1086 (CVSS 7.1, Apr 29, 2021)
    This vulnerability in the NVIDIA vGPU driver allows guest virtual machines to access unauthorized resources on the host system, potentially leading to dat...

CVE-2025-26330 (CVSS 7.0, Apr 10, 2025)
    Dell PowerScale OneFS versions 9.4.0.0 through 9.10.0.1 contain an incorrect authorization vulnerability. An unauthenticated attacker with local acces...

CVE-2021-20188 (CVSS 7.0, Feb 11, 2021)
    A privilege escalation vulnerability in Podman allows non-root users inside privileged containers to access any file, including root-owned files. This...

CVE-2025-68933 (CVSS 6.9, Jan 28, 2026)
    This vulnerability allows non-admin moderators with post ownership transfer permissions to change ownership of posts in private messages and restricted categori...

CVE-2025-68129 (CVSS 6.8, Dec 17, 2025)
    Auth0-PHP SDK versions 8.0.0 through 8.17.0 improperly validate audience claims in access tokens, allowing ID tokens to be accepted as access tokens. ...

CVE-2025-54838 (CVSS 6.8, Dec 9, 2025)
    An incorrect authorization vulnerability in FortiPortal versions 7.4.0 through 7.4.5 allows authenticated attackers to reboot shared FortiGate devices...

CVE-2024-54916 (CVSS 6.8, Feb 11, 2025)
    This vulnerability in Telegram Android allows a physically proximate attacker to bypass the app's passcode authentication and gain unauthorized access...

CVE-2024-6979 (CVSS 6.8, Sep 10, 2024)
    CVE-2024-6979 is a broken access control vulnerability in AXIS OS that allows less-privileged operator or viewer accounts to gain elevated privileges ...

CVE-2024-5714 (CVSS 6.8, Jun 27, 2024)
    In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows team members with management permissions to manipulate project iden...

CVE-2025-5187 (CVSS 6.7, Aug 27, 2025)
    A vulnerability in Kubernetes' NodeRestriction admission controller allows node users to delete their own node objects by manipulating OwnerReferences...

CVE-2024-7039 (CVSS 6.7, Mar 20, 2025)
    This vulnerability allows an authenticated admin user to delete other administrators through direct API calls, bypassing UI restrictions. It affects o...

CVE-2026-28715 (CVSS 6.5, Mar 6, 2026)
    CVE-2026-28715 is an improper authorization vulnerability in Acronis Cyber Protect 17 that allows unauthorized access to sensitive information. Attack...

CVE-2026-26012 (CVSS 6.5, Feb 11, 2026)
    In vaultwarden versions before 1.35.3, any organization member can access all ciphers (password entries) within their organization, bypassing collecti...

CVE-2026-25729 (CVSS 6.5, Feb 6, 2026)
    DeepAudit versions 3.0.4 and earlier contain an improper access control vulnerability in the /api/v1/users/ endpoint that allows any authenticated use...

CVE-2025-70997 (CVSS 6.5, Feb 4, 2026)
    This vulnerability in eladmin v2.7 and earlier allows attackers to reset any user's password regardless of their permission level. Attackers can gain ...

CVE-2026-24742 (CVSS 6.5, Jan 28, 2026)
    This vulnerability allows non-admin moderators in Discourse to view sensitive information in staff action logs that should be restricted to administrators only....

CVE-2025-69218 (CVSS 6.5, Jan 28, 2026)
    This vulnerability allows moderators in Discourse to access the 'top_uploads' admin report, which should be restricted to administrators only. The report reveal...

CVE-2025-68666 (CVSS 6.5, Jan 28, 2026)
    This vulnerability allows Discourse moderators to view user archives containing private topic/post content, violating confidentiality. It affects Discourse inst...

CVE-2026-1514 (CVSS 6.5, Jan 28, 2026)
    CVE-2026-1514 is an incorrect authorization vulnerability in 2100 Technology's Official Document Management System that allows authenticated attackers...

CVE-2026-23964 (CVSS 6.5, Jan 22, 2026)
    This CVE describes an insecure direct object reference vulnerability in Mastodon's web push subscription update endpoint. Authenticated users can tamp...

CVE-2025-59020 (CVSS 6.5, Jan 13, 2026)
    This vulnerability allows authenticated TYPO3 backend users with write permissions to bypass field-level access controls during record creation. By ex...

CVE-2025-66581 (CVSS 6.5, Dec 5, 2025)
    Frappe LMS versions before 2.41.0 have an authorization bypass vulnerability where authenticated users can perform actions beyond their assigned roles...

CVE-2025-65900 (CVSS 6.5, Dec 4, 2025)
    CVE-2025-65900 is an incorrect access control vulnerability in Kalmia CMS that allows authenticated users with basic read permissions to retrieve sens...

CVE-2025-66424 (CVSS 6.5, Nov 30, 2025)
    Tryton trytond versions before 7.6.11, 7.4.21, 7.0.40, and 6.0.70 fail to enforce access controls during data export operations. This allows authentic...

CVE-2025-59111 (CVSS 6.5, Nov 18, 2025)
    Windu CMS version 4.1 has a broken access control vulnerability in user editing functionality that allows privileged users to delete Super Admin accou...

CVE-2025-34273 (CVSS 6.5, Oct 30, 2025)
    Nagios Log Server versions before 2024R2.0.3 have an authorization flaw that lets non-admin users delete global dashboards. This affects all organizat...

CVE-2025-54267 (CVSS 6.5, Oct 14, 2025)
    This CVE describes an incorrect authorization vulnerability in Adobe Commerce that allows low-privileged attackers to bypass security controls and gai...

CVE-2025-27236 (CVSS 6.5, Oct 3, 2025)
    A Zabbix API vulnerability allows authenticated users to search other users in their group and access restricted field values they shouldn't have perm...

CVE-2025-59714 (CVSS 6.5, Sep 19, 2025)
    This vulnerability allows group administrators who are not Grouper system administrators to configure loader jobs in Internet2 Grouper. This improper ...

CVE-2025-43784 (CVSS 6.5, Sep 10, 2025)
    This CVE describes an improper access control vulnerability in Liferay Portal and DXP where guest users (unauthenticated users) can access object entr...

CVE-2025-25010 (CVSS 6.5, Aug 28, 2025)
    This CVE describes an incorrect authorization vulnerability in Kibana where the built-in reporting_user role has excessive permissions, allowing it to...

CVE-2025-57728 (CVSS 6.5, Aug 20, 2025)
    This vulnerability in JetBrains IntelliJ IDEA allows Code With Me guests to discover hidden files on the host system due to improper access control. I...

CVE-2025-54583 (CVSS 6.5, Jul 30, 2025)
    GitProxy versions 1.19.1 and below contain an authorization bypass vulnerability that allows users to push code to remote repositories without trigger...

CVE-2025-6549 (CVSS 6.5, Jul 11, 2025)
    An incorrect authorization vulnerability in Juniper Junos OS on SRX Series allows unauthenticated attackers to access the J-Web management interface t...

CVE-2025-40669 (CVSS 6.5, Jun 9, 2025)
    This vulnerability in TCMAN's GIM v11 allows unauthenticated attackers to modify user permissions via a specific POST request. Attackers can escalate ...

CVE-2025-48948 (CVSS 6.5, May 30, 2025)
    CVE-2025-48948 is an authorization bypass vulnerability in Navidrome music server where authenticated regular users can perform administrator-only tra...

CVE-2024-55965 (CVSS 6.5, Mar 26, 2025)
    Appsmith versions before 1.51 have an incorrect access control vulnerability where users with 'App Viewer' permissions can view development informatio...

CVE-2024-10273 (CVSS 6.5, Mar 20, 2025)
    This vulnerability allows users with viewer roles in lunary-ai/lunary to modify models owned by other users due to missing privilege checks in the PAT...

CVE-2025-26526 (CVSS 6.5, Feb 24, 2025)
    This vulnerability allows users to bypass Separate Groups mode restrictions in Moodle's Feedback activities, enabling unauthorized viewing or deletion...

CVE-2025-23053 (CVSS 6.5, Jan 28, 2025)
    This CVE describes a privilege escalation vulnerability in HPE Aruba Networking Fabric Composer's web management interface. Authenticated low-privileg...

CVE-2025-21560 (CVSS 6.5, Jan 21, 2025)
    This vulnerability in Oracle Agile PLM Framework allows authenticated attackers with low privileges to access sensitive data via HTTP. It affects orga...

CVE-2024-57677 (CVSS 6.5, Jan 16, 2025)
    This vulnerability allows unauthenticated attackers to modify WAN service settings on D-Link DIR-816 routers via a crafted POST request to form2Wan.cg...

CVE-2024-57679 (CVSS 6.5, Jan 16, 2025)
    This vulnerability allows unauthenticated attackers to remotely configure the 2.4G and 5G repeater services on affected D-Link routers. Attackers can ...

CVE-2024-56114 (CVSS 6.5, Jan 9, 2025)
    CVE-2024-56114 is an improper authorization vulnerability in Canlineapp Online 1.1 that allows users with Auditor role to create audit templates, a fe...

CVE-2024-53949 (CVSS 6.5, Dec 9, 2024)
    Apache Superset has an improper authorization vulnerability when FAB_ADD_SECURITY_API is enabled (disabled by default). This allows lower-privilege us...

CVE-2024-12196 (CVSS 6.5, Dec 4, 2024)
    This vulnerability allows authenticated users in Devolutions Server to view password history entries without proper authorization. Attackers with vali...

CVE-2024-11669 (CVSS 6.5, Nov 26, 2024)
    This vulnerability in GitLab CE/EE allows attackers with valid API tokens to access sensitive data beyond their intended permissions due to overly bro...

CVE-2024-44765 (CVSS 6.5, Nov 8, 2024)
    This CVE describes an improper authorization vulnerability in CloudPanel that allows low-privilege users to bypass access controls. Attackers can gain...

CVE-2024-20482 (CVSS 6.5, Oct 23, 2024)
    This vulnerability allows authenticated users with custom read-only roles to elevate privileges on Cisco Secure Firewall Management Center devices. At...

CVE-2024-45132 (CVSS 6.5, Oct 10, 2024)
    CVE-2024-45132 is an improper authorization vulnerability in Adobe Commerce that allows low-privileged attackers to bypass security controls and escal...

About Incorrect Authorization (CWE-863)

CWE-863 covers code that does perform an authorization check before granting an actor access to a resource, but performs it incorrectly, so the check passes for actors it should reject. It is the sibling of CWE-862 (Missing Authorization), where no check exists at all; both are children of CWE-285 (Improper Authorization). The entries above show the usual ways a check goes wrong: it tests a broader relationship than the policy requires (an organization member is treated as holding every collection grant, as in CVE-2026-26012; a moderator passes a check intended for administrators, as in CVE-2025-69218), it validates a token's signature but not the claim that scopes it (an ID token accepted in place of an access token because the audience claim is not checked, as in CVE-2025-68129), or the restriction exists only in the user interface and is absent from the API the interface calls (CVE-2024-7039). The practical consequence for testing is that authorization must be exercised at the API layer, with low-privilege accounts and with object identifiers belonging to other principals, because a check that merely exists looks correct from the UI.

Our database tracks 710 CVEs classified as CWE-863, with 138 rated critical and 315 rated high severity. The average CVSS score for Incorrect Authorization vulnerabilities is 7.3, and 3 of them are listed in the CISA Known Exploited Vulnerabilities catalog.
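The following is an added illustration of the pattern the definition describes, written for this page; it is not code from any product listed above. It assumes a constructed data model (an organization with members, collections and stored entries called ciphers, echoing the vaultwarden entry) in which the policy is that a member may read a cipher only if they hold a grant on that cipher's collection. The first function performs a real authorization check that tests the wrong relationship; the second tests the one the policy requires; the enumeration helper is the check a reviewer runs to see the difference.

```python
"""CWE-863 illustrated: an authorization check that runs, but tests the wrong thing.

Constructed example for this page; not code from any product listed above.
Assumed model: an organization has members, each member holds grants on zero
or more collections, and every stored entry ("cipher") belongs to exactly one
collection. Policy: a member may read a cipher only if they hold a grant on
that cipher's collection. Organization membership alone grants nothing.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set


@dataclass(frozen=True)
class Cipher:
    cipher_id: str
    org_id: str
    collection_id: str
    secret: str


@dataclass(frozen=True)
class Member:
    user_id: str
    org_id: str
    collections: FrozenSet[str] = frozenset()  # collection ids this member may read


class AuthorizationError(PermissionError):
    """Raised when the requester is not allowed to read the requested cipher."""


# Constructed sample data: one organization with two collections, plus an outsider.
CIPHERS: Dict[str, Cipher] = {
    "c1": Cipher("c1", "org-1", "col-engineering", "db-password-1"),
    "c2": Cipher("c2", "org-1", "col-finance", "bank-token-2"),
    "c3": Cipher("c3", "org-2", "col-ops", "ssh-key-3"),
}
ALICE = Member("alice", "org-1", frozenset({"col-engineering"}))  # org-1, engineering only
MALLORY = Member("mallory", "org-2", frozenset({"col-ops"}))      # a different organization


def read_cipher_vulnerable(member: Member, cipher_id: str) -> str:
    """The check runs, but confirms the wrong relationship (CWE-863).

    It verifies that the requester belongs to the cipher's organization and
    stops there, so any org member can read any cipher in the org regardless
    of the collections they were granted. cipher_id is client-supplied, which
    is the same shape as an IDOR in an API endpoint.
    """
    cipher = CIPHERS[cipher_id]
    if member.org_id != cipher.org_id:
        raise AuthorizationError("not a member of this organization")
    return cipher.secret


def read_cipher_fixed(member: Member, cipher_id: str) -> str:
    """Same entry point with the check the policy actually requires.

    Both conditions are evaluated against the object that was looked up, and
    the default is deny: passing the org check is necessary but not sufficient.
    """
    cipher = CIPHERS[cipher_id]
    if member.org_id != cipher.org_id:
        raise AuthorizationError("not a member of this organization")
    if cipher.collection_id not in member.collections:
        raise AuthorizationError("no grant on collection %s" % cipher.collection_id)
    return cipher.secret


def exposed_ciphers(check: Callable[[Member, str], str], member: Member) -> Set[str]:
    """Enumerate every cipher id the given check lets `member` read.

    This is the review test for an authorization function: walk the object
    space with a low-privilege principal and compare the result with policy.
    """
    readable: Set[str] = set()
    for cipher_id in CIPHERS:
        try:
            check(member, cipher_id)
        except AuthorizationError:
            continue
        readable.add(cipher_id)
    return readable


if __name__ == "__main__":
    print("vulnerable, alice:", sorted(exposed_ciphers(read_cipher_vulnerable, ALICE)))  # ['c1', 'c2']
    print("fixed, alice:     ", sorted(exposed_ciphers(read_cipher_fixed, ALICE)))       # ['c1']
    print("fixed, mallory:   ", sorted(exposed_ciphers(read_cipher_fixed, MALLORY)))     # ['c3']
```

The vulnerable function is not missing a check (that would be CWE-862); it checks something true but insufficient, which is why it survives casual review and UI-driven testing. The enumeration helper is the habit worth keeping: for each authorization function, drive it with a principal that should see little and list what it actually returns.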

External reference: CWE-863 on MITRE CWE, https://cwe.mitre.org/data/definitions/863.html
