CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5550 vulnerabilities reference this CWE, most recent first.
GHSA-2PCC-VJ7H-7FRV
Vulnerability from github – Published: 2022-04-03 00:01 – Updated: 2022-04-13 00:00On Arista Strata family products which have “TCAM profile” feature enabled when Port IPv4 access-list has a rule which matches on “vxlan” as protocol then that rule and subsequent rules ( rules declared after it in ACL ) do not match on IP protocol field as expected.
{
"affected": [],
"aliases": [
"CVE-2021-28504"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-01T23:15:00Z",
"severity": "HIGH"
},
"details": "On Arista Strata family products which have \u201cTCAM profile\u201d feature enabled when Port IPv4 access-list has a rule which matches on \u201cvxlan\u201d as protocol then that rule and subsequent rules ( rules declared after it in ACL ) do not match on IP protocol field as expected.",
"id": "GHSA-2pcc-vj7h-7frv",
"modified": "2022-04-13T00:00:53Z",
"published": "2022-04-03T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28504"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/15267-security-advisory-0073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PG6-WJCP-MMCQ
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2026-04-08 21:31The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including 3.9.0. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account. This does require the Usermeta shortcode be enabled to be exploited.
{
"affected": [],
"aliases": [
"CVE-2023-0814"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-14T02:15:00Z",
"severity": "MODERATE"
},
"details": "The Profile Builder \u2013 User Profile \u0026 User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including 3.9.0. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account. This does require the Usermeta shortcode be enabled to be exploited.",
"id": "GHSA-2pg6-wjcp-mmcq",
"modified": "2026-04-08T21:31:48Z",
"published": "2023-07-06T19:24:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0814"
},
{
"type": "WEB",
"url": "https://lana.codes/lanavdb/512e7307-04a5-4d8b-8f79-f75f37784a9f"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2864329%40profile-builder\u0026new=2864329%40profile-builder\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2023/03/vulnerability-patched-in-cozmolabs-profile-builder-plugin-information-disclosure-leads-to-account-takeover"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbedad66-a5a6-4fb5-b03e-0ecf9fbef19a"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbedad66-a5a6-4fb5-b03e-0ecf9fbef19a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PHX-FRHF-XR55
Vulnerability from github – Published: 2026-02-16 12:30 – Updated: 2026-02-19 19:34Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests.. Mattermost Advisory ID: MMSA-2025-00558
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-plugin-zoom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-0997"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-19T19:34:32Z",
"nvd_published_at": "2026-02-16T10:16:07Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.1.x \u003c= 11.1.2, 10.11.x \u003c= 10.11.9, 11.2.x \u003c= 11.2.1 and Mattermost Plugin Zoom versions \u003c=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests.. Mattermost Advisory ID: MMSA-2025-00558",
"id": "GHSA-2phx-frhf-xr55",
"modified": "2026-02-19T19:34:32Z",
"published": "2026-02-16T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0997"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-plugin-zoom/commit/a8b58c43625ab25746e451acc4f71515d52c8122"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost-plugin-zoom"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Plugin Zoom allows any logged-in user to change Zoom meeting restrictions for arbitrary channels"
}
GHSA-2PPX-66JV-WPW5
Vulnerability from github – Published: 2026-07-10 19:28 – Updated: 2026-07-10 19:28Summary
A resource-scoped API token can read script contents outside its allowed path scope via GET /api/w/{workspace}/scripts/list_search.
This appears to be a remaining variant of the scoped-token authorization class previously addressed for other endpoints. The route-level scope middleware validates the token domain/action, but does not enforce the resource/path segment of a scope. scripts/list_search then returns script path and content for scripts in the workspace without applying per-row path filtering against the token scopes.
Affected endpoint
GET /api/w/{workspace}/scripts/list_search
Affected versions
Confirmed in the current public repository code and believed to affect the latest published release at the time of review:
<= 1.714.1
Patched version: unknown.
Details
Windmill supports scoped API tokens with scopes in the format:
{domain}:{action}[:{resource}]
The parser supports resource-scoped values such as:
scripts:read:f/allowed/*
and the codebase contains helpers for resource matching, including wildcard matching.
However, the route-level scope check used for requests with scoped API tokens only validates the route domain and action. It does not compare the token's resource/path restriction against the requested route or against the rows returned by list endpoints.
For scripts/list_search, the handler returns path and content for scripts in the workspace:
SELECT path, content from script WHERE workspace_id = $1 AND archived = false LIMIT $2
There is no additional check_scopes(...) call in the handler and no per-row filtering based on the token's resource/path scope.
As a result, a token intended to read only scripts under one path prefix may be able to read script contents from unrelated paths in the same workspace.
Source-level reproduction
-
Create or use a workspace containing at least two scripts:
-
f/allowed/script_a -
f/private/script_b -
Create a scoped API token intended to read only the allowed path:
scripts:read:f/allowed/*
- Use that token to call:
GET /api/w/{workspace}/scripts/list_search
- Expected behavior:
The response should include only scripts matching the token's resource scope, e.g. only scripts under:
f/allowed/*
- Actual behavior from source review:
The route-level scope check accepts the request as scripts:read, and the handler returns script path and content for scripts in the workspace without filtering the rows by the token's resource scope.
This can expose script source code from paths outside the token's intended scope.
Impact
A user or integration holding a path-restricted scripts:read:{resource} token may be able to read script contents from unrelated scripts in the same workspace.
Depending on how scripts are used, this may disclose:
- internal automation logic,
- integration details,
- business logic,
- inline configuration,
- accidentally hardcoded secrets or credentials.
This does not require admin privileges. It requires possession of a valid scoped API token for the workspace.
Related context
This appears related to the broader class of issues where route-level token scope enforcement validates domain/action but not the resource/path portion of the scope. Similar scoped-token issues appear to have been fixed for other endpoints, such as resources/variables listing and job preview/run paths, but I did not find an equivalent fix for scripts/list_search.
Suggested fix
Apply resource/path scope enforcement to scripts/list_search.
Possible approaches:
- Add explicit handler-level authorization similar to per-resource endpoints.
- Filter returned rows so that a scoped token only receives scripts whose
pathis included by at least onescripts:read:{resource}scope. - Add regression tests for:
scripts:read:f/allowed/*cannot seef/private/script_b,- broad
scripts:readstill sees all accessible scripts, - unscoped tokens preserve current behavior,
- filter-tag-only tokens preserve current compatibility behavior.
A more defensive long-term fix would be to make route-level scope enforcement aware of resource/path restrictions where the route contains a concrete resource path, while list endpoints should apply per-row filtering.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.714.1"
},
"package": {
"ecosystem": "crates.io",
"name": "windmill-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.715.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54136"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T19:28:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nA resource-scoped API token can read script contents outside its allowed path scope via `GET /api/w/{workspace}/scripts/list_search`.\n\nThis appears to be a remaining variant of the scoped-token authorization class previously addressed for other endpoints. The route-level scope middleware validates the token domain/action, but does not enforce the resource/path segment of a scope. `scripts/list_search` then returns script `path` and `content` for scripts in the workspace without applying per-row path filtering against the token scopes.\n\n### Affected endpoint\n\n`GET /api/w/{workspace}/scripts/list_search`\n\n### Affected versions\n\nConfirmed in the current public repository code and believed to affect the latest published release at the time of review:\n\n`\u003c= 1.714.1`\n\nPatched version: unknown.\n\n### Details\n\nWindmill supports scoped API tokens with scopes in the format:\n\n`{domain}:{action}[:{resource}]`\n\nThe parser supports resource-scoped values such as:\n\n`scripts:read:f/allowed/*`\n\nand the codebase contains helpers for resource matching, including wildcard matching.\n\nHowever, the route-level scope check used for requests with scoped API tokens only validates the route domain and action. It does not compare the token\u0027s resource/path restriction against the requested route or against the rows returned by list endpoints.\n\nFor `scripts/list_search`, the handler returns `path` and `content` for scripts in the workspace:\n\n`SELECT path, content from script WHERE workspace_id = $1 AND archived = false LIMIT $2`\n\nThere is no additional `check_scopes(...)` call in the handler and no per-row filtering based on the token\u0027s resource/path scope.\n\nAs a result, a token intended to read only scripts under one path prefix may be able to read script contents from unrelated paths in the same workspace.\n\n### Source-level reproduction\n\n1. Create or use a workspace containing at least two scripts:\n\n- `f/allowed/script_a`\n- `f/private/script_b`\n\n2. Create a scoped API token intended to read only the allowed path:\n\n`scripts:read:f/allowed/*`\n\n3. Use that token to call:\n\n`GET /api/w/{workspace}/scripts/list_search`\n\n4. Expected behavior:\n\nThe response should include only scripts matching the token\u0027s resource scope, e.g. only scripts under:\n\n`f/allowed/*`\n\n5. Actual behavior from source review:\n\nThe route-level scope check accepts the request as `scripts:read`, and the handler returns script `path` and `content` for scripts in the workspace without filtering the rows by the token\u0027s resource scope.\n\nThis can expose script source code from paths outside the token\u0027s intended scope.\n\n### Impact\n\nA user or integration holding a path-restricted `scripts:read:{resource}` token may be able to read script contents from unrelated scripts in the same workspace.\n\nDepending on how scripts are used, this may disclose:\n\n- internal automation logic,\n- integration details,\n- business logic,\n- inline configuration,\n- accidentally hardcoded secrets or credentials.\n\nThis does not require admin privileges. It requires possession of a valid scoped API token for the workspace.\n\n### Related context\n\nThis appears related to the broader class of issues where route-level token scope enforcement validates domain/action but not the resource/path portion of the scope. Similar scoped-token issues appear to have been fixed for other endpoints, such as resources/variables listing and job preview/run paths, but I did not find an equivalent fix for `scripts/list_search`.\n\n### Suggested fix\n\nApply resource/path scope enforcement to `scripts/list_search`.\n\nPossible approaches:\n\n1. Add explicit handler-level authorization similar to per-resource endpoints.\n2. Filter returned rows so that a scoped token only receives scripts whose `path` is included by at least one `scripts:read:{resource}` scope.\n3. Add regression tests for:\n - `scripts:read:f/allowed/*` cannot see `f/private/script_b`,\n - broad `scripts:read` still sees all accessible scripts,\n - unscoped tokens preserve current behavior,\n - filter-tag-only tokens preserve current compatibility behavior.\n\nA more defensive long-term fix would be to make route-level scope enforcement aware of resource/path restrictions where the route contains a concrete resource path, while list endpoints should apply per-row filtering.",
"id": "GHSA-2ppx-66jv-wpw5",
"modified": "2026-07-10T19:28:06Z",
"published": "2026-07-10T19:28:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/windmill-labs/windmill/security/advisories/GHSA-2ppx-66jv-wpw5"
},
{
"type": "PACKAGE",
"url": "https://github.com/windmill-labs/windmill"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search"
}
GHSA-2PR9-W7JF-V4V7
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2025-06-05 00:31Philips SureSigns VS4, A.07.107 and prior. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
{
"affected": [],
"aliases": [
"CVE-2020-16241"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-21T13:15:00Z",
"severity": "LOW"
},
"details": "Philips SureSigns VS4, A.07.107 and prior. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"id": "GHSA-2pr9-w7jf-v4v7",
"modified": "2025-06-05T00:31:18Z",
"published": "2022-05-24T17:26:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16241"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01"
},
{
"type": "WEB",
"url": "https://www.philips.com/a-w/security/security-advisories/product-security-2020.html#2020_archive"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2PVG-PMC4-VR2X
Vulnerability from github – Published: 2024-06-13 12:30 – Updated: 2024-06-13 12:30Acrobat Mobile Sign Android versions 24.4.2.33155 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access confidential information. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2024-34130"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T12:15:12Z",
"severity": "MODERATE"
},
"details": "Acrobat Mobile Sign Android versions 24.4.2.33155 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access confidential information. Exploitation of this issue does not require user interaction.",
"id": "GHSA-2pvg-pmc4-vr2x",
"modified": "2024-06-13T12:30:34Z",
"published": "2024-06-13T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34130"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat-android/apsb24-50.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PXH-883J-PQVH
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title.
{
"affected": [],
"aliases": [
"CVE-2020-26121"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-27T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against \"page creation\" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title.",
"id": "GHSA-2pxh-883j-pqvh",
"modified": "2022-05-24T17:29:43Z",
"published": "2022-05-24T17:29:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26121"
},
{
"type": "WEB",
"url": "https://commons.wikimedia.org/w/index.php?oldid=454609892#File:Wiki.png"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/Ib852a96afc4dca10516d0510e69c10f9892b351b"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T262628"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2PXW-QGWM-32JG
Vulnerability from github – Published: 2022-07-22 00:00 – Updated: 2022-07-27 00:00Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin <= 3.0.2 at WordPress.
{
"affected": [],
"aliases": [
"CVE-2022-34487"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "Unauthenticated Arbitrary Option Update vulnerability in biplob018\u0027s Shortcode Addons plugin \u003c= 3.0.2 at WordPress.",
"id": "GHSA-2pxw-qgwm-32jg",
"modified": "2022-07-27T00:00:44Z",
"published": "2022-07-22T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34487"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-plugin-3-0-3-unauthenticated-arbitrary-option-update-vulnerability"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/shortcode-addons/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2Q3Q-WGVC-2M5P
Vulnerability from github – Published: 2023-05-16 00:30 – Updated: 2024-04-04 04:11In registerReceiverWithFeature of ActivityManagerService.java, there is a possible way for isolated processes to register a broadcast receiver due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-263358101
{
"affected": [],
"aliases": [
"CVE-2023-21117"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-15T22:15:12Z",
"severity": "HIGH"
},
"details": "In registerReceiverWithFeature of ActivityManagerService.java, there is a possible way for isolated processes to register a broadcast receiver due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-263358101",
"id": "GHSA-2q3q-wgvc-2m5p",
"modified": "2024-04-04T04:11:44Z",
"published": "2023-05-16T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21117"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2Q62-XM7G-H9GH
Vulnerability from github – Published: 2026-07-11 00:31 – Updated: 2026-07-13 18:30Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.
{
"affected": [],
"aliases": [
"CVE-2026-13238"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T22:16:39Z",
"severity": "CRITICAL"
},
"details": "Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.",
"id": "GHSA-2q62-xm7g-h9gh",
"modified": "2026-07-13T18:30:33Z",
"published": "2026-07-11T00:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13238"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-058"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.