CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-386G-PGM8-CFCR
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-21 00:01An improper authorization vulnerability in Palo Alto Network Cortex XSOAR software enables authenticated users in non-Read-Only groups to generate an email report that contains summary information about all incidents in the Cortex XSOAR instance, including incidents to which the user does not have access. This issue impacts: All versions of Cortex XSOAR 6.1; All versions of Cortex XSOAR 6.2; All versions of Cortex XSOAR 6.5; Cortex XSOAR 6.6 versions earlier than Cortex XSOAR 6.6.0 build 6.6.0.2585049.
{
"affected": [],
"aliases": [
"CVE-2022-0027"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T17:15:00Z",
"severity": "MODERATE"
},
"details": "An improper authorization vulnerability in Palo Alto Network Cortex XSOAR software enables authenticated users in non-Read-Only groups to generate an email report that contains summary information about all incidents in the Cortex XSOAR instance, including incidents to which the user does not have access. This issue impacts: All versions of Cortex XSOAR 6.1; All versions of Cortex XSOAR 6.2; All versions of Cortex XSOAR 6.5; Cortex XSOAR 6.6 versions earlier than Cortex XSOAR 6.6.0 build 6.6.0.2585049.",
"id": "GHSA-386g-pgm8-cfcr",
"modified": "2022-05-21T00:01:06Z",
"published": "2022-05-12T00:01:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0027"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2022-0027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3887-7VPG-G78M
Vulnerability from github – Published: 2023-03-21 18:30 – Updated: 2023-03-24 21:30IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an attacker to upload files that could be used in a denial of service attack due to incorrect authorization. IBM X-Force ID: 247629.
{
"affected": [],
"aliases": [
"CVE-2023-25923"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-21T16:15:00Z",
"severity": "HIGH"
},
"details": "IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an attacker to upload files that could be used in a denial of service attack due to incorrect authorization. IBM X-Force ID: 247629.",
"id": "GHSA-3887-7vpg-g78m",
"modified": "2023-03-24T21:30:53Z",
"published": "2023-03-21T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25923"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/247629"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6962729"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-38F7-VV5R-859M
Vulnerability from github – Published: 2023-07-26 03:30 – Updated: 2024-04-04 06:21On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
{
"affected": [],
"aliases": [
"CVE-2023-2640"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-26T02:15:09Z",
"severity": "HIGH"
},
"details": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.",
"id": "GHSA-38f7-vv5r-859m",
"modified": "2024-04-04T06:21:33Z",
"published": "2023-07-26T03:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2640"
},
{
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640"
},
{
"type": "WEB",
"url": "https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/notices/USN-6250-1"
},
{
"type": "WEB",
"url": "https://wiz.io/blog/ubuntu-overlayfs-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-38GX-PGPJ-9CW5
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-18 00:01Luocms v2.0 is affected by an incorrect access control vulnerability. Through /admin/templates/template_manage.php, an attacker can write an arbitrary shell file.
{
"affected": [],
"aliases": [
"CVE-2022-24609"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:46:00Z",
"severity": "CRITICAL"
},
"details": "Luocms v2.0 is affected by an incorrect access control vulnerability. Through /admin/templates/template_manage.php, an attacker can write an arbitrary shell file.",
"id": "GHSA-38gx-pgpj-9cw5",
"modified": "2022-03-18T00:01:21Z",
"published": "2022-03-11T00:02:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24609"
},
{
"type": "WEB",
"url": "https://github.com/jsjbcyber/bug_report/blob/main/bug_p"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-38HG-WW64-RRWC
Vulnerability from github – Published: 2026-04-04 06:13 – Updated: 2026-04-07 14:20Summary
Aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users.
Details
Fields marked with conceal are protected by payload processing logic that replaces real values with a masked placeholder on read. This protection works correctly for standard item queries, but aggregate query results are structured differently, operations are nested under their function name rather than appearing as flat field keys. The masking logic does not account for this nested structure, causing it to silently skip concealed fields in aggregate responses and return their raw values to the client.
Impact
-
Account Takeover An authenticated attacker can harvest static API tokens for all users, including administrators, enabling immediate authentication as any account without credentials.
-
2FA Bypass TOTP seeds stored in directus_users can similarly be extracted, allowing an attacker to bypass two-factor authentication for any account.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35442"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:13:57Z",
"nvd_published_at": "2026-04-06T22:16:22Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAggregate functions (`min`, `max`) applied to fields with the `conceal` special type incorrectly return raw database values instead of the masked placeholder. When combined with `groupBy`, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from `directus_users`.\n\n### Details\n\nFields marked with `conceal` are protected by payload processing logic that replaces real values with a masked placeholder on read. This protection works correctly for standard item queries, but aggregate query results are structured differently, operations are nested under their function name rather than appearing as flat field keys. The masking logic does not account for this nested structure, causing it to silently skip concealed fields in aggregate responses and return their raw values to the client.\n\n### Impact\n\n- **Account Takeover** An authenticated attacker can harvest static API tokens for all users, including administrators, enabling immediate authentication as any account without credentials.\n\n- **2FA Bypass** TOTP seeds stored in directus_users can similarly be extracted, allowing an attacker to bypass two-factor authentication for any account.",
"id": "GHSA-38hg-ww64-rrwc",
"modified": "2026-04-07T14:20:19Z",
"published": "2026-04-04T06:13:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35442"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries"
}
GHSA-38RQ-33WV-8XMV
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. BT manager allows attackers to bypass intended access restrictions on a certain mode. The LG ID is LVE-SMP-200021 (September 2020).
{
"affected": [],
"aliases": [
"CVE-2020-25283"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-11T22:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. BT manager allows attackers to bypass intended access restrictions on a certain mode. The LG ID is LVE-SMP-200021 (September 2020).",
"id": "GHSA-38rq-33wv-8xmv",
"modified": "2022-05-24T17:28:10Z",
"published": "2022-05-24T17:28:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25283"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-38X8-4FFV-QWW9
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53Gallagher Command Centre before 7.80.939, 7.90.x before 7.90.961, and 8.x before 8.00.1128 allows arbitrary event creation and information disclosure via the FT Command Centre Service and FT Controller Service services.
{
"affected": [],
"aliases": [
"CVE-2019-12492"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-06T20:29:00Z",
"severity": "MODERATE"
},
"details": "Gallagher Command Centre before 7.80.939, 7.90.x before 7.90.961, and 8.x before 8.00.1128 allows arbitrary event creation and information disclosure via the FT Command Centre Service and FT Controller Service services.",
"id": "GHSA-38x8-4ffv-qww9",
"modified": "2024-04-04T00:53:26Z",
"published": "2022-05-24T16:47:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12492"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/CVE-2019-12492"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-392C-VJFV-H7WR
Vulnerability from github – Published: 2023-11-27 12:30 – Updated: 2025-02-13 19:25Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-f678-j579-4xf5. This link is maintained to preserve external references.
Original Description
Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-28T18:57:14Z",
"nvd_published_at": "2023-11-27T11:15:07Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-f678-j579-4xf5. This link is maintained to preserve external references.\n\n### Original Description\n\nImproper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.",
"id": "GHSA-392c-vjfv-h7wr",
"modified": "2025-02-13T19:25:31Z",
"published": "2023-11-27T12:30:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40610"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/superset"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Apache Superset - Elevation of Privilege",
"withdrawn": "2024-01-10T19:16:30Z"
}
GHSA-3936-PPM9-G3C2
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31Successful exploitation of the vulnerability could allow an unauthenticated, remote attacker to send Modbus TCP packets to manipulate Digital Outputs, potentially allowing remote control of relay channel which may lead to operational or safety risks.
{
"affected": [],
"aliases": [
"CVE-2025-48466"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T03:15:34Z",
"severity": "HIGH"
},
"details": "Successful exploitation of the vulnerability could allow an unauthenticated, remote attacker to send Modbus TCP packets to manipulate Digital Outputs, potentially allowing remote control of relay channel which may lead to operational or safety risks.",
"id": "GHSA-3936-ppm9-g3c2",
"modified": "2025-06-26T21:31:04Z",
"published": "2025-06-26T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48466"
},
{
"type": "WEB",
"url": "https://github.com/shipcod3/CVE-2025-48466"
},
{
"type": "WEB",
"url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-394R-Q6WG-V263
Vulnerability from github – Published: 2026-06-25 06:30 – Updated: 2026-06-25 06:30GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.
{
"affected": [],
"aliases": [
"CVE-2026-0934"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T05:16:50Z",
"severity": "LOW"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.",
"id": "GHSA-394r-q6wg-v263",
"modified": "2026-06-25T06:30:42Z",
"published": "2026-06-25T06:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0934"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3508760"
},
{
"type": "WEB",
"url": "https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/585961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.