CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-2V93-VP82-CJV8
Vulnerability from github – Published: 2026-05-06 18:30 – Updated: 2026-05-11 14:58Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.
However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "www.velocidex.com/golang/velociraptor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.76.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6863"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T14:58:15Z",
"nvd_published_at": "2026-05-06T16:16:12Z",
"severity": "MODERATE"
},
"details": "Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.\n\n\n\nHowever, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.",
"id": "GHSA-2v93-vp82-cjv8",
"modified": "2026-05-11T14:58:15Z",
"published": "2026-05-06T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6863"
},
{
"type": "WEB",
"url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6863"
},
{
"type": "PACKAGE",
"url": "https://github.com/Velocidex/velociraptor"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Velocidex Velociraptor has an Incorrect Authorization issue"
}
GHSA-2VJC-6F7C-9P77
Vulnerability from github – Published: 2024-04-17 00:30 – Updated: 2024-04-17 00:30Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Script Engine). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
{
"affected": [],
"aliases": [
"CVE-2024-21083"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T22:15:27Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Script Engine). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).",
"id": "GHSA-2vjc-6f7c-9p77",
"modified": "2024-04-17T00:30:56Z",
"published": "2024-04-17T00:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21083"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2VP4-2RGC-WF9W
Vulnerability from github – Published: 2024-06-05 09:30 – Updated: 2024-06-05 09:30An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
{
"affected": [],
"aliases": [
"CVE-2024-23669"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-05T08:15:09Z",
"severity": "MODERATE"
},
"details": "An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.",
"id": "GHSA-2vp4-2rgc-wf9w",
"modified": "2024-06-05T09:30:37Z",
"published": "2024-06-05T09:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23669"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2VX2-PV2M-VWRQ
Vulnerability from github – Published: 2025-05-30 15:30 – Updated: 2025-05-30 15:30An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization.
Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.
{
"affected": [],
"aliases": [
"CVE-2024-7097"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-30T15:15:40Z",
"severity": "MODERATE"
},
"details": "An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization.\n\nExploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.",
"id": "GHSA-2vx2-pv2m-vwrq",
"modified": "2025-05-30T15:30:31Z",
"published": "2025-05-30T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7097"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2VXC-VWWX-RXPX
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-07-13 00:01NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which improper access control may lead to denial of service and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2021-1055"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-08T01:15:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which improper access control may lead to denial of service and information disclosure.",
"id": "GHSA-2vxc-vwwx-rxpx",
"modified": "2022-07-13T00:01:00Z",
"published": "2022-05-24T17:38:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1055"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5142"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2W3M-74V7-48PP
Vulnerability from github – Published: 2024-05-23 15:30 – Updated: 2026-04-08 18:33The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed block in all versions up to, and including, 3.9.12. This makes it possible for authenticated attackers, with contributor-level access and above, to embed PDF blocks.
{
"affected": [],
"aliases": [
"CVE-2024-1803"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-23T13:15:08Z",
"severity": "MODERATE"
},
"details": "The EmbedPress \u2013 Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps \u0026 Embed Any Documents in Gutenberg \u0026 Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed block in all versions up to, and including, 3.9.12. This makes it possible for authenticated attackers, with contributor-level access and above, to embed PDF blocks.",
"id": "GHSA-2w3m-74v7-48pp",
"modified": "2026-04-08T18:33:14Z",
"published": "2024-05-23T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1803"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3055856"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/175e08ce-aec2-427a-90e0-f955711d58b2?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2W4P-2HF7-GH8X
Vulnerability from github – Published: 2024-08-05 21:18 – Updated: 2024-08-05 21:18Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10.4. There are no known workarounds.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "us.springett:alpine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23553"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-05T21:18:58Z",
"nvd_published_at": "2022-12-28T19:15:09Z",
"severity": "HIGH"
},
"details": "Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10.4. There are no known workarounds.",
"id": "GHSA-2w4p-2hf7-gh8x",
"modified": "2024-08-05T21:18:58Z",
"published": "2024-08-05T21:18:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23553"
},
{
"type": "WEB",
"url": "https://github.com/stevespringett/Alpine/commit/a7432184b9137ea095799a77f9ced370553acbd7"
},
{
"type": "PACKAGE",
"url": "https://github.com/stevespringett/Alpine"
},
{
"type": "WEB",
"url": "https://github.com/stevespringett/Alpine/blob/alpine-parent-1.10.2/alpine/src/main/java/alpine/filters/BlacklistUrlFilter.java#L107-L121"
},
{
"type": "WEB",
"url": "https://github.com/stevespringett/Alpine/blob/alpine-parent-1.10.2/alpine/src/main/java/alpine/filters/WhitelistUrlFilter.java#L115-L127"
},
{
"type": "WEB",
"url": "https://github.com/stevespringett/Alpine/releases/tag/alpine-parent-1.10.4"
},
{
"type": "WEB",
"url": "https://securitylab.github.com/advisories"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Alpine allows URL access filter bypass"
}
GHSA-2W5V-X29G-JW7J
Vulnerability from github – Published: 2024-11-07 21:31 – Updated: 2024-11-08 18:56Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/nomad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-10975"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-07T22:05:51Z",
"nvd_published_at": "2024-11-07T21:15:06Z",
"severity": "MODERATE"
},
"details": "Nomad Community and Nomad Enterprise (\"Nomad\") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.",
"id": "GHSA-2w5v-x29g-jw7j",
"modified": "2024-11-08T18:56:03Z",
"published": "2024-11-07T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10975"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/nomad/commit/30849c518e16647a4f698e5f5cc82bef2bf40e4d"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2w5v-x29g-jw7j"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/nomad"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hashicorp Nomad Incorrect Authorization vulnerability"
}
GHSA-2W7Q-MJ4W-9CM2
Vulnerability from github – Published: 2024-01-12 15:30 – Updated: 2024-01-12 15:30An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.
{
"affected": [],
"aliases": [
"CVE-2023-6955"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668",
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T14:15:49Z",
"severity": "MODERATE"
},
"details": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. ",
"id": "GHSA-2w7q-mj4w-9cm2",
"modified": "2024-01-12T15:30:32Z",
"published": "2024-01-12T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6955"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2W93-QWPP-VGVJ
Vulnerability from github – Published: 2025-11-30 03:30 – Updated: 2025-12-02 00:30Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "trytond"
},
"ranges": [
{
"events": [
{
"introduced": "7.5.0"
},
{
"fixed": "7.6.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "trytond"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0"
},
{
"fixed": "7.4.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "trytond"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "trytond"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.70"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66424"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T00:30:48Z",
"nvd_published_at": "2025-11-30T03:15:48Z",
"severity": "MODERATE"
},
"details": "Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.",
"id": "GHSA-2w93-qwpp-vgvj",
"modified": "2025-12-02T00:30:49Z",
"published": "2025-11-30T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66424"
},
{
"type": "WEB",
"url": "https://discuss.tryton.org/t/security-release-for-issue-14366/8953"
},
{
"type": "WEB",
"url": "https://foss.heptapod.net/tryton/tryton/-/issues/14366"
},
{
"type": "PACKAGE",
"url": "https://github.com/tryton/trytond"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "trytond does not enforce access rights for data export"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.