CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5489 vulnerabilities reference this CWE, most recent first.
CVE-2026-41049 (GCVE-0-2026-41049)
Vulnerability from cvelistv5 – Published: 2026-06-22 15:32 – Updated: 2026-07-08 05:55- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://security.opensuse.org/2026/05/26/qsnapper… | third-party-advisory |
| https://github.com/presire/qSnapper/releases/tag/v1.3.3 | vendor-advisory |
| https://bugzilla.suse.com/show_bug.cgi?id=1262218 | issue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:25:21.586546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:25:30.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "qsnapper",
"product": "qSnapper",
"repo": "https://github.com/presire/qSnapper",
"vendor": "presire",
"versions": [
{
"lessThan": "1.3.3",
"status": "affected",
"version": "1.2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthias Gerstner of SUSE"
}
],
"datePublic": "2026-05-26T15:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect caching of authentication between different users of the\u0026nbsp; qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them."
}
],
"value": "Incorrect caching of authentication between different users of the\u00a0 qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T05:55:01.962Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/presire/qSnapper/releases/tag/v1.3.3"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1262218"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Caching of Authentication allows Authentication Bypass between users in qSnapper",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2026-41049",
"datePublished": "2026-06-22T15:32:59.192Z",
"dateReserved": "2026-04-16T13:37:50.679Z",
"dateUpdated": "2026-07-08T05:55:01.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41048 (GCVE-0-2026-41048)
Vulnerability from cvelistv5 – Published: 2026-06-22 15:31 – Updated: 2026-07-07 09:31- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://security.opensuse.org/2026/05/26/qsnapper… | third-party-advisory |
| https://github.com/presire/qSnapper/releases/tag/v1.3.3 | vendor-advisory |
| https://bugzilla.suse.com/show_bug.cgi?id=1262218 | issue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:24:42.461147Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:24:59.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "qsnapper",
"product": "qSnapper",
"repo": "https://github.com/presire/qSnapper",
"vendor": "presire",
"versions": [
{
"lessThan": "1.3.3",
"status": "affected",
"version": "1.2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthias Gerstner of SUSE"
}
],
"datePublic": "2026-05-26T15:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like \"restore from snapshot\" even if only allowed to do \"delete snapshot\"."
}
],
"value": "Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like \"restore from snapshot\" even if only allowed to do \"delete snapshot\"."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T09:31:37.959Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/presire/qSnapper/releases/tag/v1.3.3"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1262218"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Caching of Authentication allows Authentication Bypass in qSnapper",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2026-41048",
"datePublished": "2026-06-22T15:31:14.606Z",
"dateReserved": "2026-04-16T13:37:50.679Z",
"dateUpdated": "2026-07-07T09:31:37.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40914 (GCVE-0-2026-40914)
Vulnerability from cvelistv5 – Published: 2026-05-28 12:28 – Updated: 2026-05-29 18:55- CWE-863 - Incorrect Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Artemis Stomp Protocol |
Affected:
2.50.0 , ≤ 2.53.0
(semver)
|
|
| Apache Software Foundation | Apache ActiveMQ Artemis Stomp Protocol |
Affected:
2.0.0 , ≤ 2.44.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-28T13:15:25.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/27/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-40914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T18:55:38.431379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:55:50.602Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.artemis:artemis-stomp-protocol",
"product": "Apache Artemis Stomp Protocol",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.53.0",
"status": "affected",
"version": "2.50.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.artemis:artemis-stomp-protocol",
"product": "Apache ActiveMQ Artemis Stomp Protocol",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.44.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "bugbunny.ai"
},
{
"lang": "en",
"type": "reporter",
"value": "Isaac David \u003cisaac@bugbunny.ai\u003e"
},
{
"lang": "en",
"type": "reporter",
"value": "Arthur Gervais \u003carthur@bugbunny.ai\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eA vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn\u0027t have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn\u0027t have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.54.0, which fixes the issue.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn\u0027t have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn\u0027t have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission.\n\n\n\nThis issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.\n\nUsers are recommended to upgrade to version 2.54.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T12:28:25.972Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6q3st8dlorz2q05svqn11k1xl7jkmm4c"
}
],
"source": {
"advisory": "ARTEMIS-5996",
"defect": [
"ARTEMIS-5996"
],
"discovery": "EXTERNAL"
},
"title": "Apache Artemis Stomp Protocol, Apache ActiveMQ Artemis Stomp Protocol: Address routing-type can be updated by STOMP protocol user without the createAddress permission",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-40914",
"datePublished": "2026-05-28T12:28:25.972Z",
"dateReserved": "2026-04-15T17:18:02.939Z",
"dateUpdated": "2026-05-29T18:55:50.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40599 (GCVE-0-2026-40599)
Vulnerability from cvelistv5 – Published: 2026-04-21 17:37 – Updated: 2026-04-21 18:35- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/craigjbass/clearancekit/securi… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| craigjbass | clearancekit |
Affected:
< 5.0.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40599",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T18:35:00.486516Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T18:35:04.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "clearancekit",
"vendor": "craigjbass",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T17:37:05.064Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x"
}
],
"source": {
"advisory": "GHSA-w253-42qp-5f2x",
"discovery": "UNKNOWN"
},
"title": "ClearanceKit: Ad-hoc signed binaries can spoof Apple process identities in the global allowlist"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40599",
"datePublished": "2026-04-21T17:37:05.064Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-04-21T18:35:04.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40574 (GCVE-0-2026-40574)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:32 – Updated: 2026-04-21 20:37- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/oauth2-proxy/oauth2-proxy/secu… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| oauth2-proxy | oauth2-proxy |
Affected:
< 7.15.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40574",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T20:18:57.843784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:37:28.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "oauth2-proxy",
"vendor": "oauth2-proxy",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This vulnerability is fixed in 7.15.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:32:34.537Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3"
}
],
"source": {
"advisory": "GHSA-c5c4-8r6x-56w3",
"discovery": "UNKNOWN"
},
"title": "OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40574",
"datePublished": "2026-04-21T16:32:34.537Z",
"dateReserved": "2026-04-14T13:24:29.474Z",
"dateUpdated": "2026-04-21T20:37:28.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40515 (GCVE-0-2026-40515)
Vulnerability from cvelistv5 – Published: 2026-04-17 16:00 – Updated: 2026-07-14 20:00- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/HKUDS/OpenHarness/pull/92 | issue-tracking |
| https://github.com/HKUDS/OpenHarness/commit/bd4df… | patch |
| https://www.vulncheck.com/advisories/openharness-… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| HKUDS | OpenHarness |
Affected:
0 , < bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae
(git)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40515",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T16:33:48.805185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:58:22.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:github/HKUDS/OpenHarness",
"product": "OpenHarness",
"repo": "https://github.com/HKUDS/OpenHarness",
"vendor": "HKUDS",
"versions": [
{
"lessThan": "bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chia Min Jun Lennon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OpenHarness before commit\u0026nbsp;bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories that are not properly evaluated against configured path rules, allowing disclosure of sensitive local file content, key material, configuration files, or directory contents despite configured path restrictions.\u003cbr\u003e"
}
],
"value": "OpenHarness before commit\u00a0bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories that are not properly evaluated against configured path rules, allowing disclosure of sensitive local file content, key material, configuration files, or directory contents despite configured path restrictions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T20:00:29.877Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HKUDS/OpenHarness/pull/92"
},
{
"tags": [
"patch"
],
"url": "https://github.com/HKUDS/OpenHarness/commit/bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openharness-permission-bypass-via-grep-and-glob-root-argument"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OpenHarness Permission Bypass via grep and glob root argument",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-40515",
"datePublished": "2026-04-17T16:00:07.116Z",
"dateReserved": "2026-04-13T20:29:02.809Z",
"dateUpdated": "2026-07-14T20:00:29.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40452 (GCVE-0-2026-40452)
Vulnerability from cvelistv5 – Published: 2026-07-10 07:16 – Updated: 2026-07-10 17:55| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.3.5 , < 1.3.8
(semver)
Affected: 2.0.5 , < 2.0.10 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-10T14:54:59.344Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/10/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-40452",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T17:55:16.780217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T17:55:35.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.3.8",
"status": "affected",
"version": "1.3.5",
"versionType": "semver"
},
{
"lessThan": "2.0.10",
"status": "affected",
"version": "2.0.5",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "bugbunny.ai"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization, Improper Access Control vulnerability in Apache IoTDB.\u003cbr\u003eAuthorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.10, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB.\nAuthorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users.\n\n\nThis issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10.\n\nUsers are recommended to upgrade to version 2.0.10, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T07:16:05.992Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/04j2l6dosyboor4o2gvrzbrcrpllmh95"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-40452",
"datePublished": "2026-07-10T07:16:05.992Z",
"dateReserved": "2026-04-13T07:33:02.319Z",
"dateUpdated": "2026-07-10T17:55:35.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40350 (GCVE-0-2026-40350)
Vulnerability from cvelistv5 – Published: 2026-04-18 00:07 – Updated: 2026-04-20 16:15- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/leepeuker/movary/security/advi… | x_refsource_CONFIRM |
| https://github.com/leepeuker/movary/pull/749 | x_refsource_MISC |
| https://github.com/leepeuker/movary/commit/92c740… | x_refsource_MISC |
| https://github.com/leepeuker/movary/releases/tag/0.71.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40350",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:10:39.326362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:15:39.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "movary",
"vendor": "leepeuker",
"versions": [
{
"status": "affected",
"version": "\u003c 0.71.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movary is a self hosted web app to track and rate a user\u0027s watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T00:07:33.324Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w"
},
{
"name": "https://github.com/leepeuker/movary/pull/749",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/pull/749"
},
{
"name": "https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39"
},
{
"name": "https://github.com/leepeuker/movary/releases/tag/0.71.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/releases/tag/0.71.1"
}
],
"source": {
"advisory": "GHSA-7r3f-9fwv-p43w",
"discovery": "UNKNOWN"
},
"title": "Movary User Management (/settings/users) has Authorization Bypass that Allows Low-Privileged Users to Enumerate All Users and Create Administrator Accounts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40350",
"datePublished": "2026-04-18T00:07:33.324Z",
"dateReserved": "2026-04-10T22:50:01.359Z",
"dateUpdated": "2026-04-20T16:15:39.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40304 (GCVE-0-2026-40304)
Vulnerability from cvelistv5 – Published: 2026-04-17 21:04 – Updated: 2026-04-20 14:57| URL | Tags |
|---|---|
| https://github.com/openziti/zrok/security/advisor… | x_refsource_CONFIRM |
| https://github.com/openziti/zrok/releases/tag/v2.0.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:51:35.879686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:57:24.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zrok",
"vendor": "openziti",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:04:23.648Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g"
},
{
"name": "https://github.com/openziti/zrok/releases/tag/v2.0.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"
}
],
"source": {
"advisory": "GHSA-3jpj-v3xr-5h6g",
"discovery": "UNKNOWN"
},
"title": "zrok\u0027s broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40304",
"datePublished": "2026-04-17T21:04:23.648Z",
"dateReserved": "2026-04-10T21:41:54.504Z",
"dateUpdated": "2026-04-20T14:57:24.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40291 (GCVE-0-2026-40291)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:37 – Updated: 2026-04-15 14:24| URL | Tags |
|---|---|
| https://github.com/chamilo/chamilo-lms/security/a… | x_refsource_CONFIRM |
| https://github.com/chamilo/chamilo-lms/releases/t… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:24:20.523815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:24:29.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted(\u0027EDIT\u0027, object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:37:55.490Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-7phx-w897-4c9x",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has Privilege Escalation via API User Role Modification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40291",
"datePublished": "2026-04-14T21:37:55.490Z",
"dateReserved": "2026-04-10T20:22:44.035Z",
"dateUpdated": "2026-04-15T14:24:29.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.