CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14623 vulnerabilities reference this CWE, most recent first.
GHSA-VFVQ-VR53-W2JG
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31Missing Authorization vulnerability in WBW Plugins WBW Currency Switcher for WooCommerce woo-currency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WBW Currency Switcher for WooCommerce: from n/a through <= 2.2.5.
{
"affected": [],
"aliases": [
"CVE-2026-32410"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:54:57Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WBW Plugins WBW Currency Switcher for WooCommerce woo-currency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WBW Currency Switcher for WooCommerce: from n/a through \u003c= 2.2.5.",
"id": "GHSA-vfvq-vr53-w2jg",
"modified": "2026-03-13T21:31:49Z",
"published": "2026-03-13T21:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32410"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/woo-currency/vulnerability/wordpress-wbw-currency-switcher-for-woocommerce-plugin-2-2-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VG28-9F43-GMH5
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2023-10-27 14:13Jenkins Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:tfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.157.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21636"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-15T16:59:25Z",
"nvd_published_at": "2021-03-30T12:16:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-vg28-9f43-gmh5",
"modified": "2023-10-27T14:13:17Z",
"published": "2022-05-24T17:45:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21636"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/tfs-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-03-30/#SECURITY-2283%20(1)"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/03/30/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing permission check in Jenkins Team Foundation Server Plugin allows enumerating credentials IDs"
}
GHSA-VG3C-WMWV-CGG7
Vulnerability from github – Published: 2025-09-06 18:30 – Updated: 2025-09-06 18:30Missing authorization in AMD RomArmor could allow an attacker to bypass ROMArmor protections during system resume from a standby state, potentially resulting in a loss of confidentiality and integrity.
{
"affected": [],
"aliases": [
"CVE-2024-36326"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-06T18:15:39Z",
"severity": "HIGH"
},
"details": "Missing authorization in AMD RomArmor could allow an attacker to bypass ROMArmor protections during system resume from a standby state, potentially resulting in a loss of confidentiality and integrity.",
"id": "GHSA-vg3c-wmwv-cgg7",
"modified": "2025-09-06T18:30:33Z",
"published": "2025-09-06T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36326"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4012.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VG3R-VR52-6V9G
Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2024-04-04 06:03In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
{
"affected": [],
"aliases": [
"CVE-2023-33881"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T09:15:12Z",
"severity": "MODERATE"
},
"details": "In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.",
"id": "GHSA-vg3r-vr52-6v9g",
"modified": "2024-04-04T06:03:11Z",
"published": "2023-07-12T09:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33881"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1676902764208259073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VG3W-GQWR-GVV2
Vulnerability from github – Published: 2025-04-09 18:30 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in Asaquzzaman mishu Woo Product Feed For Marketing Channels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woo Product Feed For Marketing Channels: from n/a through 1.9.0.
{
"affected": [],
"aliases": [
"CVE-2025-31377"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T17:15:36Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in Asaquzzaman mishu Woo Product Feed For Marketing Channels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woo Product Feed For Marketing Channels: from n/a through 1.9.0.",
"id": "GHSA-vg3w-gqwr-gvv2",
"modified": "2026-04-01T18:34:34Z",
"published": "2025-04-09T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31377"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/woocommerce-to-google-merchant-center/vulnerability/wordpress-woo-product-feed-for-marketing-channels-1-9-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG43-9R8M-Q2CC
Vulnerability from github – Published: 2026-06-12 21:31 – Updated: 2026-07-14 15:32Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type//drafts and overwrite the draft associated with another user's post.
{
"affected": [],
"aliases": [
"CVE-2026-10715"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T19:16:25Z",
"severity": "MODERATE"
},
"details": "Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/\u003cPOST_TYPE_ID\u003e/drafts and overwrite the draft associated with another user\u0027s post.",
"id": "GHSA-vg43-9r8m-q2cc",
"modified": "2026-07-14T15:32:01Z",
"published": "2026-06-12T21:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10715"
},
{
"type": "WEB",
"url": "https://github.com/owen2345/camaleon-cms/pull/1196"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/es/advisories/billie"
},
{
"type": "WEB",
"url": "https://github.com/owen2345/camaleon-cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VG5R-G84J-286H
Vulnerability from github – Published: 2024-07-09 09:30 – Updated: 2026-04-08 18:33The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the product_designer_ajax_delete_attach_id() function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
{
"affected": [],
"aliases": [
"CVE-2024-3608"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T09:15:05Z",
"severity": "MODERATE"
},
"details": "The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the product_designer_ajax_delete_attach_id() function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary attachments.",
"id": "GHSA-vg5r-g84j-286h",
"modified": "2026-04-08T18:33:32Z",
"published": "2024-07-09T09:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3608"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/product-designer/trunk/includes/designer-function.php#L412"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3129823/product-designer/trunk/includes/designer-function.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f127fe5-67b8-40e1-a916-c607410b08b3?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VG6G-2P3V-PX29
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-04-01 18:36Missing Authorization vulnerability in Stylemix MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MasterStudy LMS: from n/a through 3.6.15.
{
"affected": [],
"aliases": [
"CVE-2025-54744"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T17:15:38Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Stylemix MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MasterStudy LMS: from n/a through 3.6.15.",
"id": "GHSA-vg6g-2p3v-px29",
"modified": "2026-04-01T18:36:07Z",
"published": "2025-09-05T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54744"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/masterstudy-lms-learning-management-system/vulnerability/wordpress-masterstudy-lms-plugin-3-6-15-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VG6X-6PG9-6QWG
Vulnerability from github – Published: 2026-07-16 20:08 – Updated: 2026-07-16 20:08Impact
The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an UPDATE_SCHEMA authorization check to a single schema-mutating method (LocalDocumentType.createProperty). The remaining public schema mutators were left unchecked, so an authenticated identity (including a read-only API token) that lacks the UPDATE_SCHEMA permission could still mutate the database schema on its own database:
DROP PROPERTY <type>.<property>ALTER TYPE <name> SUPERTYPE +<other>/-<other>(change the inheritance hierarchy)ALTER TYPE <name> NAME <newName>(rename a type)- type alias and bucket changes
ALTER PROPERTY <type>.<property> ...(MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) — theLocalPropertysetters had no check at all
This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises UPDATE_SCHEMA as the gating right for schema mutation.
Affected component
Engine schema layer: engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java and engine/src/main/java/com/arcadedb/schema/LocalProperty.java, reachable via the SQL DROP PROPERTY, ALTER TYPE, and ALTER PROPERTY statements over the database command/query HTTP endpoints.
Patches
Every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.
Workarounds
Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.
Resources
Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.
Credit
Reported by Kai Aizen (SnailSploit).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.arcadedb:arcadedb-engine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54076"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-16T20:08:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an `UPDATE_SCHEMA` authorization check to a single schema-mutating method (`LocalDocumentType.createProperty`). The remaining public schema mutators were left unchecked, so an authenticated identity (including a **read-only API token**) that lacks the `UPDATE_SCHEMA` permission could still mutate the database schema on its own database:\n\n- `DROP PROPERTY \u003ctype\u003e.\u003cproperty\u003e`\n- `ALTER TYPE \u003cname\u003e SUPERTYPE +\u003cother\u003e` / `-\u003cother\u003e` (change the inheritance hierarchy)\n- `ALTER TYPE \u003cname\u003e NAME \u003cnewName\u003e` (rename a type)\n- type alias and bucket changes\n- `ALTER PROPERTY \u003ctype\u003e.\u003cproperty\u003e ...` (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) \u2014 the `LocalProperty` setters had no check at all\n\nThis does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises `UPDATE_SCHEMA` as the gating right for schema mutation.\n\n### Affected component\n\nEngine schema layer: `engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java` and `engine/src/main/java/com/arcadedb/schema/LocalProperty.java`, reachable via the SQL `DROP PROPERTY`, `ALTER TYPE`, and `ALTER PROPERTY` statements over the database command/query HTTP endpoints.\n\n### Patches\n\nEvery public schema-mutating method on `LocalDocumentType` and `LocalProperty` now enforces `checkPermissionsOnDatabase(UPDATE_SCHEMA)` via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.\n\n### Workarounds\n\nGrant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.\n\n### Resources\n\nIncomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.\n\n### Credit\n\nReported by Kai Aizen (SnailSploit).",
"id": "GHSA-vg6x-6pg9-6qwg",
"modified": "2026-07-16T20:08:24Z",
"published": "2026-07-16T20:08:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-vg6x-6pg9-6qwg"
},
{
"type": "PACKAGE",
"url": "https://github.com/ArcadeData/arcadedb"
},
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/releases/tag/26.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)"
}
GHSA-VG73-QC4G-3QVJ
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13This issue was addressed with improved checks. This issue is fixed in iOS 14.5 and iPadOS 14.5. A person with physical access to an iOS device may be able to access notes from the lock screen.
{
"affected": [],
"aliases": [
"CVE-2021-1835"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T15:15:00Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved checks. This issue is fixed in iOS 14.5 and iPadOS 14.5. A person with physical access to an iOS device may be able to access notes from the lock screen.",
"id": "GHSA-vg73-qc4g-3qvj",
"modified": "2022-05-24T19:13:36Z",
"published": "2022-05-24T19:13:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1835"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212317"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.