Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5548 vulnerabilities reference this CWE, most recent first.

GHSA-36M5-2RW3-HR39

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-08-02 00:00
VLAI
Details

An improper caller check logic of SMC call in TEEGRIS secure OS prior to SMR Oct-2021 Release 1 can be used to compromise TEE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An improper caller check logic of SMC call in TEEGRIS secure OS prior to SMR Oct-2021 Release 1 can be used to compromise TEE.",
  "id": "GHSA-36m5-2rw3-hr39",
  "modified": "2022-08-02T00:00:33Z",
  "published": "2022-05-24T19:16:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25470"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36PG-Q9F9-M4XV

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-15 00:00
VLAI
Details

Improper access control vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows attackers to arbitrary code execution by replacing FOTA update file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-08T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Improper access control vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows attackers to arbitrary code execution by replacing FOTA update file.",
  "id": "GHSA-36pg-q9f9-m4xv",
  "modified": "2022-07-15T00:00:17Z",
  "published": "2022-05-24T19:07:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25437"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36QX-FR4F-26G5

Vulnerability from github – Published: 2026-05-11 15:53 – Updated: 2026-05-14 20:37
VLAI
Summary
Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
Details

Impact

Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.

Fix

The matcher logic was updated to perform the same match as it would on a non-i18n data route.

Workarounds

If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.2.0"
            },
            {
              "fixed": "15.5.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T15:53:51Z",
    "nvd_published_at": "2026-05-13T17:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nApplications using the Pages Router with `i18n` configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less `/_next/data/\u003cbuildId\u003e/\u003cpage\u003e.json` requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.\n\n### Fix\nThe matcher logic was updated to perform the same match as it would on a non-i18n data route.\n\n### Workarounds\n\nIf you cannot upgrade immediately, enforce authorization in the page\u0027s server-side data path instead of relying solely on middleware.",
  "id": "GHSA-36qx-fr4f-26g5",
  "modified": "2026-05-14T20:37:59Z",
  "published": "2026-05-11T15:53:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44573"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v15.5.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v16.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n"
}

GHSA-36W2-2WV6-X9J2

Vulnerability from github – Published: 2023-12-12 00:30 – Updated: 2023-12-13 21:30
VLAI
Details

Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T00:15:28Z",
    "severity": "HIGH"
  },
  "details": "Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.",
  "id": "GHSA-36w2-2wv6-x9j2",
  "modified": "2023-12-13T21:30:28Z",
  "published": "2023-12-12T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36646"
    },
    {
      "type": "WEB",
      "url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2023-36646"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3723-F7XR-2XGJ

Vulnerability from github – Published: 2025-01-17 21:31 – Updated: 2025-01-21 18:31
VLAI
Details

WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha_antiga field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-17T20:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "WeGIA \u003c 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha_antiga field.",
  "id": "GHSA-3723-f7xr-2xgj",
  "modified": "2025-01-21T18:31:06Z",
  "published": "2025-01-17T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57032"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nmmorette/vulnerability-research/blob/main/CVE-2024-57032"
    },
    {
      "type": "WEB",
      "url": "https://www.wegia.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3737-XM99-HQ62

Vulnerability from github – Published: 2026-01-30 12:31 – Updated: 2026-01-30 12:31
VLAI
Details

Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T11:15:55Z",
    "severity": "MODERATE"
  },
  "details": "Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users\u0027 file resources without proper authorization.",
  "id": "GHSA-3737-xm99-hq62",
  "modified": "2026-01-30T12:31:20Z",
  "published": "2026-01-30T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22624"
    },
    {
      "type": "WEB",
      "url": "https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-373M-8W83-9JWP

Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-23 00:00
VLAI
Details

Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-13T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings.",
  "id": "GHSA-373m-8w83-9jwp",
  "modified": "2022-06-23T00:00:34Z",
  "published": "2022-06-14T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28704"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN46892984/index.html"
    },
    {
      "type": "WEB",
      "url": "https://network.mobile.rakuten.co.jp/information/news/product/1033"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3754-735C-C4RM

Vulnerability from github – Published: 2022-06-21 00:00 – Updated: 2022-06-29 00:00
VLAI
Details

A vulnerability has been found in Adminer Login 1.4.4 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper access controls. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-20066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-20T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been found in Adminer Login 1.4.4 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper access controls. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-3754-735c-c4rm",
  "modified": "2022-06-29T00:00:25Z",
  "published": "2022-06-21T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20066"
    },
    {
      "type": "WEB",
      "url": "https://sumofpwn.nl/advisory/2016/wordpress_adminer_plugin_allows_public__local__database_login.html"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.97384"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Feb/96"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3759-QV8M-9CV6

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30
VLAI
Details

An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T18:15:54Z",
    "severity": "MODERATE"
  },
  "details": "An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests.",
  "id": "GHSA-3759-qv8m-9cv6",
  "modified": "2025-12-09T18:30:45Z",
  "published": "2025-12-09T18:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54838"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-032"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3769-FJ8M-CRFP

Vulnerability from github – Published: 2024-12-02 15:31 – Updated: 2024-12-03 18:31
VLAI
Details

Incorrect access control in wms-Warehouse management system-zeqp v2.20.9.1 due to the token value of the zeqp system being reused.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-02T15:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect access control in wms-Warehouse management system-zeqp v2.20.9.1 due to the token value of the zeqp system being reused.",
  "id": "GHSA-3769-fj8m-crfp",
  "modified": "2024-12-03T18:31:03Z",
  "published": "2024-12-02T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52732"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/LINF2009/fe2f0681389d4521d236a34ec2109a24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dotNetTreasury/WMS/blob/master/README.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dotNetTreasury/WMS/tree/master/src"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.