CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14558 vulnerabilities reference this CWE, most recent first.
GHSA-8G2J-5XH3-R35M
Vulnerability from github – Published: 2026-02-19 21:30 – Updated: 2026-02-20 18:31Missing Authorization vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.7.
{
"affected": [],
"aliases": [
"CVE-2026-27368"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T21:18:33Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in SeedProd Coming Soon Page, Under Construction \u0026 Maintenance Mode by SeedProd coming-soon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Coming Soon Page, Under Construction \u0026 Maintenance Mode by SeedProd: from n/a through \u003c= 6.19.7.",
"id": "GHSA-8g2j-5xh3-r35m",
"modified": "2026-02-20T18:31:32Z",
"published": "2026-02-19T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27368"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/coming-soon/vulnerability/wordpress-coming-soon-page-under-construction-maintenance-mode-by-seedprod-plugin-6-19-7-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8G2P-PQM3-FCFH
Vulnerability from github – Published: 2026-06-01 14:23 – Updated: 2026-06-01 14:23Summary
Type: Privilege escalation / cross-tenant member injection. The POST /workspaces/{workspace_id}/members endpoint is gated only by require_workspace_member(workspace_id) (default min_role="member") and forwards the request body's user_id and role straight into MemberService.add(workspace_id, user_id, role), which has no caller-permission check. A user with the lowest workspace privilege can add any user (including a new attacker-controlled second account, or an existing account they want to grief) as owner of the workspace.
File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 92-101; services/member_service.py, lines 26-38.
Root cause: MemberService.add validates only that role is in VALID_ROLES = {"owner", "admin", "member"} — the value, not the caller's right to assign it. The route's Depends(require_workspace_member) resolves to the default min_role="member". So a member-level token plus one POST gives the attacker an alternate identity with owner role inside the same workspace, bypassing every owner-only operation that would otherwise gate them.
Affected Code
File 1: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 92-101.
@router.post("/{workspace_id}/members", response_model=MemberResponse, status_code=status.HTTP_201_CREATED)
async def add_member(
workspace_id: str,
body: MemberAdd,
user: AuthIdentity = Depends(require_workspace_member), # <-- BUG: defaults to min_role="member"
session: AsyncSession = Depends(get_db),
):
member_svc = MemberService(session)
member = await member_svc.add(workspace_id, body.user_id, body.role) # <-- writes any (user, role)
return MemberResponse.model_validate(member)
File 2: src/praisonai-platform/praisonai_platform/services/member_service.py, lines 26-38.
async def add(
self,
workspace_id: str,
user_id: str,
role: str = "member",
) -> Member:
"""Add a user to a workspace."""
if role not in VALID_ROLES: # only validates the value
raise ValueError(f"Invalid role: {role}. Must be one of {VALID_ROLES}")
member = Member(workspace_id=workspace_id, user_id=user_id, role=role)
self._session.add(member) # <-- BUG: no caller-permission check
await self._session.flush()
return member
Why it's wrong: workspace member management is the textbook capability that must be gated on owner role. The role hierarchy is implemented (MemberService.has_role, member_service.py:80-96), the dependency-tunable min_role parameter exists (require_workspace_member(min_role), deps.py:58), but the POST .../members route uses neither. The VALID_ROLES enum check is purely cosmetic — it accepts "owner" from any caller because the route never asked whether the caller has the right to assign that role.
Exploit Chain
- Attacker registers two accounts (or recruits a member account on the target workspace
W). Account A is an existing member ofW; Account B is a fresh signup the attacker controls (any account on the platform —auth/registeris open by default). State: attacker holds tokens for both A and B. - Attacker authenticates as Account A and POSTs
Authorization: Bearer <A_jwt>toPOST /workspaces/W/memberswith body{"user_id": "<B_user_id>", "role": "owner"}. State: control flow entersadd_member. require_workspace_member(W, A)passes (A is a member).MemberService.add(W, B, "owner")writes a new rowMember(workspace_id=W, user_id=B, role="owner"). State: Account B is now a workspace-W owner.- Attacker switches to Account B and acts as workspace owner — change settings, add/remove members, delete the workspace, or pivot to the companion advisories' primitives. State: attacker holds owner of any workspace they had member access to, via a fresh attacker-controlled identity that the original workspace's audit logs cannot easily attribute to A.
- Final state: with one member-level token plus one POST, the attacker plants an owner-role identity on any workspace they can reach. The same primitive lets the attacker invite a competitor or external-vendor account into the workspace as owner, exfiltrating the workspace's content under that competitor's name.
Security Impact
Severity: sec-critical. CVSS 9.1: network attack, low complexity, low privileges (member tier), no user interaction, scope changed (the new owner is a different security principal), high confidentiality and integrity, no availability claim.
Attacker capability: with one workspace-member token plus one POST request, the attacker grants owner-tier access to any user_id on the platform. From there, full workspace control via the Account B token, plus indirect attribution: the original workspace's audit logs see "user A added user B as owner" but the audit trail cannot tell that B is attacker-controlled.
Preconditions: praisonai-platform is deployed multi-tenant; the attacker has any membership token in the target workspace; the attacker can register or knows any other user_id on the platform.
Differential: source-inspection-verified. The asymmetry between MemberService.has_role (clearly tiered) and add_member's default min_role="member" confirms the gap. With the suggested fix below, the gate refuses the member-tier token, the elevated POST returns 403, and the second-identity owner is never created.
Suggested Fix
--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
@@ -90,11 +90,15 @@
+def _require_workspace_owner(workspace_id: str, user, session):
+ return require_workspace_member(workspace_id, user, session, min_role="owner")
+
@router.post("/{workspace_id}/members", response_model=MemberResponse, status_code=status.HTTP_201_CREATED)
async def add_member(
workspace_id: str,
body: MemberAdd,
- user: AuthIdentity = Depends(require_workspace_member),
+ user: AuthIdentity = Depends(_require_workspace_owner),
session: AsyncSession = Depends(get_db),
):
member_svc = MemberService(session)
+ if body.role == "owner" and not await member_svc.has_role(workspace_id, user.id, "owner"):
+ raise HTTPException(status_code=403, detail="Only owners can add other owners")
member = await member_svc.add(workspace_id, body.user_id, body.role)
The four other workspace mutation endpoints (update_workspace, delete_workspace, update_member_role, remove_member) exhibit the same default-min-role gap and are filed as their own advisories.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "praisonai-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47413"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-01T14:23:39Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\n**Type:** Privilege escalation / cross-tenant member injection. The `POST /workspaces/{workspace_id}/members` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role=\"member\"`) and forwards the request body\u0027s `user_id` and `role` straight into `MemberService.add(workspace_id, user_id, role)`, which has no caller-permission check. A user with the lowest workspace privilege can add any user (including a new attacker-controlled second account, or an existing account they want to grief) as owner of the workspace.\n**File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 92-101; `services/member_service.py`, lines 26-38.\n**Root cause:** `MemberService.add` validates only that `role` is in `VALID_ROLES = {\"owner\", \"admin\", \"member\"}` \u2014 the value, not the caller\u0027s right to assign it. The route\u0027s `Depends(require_workspace_member)` resolves to the default `min_role=\"member\"`. So a member-level token plus one POST gives the attacker an alternate identity with owner role inside the same workspace, bypassing every owner-only operation that *would* otherwise gate them.\n\n## Affected Code\n\n**File 1:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 92-101.\n\n```python\n@router.post(\"/{workspace_id}/members\", response_model=MemberResponse, status_code=status.HTTP_201_CREATED)\nasync def add_member(\n workspace_id: str,\n body: MemberAdd,\n user: AuthIdentity = Depends(require_workspace_member), # \u003c-- BUG: defaults to min_role=\"member\"\n session: AsyncSession = Depends(get_db),\n):\n member_svc = MemberService(session)\n member = await member_svc.add(workspace_id, body.user_id, body.role) # \u003c-- writes any (user, role)\n return MemberResponse.model_validate(member)\n```\n\n**File 2:** `src/praisonai-platform/praisonai_platform/services/member_service.py`, lines 26-38.\n\n```python\nasync def add(\n self,\n workspace_id: str,\n user_id: str,\n role: str = \"member\",\n) -\u003e Member:\n \"\"\"Add a user to a workspace.\"\"\"\n if role not in VALID_ROLES: # only validates the value\n raise ValueError(f\"Invalid role: {role}. Must be one of {VALID_ROLES}\")\n member = Member(workspace_id=workspace_id, user_id=user_id, role=role)\n self._session.add(member) # \u003c-- BUG: no caller-permission check\n await self._session.flush()\n return member\n```\n\n**Why it\u0027s wrong:** workspace member management is the textbook capability that must be gated on owner role. The role hierarchy is implemented (`MemberService.has_role`, member_service.py:80-96), the dependency-tunable `min_role` parameter exists (`require_workspace_member(min_role)`, deps.py:58), but the `POST .../members` route uses neither. The `VALID_ROLES` enum check is purely cosmetic \u2014 it accepts `\"owner\"` from any caller because the route never asked whether the caller has the right to assign that role.\n\n## Exploit Chain\n\n1. Attacker registers two accounts (or recruits a member account on the target workspace `W`). Account A is an existing member of `W`; Account B is a fresh signup the attacker controls (any account on the platform \u2014 `auth/register` is open by default). State: attacker holds tokens for both A and B.\n2. Attacker authenticates as Account A and POSTs `Authorization: Bearer \u003cA_jwt\u003e` to `POST /workspaces/W/members` with body `{\"user_id\": \"\u003cB_user_id\u003e\", \"role\": \"owner\"}`. State: control flow enters `add_member`.\n3. `require_workspace_member(W, A)` passes (A is a member). `MemberService.add(W, B, \"owner\")` writes a new row `Member(workspace_id=W, user_id=B, role=\"owner\")`. State: Account B is now a workspace-W owner.\n4. Attacker switches to Account B and acts as workspace owner \u2014 change settings, add/remove members, delete the workspace, or pivot to the companion advisories\u0027 primitives. State: attacker holds owner of any workspace they had member access to, via a fresh attacker-controlled identity that the original workspace\u0027s audit logs cannot easily attribute to A.\n5. Final state: with one member-level token plus one POST, the attacker plants an owner-role identity on any workspace they can reach. The same primitive lets the attacker invite a competitor or external-vendor account into the workspace as owner, exfiltrating the workspace\u0027s content under that competitor\u0027s name.\n\n## Security Impact\n\n**Severity:** sec-critical. CVSS 9.1: network attack, low complexity, low privileges (member tier), no user interaction, scope changed (the new owner is a different security principal), high confidentiality and integrity, no availability claim.\n**Attacker capability:** with one workspace-member token plus one POST request, the attacker grants owner-tier access to any user_id on the platform. From there, full workspace control via the Account B token, plus indirect attribution: the original workspace\u0027s audit logs see \"user A added user B as owner\" but the audit trail cannot tell that B is attacker-controlled.\n**Preconditions:** `praisonai-platform` is deployed multi-tenant; the attacker has any membership token in the target workspace; the attacker can register or knows any other user_id on the platform.\n**Differential:** source-inspection-verified. The asymmetry between `MemberService.has_role` (clearly tiered) and `add_member`\u0027s default `min_role=\"member\"` confirms the gap. With the suggested fix below, the gate refuses the member-tier token, the elevated POST returns 403, and the second-identity owner is never created.\n\n## Suggested Fix\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py\n+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py\n@@ -90,11 +90,15 @@\n+def _require_workspace_owner(workspace_id: str, user, session):\n+ return require_workspace_member(workspace_id, user, session, min_role=\"owner\")\n+\n @router.post(\"/{workspace_id}/members\", response_model=MemberResponse, status_code=status.HTTP_201_CREATED)\n async def add_member(\n workspace_id: str,\n body: MemberAdd,\n- user: AuthIdentity = Depends(require_workspace_member),\n+ user: AuthIdentity = Depends(_require_workspace_owner),\n session: AsyncSession = Depends(get_db),\n ):\n member_svc = MemberService(session)\n+ if body.role == \"owner\" and not await member_svc.has_role(workspace_id, user.id, \"owner\"):\n+ raise HTTPException(status_code=403, detail=\"Only owners can add other owners\")\n member = await member_svc.add(workspace_id, body.user_id, body.role)\n```\n\nThe four other workspace mutation endpoints (`update_workspace`, `delete_workspace`, `update_member_role`, `remove_member`) exhibit the same default-min-role gap and are filed as their own advisories.",
"id": "GHSA-8g2p-pqm3-fcfh",
"modified": "2026-06-01T14:23:39Z",
"published": "2026-06-01T14:23:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8g2p-pqm3-fcfh"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members"
}
GHSA-8G3G-H53Q-CF7J
Vulnerability from github – Published: 2024-09-26 03:30 – Updated: 2024-09-26 03:30The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.
{
"affected": [],
"aliases": [
"CVE-2024-8552"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T03:15:03Z",
"severity": "MODERATE"
},
"details": "The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.",
"id": "GHSA-8g3g-h53q-cf7j",
"modified": "2024-09-26T03:30:40Z",
"published": "2024-09-26T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8552"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.8/src/AjaxHandler.php#L317"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3157424/#file17"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3acaedff-f616-4b66-9208-f7e6a4df920d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8G56-R329-Q772
Vulnerability from github – Published: 2024-07-09 09:30 – Updated: 2026-04-08 18:33The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_session' function in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the session token of the chatbot.
{
"affected": [],
"aliases": [
"CVE-2024-5993"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T09:15:08Z",
"severity": "MODERATE"
},
"details": "The Cliengo \u2013 Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027update_session\u0027 function in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the session token of the chatbot.",
"id": "GHSA-8g56-r329-q772",
"modified": "2026-04-08T18:33:32Z",
"published": "2024-07-09T09:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5993"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/cliengo/trunk/admin/class-cliengo-form.php#L109"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3118688"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a13e87d-51cd-43b0-a658-900a174738fc?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8G65-3569-FX34
Vulnerability from github – Published: 2024-01-03 00:30 – Updated: 2024-01-09 18:30There is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of health data with no additional execution privileges needed.
{
"affected": [],
"aliases": [
"CVE-2023-4164"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T22:15:08Z",
"severity": "HIGH"
},
"details": "There is a possible information\u00a0disclosure due to a missing permission check. This could lead to local\u00a0information disclosure of health data with no additional execution\u00a0privileges needed.\n",
"id": "GHSA-8g65-3569-fx34",
"modified": "2024-01-09T18:30:26Z",
"published": "2024-01-03T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4164"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/pixel-watch/2023/2023-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8G69-6RGJ-V638
Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31This issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2024-23230"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-08T02:15:47Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access sensitive user data.",
"id": "GHSA-8g69-6rgj-v638",
"modified": "2026-04-02T21:31:36Z",
"published": "2024-03-08T03:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23230"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120884"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120886"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120895"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214083"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214085"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214083"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214085"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/22"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8G77-X747-FHRQ
Vulnerability from github – Published: 2023-04-11 03:31 – Updated: 2023-04-14 21:30SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data.
{
"affected": [],
"aliases": [
"CVE-2023-1903"
],
"database_specific": {
"cwe_ids": [
"CWE-427",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-11T03:15:00Z",
"severity": "MODERATE"
},
"details": "SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data.\n\n",
"id": "GHSA-8g77-x747-fhrq",
"modified": "2023-04-14T21:30:25Z",
"published": "2023-04-11T03:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1903"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3301457"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8G8C-J78F-P955
Vulnerability from github – Published: 2026-02-03 15:30 – Updated: 2026-02-03 18:30Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Amelia: from n/a through <= 1.2.38.
{
"affected": [],
"aliases": [
"CVE-2026-24967"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T15:16:17Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Amelia: from n/a through \u003c= 1.2.38.",
"id": "GHSA-8g8c-j78f-p955",
"modified": "2026-02-03T18:30:42Z",
"published": "2026-02-03T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24967"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-1-2-38-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8G9R-287C-MCW4
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Adminimize: from n/a through 1.11.11.
{
"affected": [],
"aliases": [
"CVE-2026-49045"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T15:16:32Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Adminimize: from n/a through 1.11.11.",
"id": "GHSA-8g9r-287c-mcw4",
"modified": "2026-05-27T15:33:28Z",
"published": "2026-05-27T15:33:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49045"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/adminimize/vulnerability/wordpress-adminimize-plugin-1-11-11-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8GC6-9VPR-VW7H
Vulnerability from github – Published: 2025-06-20 15:30 – Updated: 2026-04-01 18:35Missing Authorization vulnerability in aThemeArt Translations eDS Responsive Menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects eDS Responsive Menu: from n/a through 1.2.
{
"affected": [],
"aliases": [
"CVE-2025-49971"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-20T15:15:22Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in aThemeArt Translations eDS Responsive Menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects eDS Responsive Menu: from n/a through 1.2.",
"id": "GHSA-8gc6-9vpr-vw7h",
"modified": "2026-04-01T18:35:30Z",
"published": "2025-06-20T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49971"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/eds-responsive-menu/vulnerability/wordpress-eds-responsive-menu-plugin-1-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.