Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14556 vulnerabilities reference this CWE, most recent first.

GHSA-8CH6-WP35-JV3J

Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32
VLAI
Details

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T14:15:37Z",
    "severity": "HIGH"
  },
  "details": "A CWE-862 \"Missing Authorization\" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.",
  "id": "GHSA-8ch6-wp35-jv3j",
  "modified": "2025-02-12T15:32:01Z",
  "published": "2025-02-12T15:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26369"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26369"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CHJ-QW3C-W355

Vulnerability from github – Published: 2024-02-09 06:32 – Updated: 2026-04-08 18:32
VLAI
Details

The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-09T05:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The Event Manager, Events Calendar, Events Tickets for WooCommerce \u2013 Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.",
  "id": "GHSA-8chj-qw3c-w355",
  "modified": "2026-04-08T18:32:35Z",
  "published": "2024-02-09T06:32:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1122"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3033231/wp-event-solution/tags/3.3.51/core/admin/hooks.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CM3-4QFX-PWVC

Vulnerability from github – Published: 2024-10-11 15:30 – Updated: 2024-10-11 15:30
VLAI
Details

The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T13:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.",
  "id": "GHSA-8cm3-4qfx-pwvc",
  "modified": "2024-10-11T15:30:33Z",
  "published": "2024-10-11T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9707"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WordPressBugBounty/plugins-hunk-companion/blob/5a3cedc7b3d35d407b210e691c53c6cb400e4051/hunk-companion/import/app/app.php#L46"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3166501%40hunk-companion\u0026new=3166501%40hunk-companion\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/hunk-companion"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c101fca-037c-4bed-9dc7-baa021a8b59c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CMP-8CWC-QCV3

Vulnerability from github – Published: 2025-08-15 03:30 – Updated: 2025-08-15 03:30
VLAI
Details

The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-15T03:15:36Z",
    "severity": "HIGH"
  },
  "details": "The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.",
  "id": "GHSA-8cmp-8cwc-qcv3",
  "modified": "2025-08-15T03:30:31Z",
  "published": "2025-08-15T03:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8342"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4358"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4373"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3338150%40login-with-phone-number\u0026new=3338150%40login-with-phone-number\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e74582f-8e94-4cba-a3eb-0a823a5235ad?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CMQ-FRJC-CJC8

Vulnerability from github – Published: 2024-06-14 06:34 – Updated: 2024-06-14 06:34
VLAI
Details

Missing Authorization vulnerability in WPEverest Everest Forms.This issue affects Everest Forms: from n/a through 2.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-14T06:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in WPEverest Everest Forms.This issue affects Everest Forms: from n/a through 2.0.3.",
  "id": "GHSA-8cmq-frjc-cjc8",
  "modified": "2024-06-14T06:34:48Z",
  "published": "2024-06-14T06:34:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51377"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/everest-forms/wordpress-everest-forms-plugin-2-0-3-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CP8-922F-XC53

Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2026-04-01 18:32
VLAI
Details

Missing Authorization vulnerability in QunatumCloud Floating Buttons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Floating Buttons for WooCommerce: from n/a through 2.8.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T17:15:54Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in QunatumCloud Floating Buttons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Floating Buttons for WooCommerce: from n/a through 2.8.8.",
  "id": "GHSA-8cp8-922f-xc53",
  "modified": "2026-04-01T18:32:34Z",
  "published": "2024-11-19T18:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52395"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/shop-assistant-for-woocommerce-jarvis/vulnerability/wordpress-floating-buttons-for-woocommerce-plugin-2-8-8-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/shop-assistant-for-woocommerce-jarvis/wordpress-floating-buttons-for-woocommerce-plugin-2-8-8-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CQ7-M6J9-QW55

Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34
VLAI
Details

Missing Authorization vulnerability in Sharaz Shahid Simple Sticky Add To Cart For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Sticky Add To Cart For WooCommerce: from n/a through 1.4.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T15:16:26Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Sharaz Shahid Simple Sticky Add To Cart For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Sticky Add To Cart For WooCommerce: from n/a through 1.4.5.",
  "id": "GHSA-8cq7-m6j9-qw55",
  "modified": "2026-04-01T18:34:22Z",
  "published": "2025-04-01T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31854"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/sticky-add-to-cart-woo/vulnerability/wordpress-simple-sticky-add-to-cart-for-woocommerce-plugin-1-4-5-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CW5-2QQR-3XVC

Vulnerability from github – Published: 2025-01-22 15:32 – Updated: 2026-04-01 18:33
VLAI
Details

Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-22T15:15:21Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2.",
  "id": "GHSA-8cw5-2qqr-3xvc",
  "modified": "2026-04-01T18:33:21Z",
  "published": "2025-01-22T15:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23684"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/debug-tool/vulnerability/wordpress-debug-tool-plugin-2-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CW5-9CWW-C669

Vulnerability from github – Published: 2024-06-09 09:30 – Updated: 2024-06-09 09:30
VLAI
Details

Missing Authorization vulnerability in Pluggabl LLC Booster Plus for WooCommerce.This issue affects Booster Plus for WooCommerce: from n/a before 7.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-09T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Pluggabl LLC Booster Plus for WooCommerce.This issue affects Booster Plus for WooCommerce: from n/a before 7.1.2.",
  "id": "GHSA-8cw5-9cww-c669",
  "modified": "2024-06-09T09:30:34Z",
  "published": "2024-06-09T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52232"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/booster-plus-for-woocommerce/wordpress-booster-plus-for-woocommerce-plugin-7-1-2-authenticated-arbitrary-post-page-deletion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CW6-53M5-4932

Vulnerability from github – Published: 2026-01-27 22:13 – Updated: 2026-01-29 03:43
VLAI
Summary
StudioCMS has Authorization Bypass Through User-Controlled Key
Details

Summary

StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users.

Details

The Issue: The endpoint /dashboard/content-management/edit?edit={UUID} validates user authentication but does NOT validate: 1. User role (should require Editor/Admin/Owner) 2. Content ownership (should verify the draft belongs to the user)

This allows users with "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.

PoC

  • User A: Editor role (example username: dummy04)
  • User B: Visitor role (example username: dummy01)

Reproduction Steps:

Step 1 - Create draft as Editor:

  1. Login as User A (Editor role)
  2. Navigate to: http://localhost:4321/dashboard/content-management
  3. Create new content (it will stay as draft)
  4. After saving, note the UUID in the URL:
   http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148

Copy this UUID: bad87630-69a4-4cd6-bcb2-6965839dc148

Step 2 - Access draft as Visitor:

  1. Login as Visitor and get auth_session cookie
curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$'

01

  1. Proof of Visitor permission 02

  2. Access Editor's draft using the UUID

curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q" -v

Result: Returns full HTML page with draft content (200 OK)

Impact

Impact Scenarios:

  1. Information Disclosure:
  2. Visitor users can read unpublished drafts containing sensitive information
  3. Drafts may contain confidential business information, unreleased announcements, or proprietary content
  4. Competitive intelligence could be gathered from draft content

  5. Privacy Violation:

  6. Personal notes, work-in-progress content, or internal communications in drafts exposed
  7. Violation of content creator privacy expectations

  8. Business Impact:

  9. Premature disclosure of marketing campaigns, product launches, or announcements
  10. Loss of competitive advantage if draft strategies are exposed
  11. Potential compliance issues if drafts contain regulated information

  12. Complete RBAC Bypass:

  13. The entire role-based access control system for draft content is bypassed
  14. "Visitor" role becomes equivalent to "Editor" for read access to drafts
  15. Undermines the trust model of multi-user content management
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "studiocms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-27T22:13:52Z",
    "nvd_published_at": "2026-01-28T00:15:50Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nStudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the \"Visitor\" role to access draft content created by Editor/Admin/Owner users.\n\n### Details\n**The Issue:**\nThe endpoint `/dashboard/content-management/edit?edit={UUID}` validates user authentication but does NOT validate:\n1. User role (should require Editor/Admin/Owner)\n2. Content ownership (should verify the draft belongs to the user)\n\nThis allows users with \"Visitor\" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.\n\n### PoC\n   - **User A:** Editor role (example username: `dummy04`)\n   - **User B:** Visitor role (example username: `dummy01`)\n\n**Reproduction Steps:**\n\n**Step 1 - Create draft as Editor:**\n\n1. Login as User A (Editor role)\n2. Navigate to: `http://localhost:4321/dashboard/content-management`\n3. Create new content (it will stay as draft)\n4. After saving, note the UUID in the URL:\n````\n   http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148\n````\n   Copy this UUID: `bad87630-69a4-4cd6-bcb2-6965839dc148`\n\n**Step 2 - Access draft as Visitor:**\n\n1. Login as Visitor and get auth_session cookie\n```\ncurl -X POST \"http://127.0.0.1:4321/studiocms_api/auth/login\" -F \u0027username=dummy01\u0027 -F \u0027password=dummy01pass$\u0027\n```\n\u003cimg width=\"1128\" height=\"376\" alt=\"01\" src=\"https://github.com/user-attachments/assets/86c5290e-e7a2-470e-bbf5-5f5247eddec1\" /\u003e\n\n2. Proof of Visitor permission\n\u003cimg width=\"1899\" height=\"450\" alt=\"02\" src=\"https://github.com/user-attachments/assets/aabd47d3-163f-4a56-8296-08bd40c5ccdc\" /\u003e\n\n3. Access Editor\u0027s draft using the UUID\n```\ncurl \"http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148\" -H \"Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q\" -v\n```\n\n**Result:** Returns full HTML page with draft content (200 OK)\n\n### Impact\n**Impact Scenarios:**\n\n1. **Information Disclosure:**\n   - Visitor users can read unpublished drafts containing sensitive information\n   - Drafts may contain confidential business information, unreleased announcements, or proprietary content\n   - Competitive intelligence could be gathered from draft content\n\n2. **Privacy Violation:**\n   - Personal notes, work-in-progress content, or internal communications in drafts exposed\n   - Violation of content creator privacy expectations\n\n3. **Business Impact:**\n   - Premature disclosure of marketing campaigns, product launches, or announcements\n   - Loss of competitive advantage if draft strategies are exposed\n   - Potential compliance issues if drafts contain regulated information\n\n4. **Complete RBAC Bypass:**\n   - The entire role-based access control system for draft content is bypassed\n   - \"Visitor\" role becomes equivalent to \"Editor\" for read access to drafts\n   - Undermines the trust model of multi-user content management",
  "id": "GHSA-8cw6-53m5-4932",
  "modified": "2026-01-29T03:43:54Z",
  "published": "2026-01-27T22:13:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24134"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withstudiocms/studiocms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "StudioCMS has Authorization Bypass Through User-Controlled Key"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.