CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5561 vulnerabilities reference this CWE, most recent first.
GHSA-27H4-9W4J-CP97
Vulnerability from github – Published: 2024-03-07 03:30 – Updated: 2024-03-07 03:30A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of manage_group_access_tokens to rotate group access tokens with owner privileges.
{
"affected": [],
"aliases": [
"CVE-2024-1299"
],
"database_specific": {
"cwe_ids": [
"CWE-268",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-07T01:15:52Z",
"severity": "MODERATE"
},
"details": "A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges.",
"id": "GHSA-27h4-9w4j-cp97",
"modified": "2024-03-07T03:30:40Z",
"published": "2024-03-07T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1299"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2356976"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/440745"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-27MX-5G65-22G6
Vulnerability from github – Published: 2024-11-25 18:33 – Updated: 2024-11-25 18:33Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the "View Password" permission via specific actions.
{
"affected": [],
"aliases": [
"CVE-2024-11670"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-25T15:15:05Z",
"severity": "MODERATE"
},
"details": "Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the \"View Password\" permission via specific actions.",
"id": "GHSA-27mx-5g65-22g6",
"modified": "2024-11-25T18:33:26Z",
"published": "2024-11-25T18:33:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11670"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2024-0015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-27PR-R7HM-C2RC
Vulnerability from github – Published: 2023-07-19 18:30 – Updated: 2024-10-29 21:49Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:dimensionsscm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32261"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T23:03:10Z",
"nvd_published_at": "2023-07-19T16:15:09Z",
"severity": "MODERATE"
},
"details": "Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.\n\nAn enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.",
"id": "GHSA-27pr-r7hm-c2rc",
"modified": "2024-10-29T21:49:01Z",
"published": "2023-07-19T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32261"
},
{
"type": "WEB",
"url": "https://plugins.jenkins.io/dimensionsscm"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000019297"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-06-14"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing permission check in Jenkins Dimensions Plugin allows enumerating credentials IDs"
}
GHSA-27VP-2MMC-VMH3
Vulnerability from github – Published: 2026-05-28 19:55 – Updated: 2026-05-28 19:55Summary
The nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket.
Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with "allow bash" policy so that it can invoke arbitrary host tools like make, gcc, etc. to write code.
Reproducer
Here, instead of running a tool like opencode or claude one can just invoke systemd-run, but this is something an agent could be tricked into doing:
$ cd ~/src/myproject
$ nono run -s --allow-cwd --profile claude-code -- \
systemd-run --user -q --wait --collect \
/bin/sh -c "echo oops > ~/Documents/escaped.txt"
$ cat /var/home/test/Documents/escaped.txt
oops
$
Impact
Complete sandbox escape. The unsandboxed sibling process can write anywhere the user can write, spawn arbitrary processes with network access, etc.
Maintainer Context
This issue allows a process running inside the sandbox to escape confinement by interacting with local user-scoped IPC mechanisms and regain the authority already held by the invoking user or service account.
The issue impacts the sandbox’s confinement and blast-radius reduction guarantees for agents and sandboxed tooling. However, exploitation does not provide privilege escalation, cross-user access, or host compromise beyond the permissions already available to the launcher outside the sandbox.
This issue affects the CLI policy layer and bundled sandbox profiles. The underlying core library nono does not ship with policy definitions or agent-facing confinement profiles by default, nor do the language SDKs.
This is considered a serious issue because an AI agent or untrusted command stream operating within the sandbox could abuse the bypass to perform unauthorized or destructive actions using the delegated authority of the launching user.
The root cause was incomplete mediation of local Unix domain socket access within affected sandbox policies. Support for restricting this behavior has since been added and the fix is available in the repository pending release.
CVSS rationale: exploitation requires execution within a locally launched sandboxed process using the authority already delegated by the invoking user or service account (AV:L/PR:L). The issue allows reliable bypass of sandbox confinement and policy guarantees, resulting in high integrity impact (I:H) and limited availability impact (A:L) through destructive actions within the launcher’s existing permissions. However, the issue does not provide privilege escalation, cross-user access, or a change in security scope (S:U).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "nono-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.55.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47128"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T19:55:40Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket.\n\nThreat scenario: Running Aider, Claude Code, OpenCode or similar tools with \"allow bash\" policy so that it can invoke arbitrary host tools like `make`, `gcc`, etc. to write code.\n\n### Reproducer\n\nHere, instead of running a tool like `opencode` or `claude` one can just invoke `systemd-run`, but this is something an agent could be tricked into doing:\n\n```bash\n$ cd ~/src/myproject\n$ nono run -s --allow-cwd --profile claude-code -- \\\n systemd-run --user -q --wait --collect \\\n /bin/sh -c \"echo oops \u003e ~/Documents/escaped.txt\"\n$ cat /var/home/test/Documents/escaped.txt\noops\n$\n```\n\n### Impact\n\nComplete sandbox escape. The unsandboxed sibling process can write anywhere the user can write, spawn arbitrary processes with network access, etc.\n\n### Maintainer Context\n\nThis issue allows a process running inside the sandbox to escape confinement by interacting with local user-scoped IPC mechanisms and regain the authority already held by the invoking user or service account.\n\nThe issue impacts the sandbox\u2019s confinement and blast-radius reduction guarantees for agents and sandboxed tooling. However, exploitation does not provide privilege escalation, cross-user access, or host compromise beyond the permissions already available to the launcher outside the sandbox.\n\nThis issue affects the CLI policy layer and bundled sandbox profiles. The underlying core library `nono` does not ship with policy definitions or agent-facing confinement profiles by default, nor do the language SDKs.\n\nThis is considered a serious issue because an AI agent or untrusted command stream operating within the sandbox could abuse the bypass to perform unauthorized or destructive actions using the delegated authority of the launching user.\n\nThe root cause was incomplete mediation of local Unix domain socket access within affected sandbox policies. Support for restricting this behavior has since been added and the fix is available in the repository pending release.\n\nCVSS rationale: exploitation requires execution within a locally launched sandboxed process using the authority already delegated by the invoking user or service account (`AV:L/PR:L`). The issue allows reliable bypass of sandbox confinement and policy guarantees, resulting in high integrity impact (`I:H`) and limited availability impact (`A:L`) through destructive actions within the launcher\u2019s existing permissions. However, the issue does not provide privilege escalation, cross-user access, or a change in security scope (`S:U`).",
"id": "GHSA-27vp-2mmc-vmh3",
"modified": "2026-05-28T19:55:40Z",
"published": "2026-05-28T19:55:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/always-further/nono/security/advisories/GHSA-27vp-2mmc-vmh3"
},
{
"type": "PACKAGE",
"url": "https://github.com/always-further/nono"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "nono: Sandbox escape on Linux via D-Bus: `systemd-run --user`"
}
GHSA-27WX-PVWM-CFH2
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.
An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.
{
"affected": [],
"aliases": [
"CVE-2026-54398"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:56Z",
"severity": "MODERATE"
},
"details": "An authorization flaw in MISP\u2019s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.\n\nAn attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.",
"id": "GHSA-27wx-pvwm-cfh2",
"modified": "2026-06-13T00:34:33Z",
"published": "2026-06-13T00:34:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54398"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/4fe48c523e66999d65f99fdec9508adb3aa1c0f3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2854-JQ38-8GRQ
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-07-13 00:01Incorrect Access Control in Tranquil WAPT Enterprise - before 1.8.2.7373 and before 2.0.0.9450 allows guest OS users to escalate privileges via WAPT Agent.
{
"affected": [],
"aliases": [
"CVE-2021-38608"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-16T20:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect Access Control in Tranquil WAPT Enterprise - before 1.8.2.7373 and before 2.0.0.9450 allows guest OS users to escalate privileges via WAPT Agent.",
"id": "GHSA-2854-jq38-8grq",
"modified": "2022-07-13T00:01:35Z",
"published": "2022-05-24T19:11:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38608"
},
{
"type": "WEB",
"url": "https://www.tranquil.it/en/manage-it-equipment/discover-wapt"
},
{
"type": "WEB",
"url": "https://www.wapt.fr/fr/doc/wapt-security-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2865-989Q-255F
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-08 00:00A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem
{
"affected": [],
"aliases": [
"CVE-2020-35501"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T16:15:00Z",
"severity": "LOW"
},
"details": "A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem",
"id": "GHSA-2865-989q-255f",
"modified": "2022-04-08T00:00:31Z",
"published": "2022-03-31T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35501"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1908577"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2866-FXPG-497J
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in.
{
"affected": [],
"aliases": [
"CVE-2019-20484"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-05T22:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in.",
"id": "GHSA-2866-fxpg-497j",
"modified": "2022-05-24T17:37:58Z",
"published": "2022-05-24T17:37:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20484"
},
{
"type": "WEB",
"url": "https://www.gosecure.net/blog/2020/12/15/vera-stored-xss-improper-access-control"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-286R-9GCV-CP56
Vulnerability from github – Published: 2022-01-25 00:01 – Updated: 2022-01-29 00:01The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally.
{
"affected": [],
"aliases": [
"CVE-2021-24733"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-24T08:15:00Z",
"severity": "MODERATE"
},
"details": "The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users\u0027 draft and password-protected posts which they cannot view normally.",
"id": "GHSA-286r-9gcv-cp56",
"modified": "2022-01-29T00:01:07Z",
"published": "2022-01-25T00:01:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24733"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/a7fa5896-5a1d-44c6-985c-e4abcc53da0e"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-28G5-FVW4-57W5
Vulnerability from github – Published: 2023-02-07 00:30 – Updated: 2023-02-15 18:30In Boa, there is a possible escalation of privilege due to a missing permission check. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.
{
"affected": [],
"aliases": [
"CVE-2021-31577"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-06T22:15:00Z",
"severity": "CRITICAL"
},
"details": "In Boa, there is a possible escalation of privilege due to a missing permission check. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.",
"id": "GHSA-28g5-fvw4-57w5",
"modified": "2023-02-15T18:30:21Z",
"published": "2023-02-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31577"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-acknowledgements"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.