CWE-863: Incorrect Authorization

This vulnerability allows attackers to bypass security controls in GitLab EE and execute pipeline jobs as arbitrary users via scheduled security scan ...

This vulnerability in KubeVirt allows a compromised Kubernetes node to use the virt-handler service account to modify other node specifications, poten...

In LavinMQ versions before 2.6.8, authenticated users with the 'Policymaker' management tag can bypass access controls to create shovels, allowing the...

This CVE describes an authorization bypass in Grafana's dashboard permissions API where permission checks only validate the action permission without ...

This vulnerability in Viafirma Documents v3.7.129 allows authenticated users without proper privileges to access other users' data, manipulate user ac...

Nagios Log Server versions before 2024R1 have an incorrect authorization vulnerability where authenticated users without proper API permissions can ac...

MinIO versions before RELEASE.2025-10-15T17-29-55Z contain a privilege escalation vulnerability where restricted service accounts and STS accounts can...

Adobe Commerce has an incorrect authorization vulnerability that allows low-privileged attackers to bypass security controls and maintain unauthorized...

An access control vulnerability in CLI functionality allows authenticated users with limited privileges to execute administrative commands. This enabl...

This vulnerability in Oracle Lease and Finance Management allows authenticated attackers with network access to manipulate critical data or access sen...

This vulnerability in Incus versions 6.12 and 6.13 allows attackers to bypass MAC and IP filtering security options when using ACLs on bridged devices...

This vulnerability allows unauthenticated remote attackers to send malicious Modbus TCP packets to manipulate Digital Outputs on affected devices. Att...

CVE-2025-48475 is an authorization bypass vulnerability in FreeScout help desk software where authenticated users without mailbox or conversation acce...

FreeScout help desk software versions before 1.8.180 contain an access control vulnerability where users with 'show_only_assigned_conversations' enabl...

This vulnerability allows attackers with existing user accounts to escalate privileges by exploiting incorrect authorization checks in the update user...

This vulnerability in Oracle Customer Care allows authenticated attackers with low privileges to perform unauthorized data manipulation and access via...

This vulnerability in Oracle Project Foundation allows authenticated attackers with low privileges to manipulate or access sensitive data via HTTP req...

An incorrect authorization vulnerability in lunary-ai/lunary allows users with 'Member' role to regenerate private keys for projects they shouldn't ha...

This vulnerability in Oracle Contract Lifecycle Management for Public Sector allows authenticated attackers with network access via HTTP to perform un...

This vulnerability in Oracle Service Contracts allows authenticated attackers with low privileges to perform unauthorized data manipulation and access...

This vulnerability in Oracle Financials (E-Business Suite) allows authenticated attackers with low privileges to perform unauthorized data manipulatio...

This vulnerability in Oracle Work in Process allows authenticated attackers with network access to manipulate critical data or gain unauthorized acces...

This vulnerability in Oracle Cost Management allows authenticated attackers with network access to manipulate critical data or access sensitive inform...

This vulnerability in Oracle Incentive Compensation allows authenticated attackers with low privileges to perform unauthorized data manipulation and a...

This vulnerability in Oracle Field Service allows authenticated attackers with low privileges to perform unauthorized data manipulation and access sen...

This vulnerability in Oracle Site Hub allows authenticated attackers with low privileges to perform unauthorized data manipulation and access sensitiv...

This vulnerability allows authenticated attackers to bypass access controls in Symphony XTS Web Trading platform's Preference module APIs. By manipula...

This vulnerability in Kirby CMS allows attackers with Panel access to manipulate language definitions despite permission restrictions. Users with rest...

This vulnerability in Oracle Enterprise Asset Management allows authenticated attackers with low privileges to manipulate critical data or access sens...

CVE-2024-27312 is an authorization vulnerability in ManageEngine PAM360 version 6601 that allows low-privileged users to perform administrative action...

OpenFGA versions 1.5.0 to 1.5.2 contain an authorization bypass vulnerability in Check and ListObjects APIs when using models with exclusion or inters...

This vulnerability allows less privileged users to bypass file permission controls in Frappe framework, enabling them to delete or clone files they sh...

Silverpeas Core 6.3.1 and earlier versions have an incorrect access control vulnerability that allows low-privileged users to execute administrator-on...

This vulnerability allows attackers with valid Identity Provider credentials to impersonate any TOPdesk user by manipulating SAML responses through XM...

This vulnerability in evasys software allows authenticated attackers to bypass authorization controls and access unauthorized data through direct func...

CVE-2023-25017 is an incorrect authorization vulnerability in RIFARTEK IOT Wall devices that allows authenticated users with general privileges to acc...

CVE-2022-24721 is an authorization bypass vulnerability in CometD web messaging framework that allows any remote user to subscribe to and publish on i...

This vulnerability allows attackers to bypass Istio's URI path-based authorization policies by sending HTTP requests with URL fragments (#fragment) in...

CVE-2021-38137 is an improper authorization vulnerability in Corero SecureWatch Managed Services where swa-monitor and cns-monitor users can perform a...

This vulnerability allows authenticated remote attackers to bypass authorization controls on Cisco ASR 5000 Series devices running StarOS software. At...

This vulnerability in BuddyPress allows non-privileged users to escalate their privileges to administrator level by exploiting an issue in the REST AP...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Magento's customer API module. Attackers can access or modify other use...

This vulnerability allows low-privileged users in Coolify to invite themselves as administrators through a race condition exploit. By clicking the inv...

This vulnerability allows attackers to bypass authentication on affected GL-iNet routers by exploiting improperly generated session IDs (SIDs) that ar...

This vulnerability in the SDM600 web-authentication component allows attackers to escalate privileges on affected installations. It affects SDM600 dev...

This vulnerability in the Advanced Contact form 7 DB WordPress plugin allows any authenticated user to delete arbitrary files on the web server due to...

TimescaleDB versions before 2.5.2 contain a privilege escalation vulnerability during extension installation. An unprivileged database user can pre-cr...

This vulnerability allows third-party websites to trick Scratch users into revealing OAuth2 login codes, enabling attackers to impersonate users and g...

An incorrect authorization vulnerability in Adobe Dreamweaver Desktop allows attackers to execute arbitrary code with the current user's privileges. U...

This vulnerability allows memory corruption in the boot loader when loading invalid firmware, potentially enabling attackers to execute arbitrary code...