Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5562 vulnerabilities reference this CWE, most recent first.

GHSA-RC95-PCM8-65V9

Vulnerability from github – Published: 2026-05-04 17:20 – Updated: 2026-05-08 15:31
VLAI
Summary
Quarkus has Authentication/Authorization bypasses
Details

Quarkus version 3.32.4 is vulnerable to an authorization bypass issue (GHSL-2026-099), in which semicolons (matrix parameters) in HTTP requests can be used to bypass security constraints, potentially allowing unauthorized access to protected resources.

Unauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (;) and arbitrary text to the request URL. The vulnerability arises from a path-normalization inconsistency: Quarkus's security layer performs authorization checks on the raw URL path (which preserves matrix parameters), whereas RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. This allows requests like /api/admin;anything to bypass policies protecting /api/admin while still routing to the protected endpoint.

Impact

This issue may lead to Authentication/Authorization bypasses.

Credits

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-vertx-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.20.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-vertx-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.21.0"
            },
            {
              "fixed": "3.27.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-vertx-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.30.0"
            },
            {
              "fixed": "3.33.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-vertx-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.34.0"
            },
            {
              "fixed": "3.35.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T17:20:20Z",
    "nvd_published_at": "2026-05-05T21:16:22Z",
    "severity": "HIGH"
  },
  "details": "Quarkus version 3.32.4 is vulnerable to an authorization bypass issue (GHSL-2026-099), in which semicolons (matrix parameters) in HTTP requests can be used to bypass security constraints, potentially allowing unauthorized access to protected resources.\n\nUnauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (`;`) and arbitrary text to the request URL. The vulnerability arises from a path-normalization inconsistency: Quarkus\u0027s [security layer](https://quarkus.io/guides/security-authorize-web-endpoints-reference) performs authorization checks on the raw URL path (which preserves matrix parameters), whereas RESTEasy Reactive\u0027s routing layer strips matrix parameters before matching endpoints. This allows requests like `/api/admin;anything` to bypass policies protecting `/api/admin` while still routing to the protected endpoint.\n\n\n### Impact\n\nThis issue may lead to Authentication/Authorization bypasses.\n\n### Credits\n\nThis issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter St\u00f6ckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).",
  "id": "GHSA-rc95-pcm8-65v9",
  "modified": "2026-05-08T15:31:20Z",
  "published": "2026-05-04T17:20:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39852"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quarkusio/quarkus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Quarkus has Authentication/Authorization bypasses"
}

GHSA-RCJR-G4H4-FPFV

Vulnerability from github – Published: 2022-05-27 00:00 – Updated: 2022-06-08 00:00
VLAI
Details

Dell OpenManage Enterprise Versions 3.8.3 and prior contain an improper authorization vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass blocked functionalities and perform unauthorized actions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-26T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell OpenManage Enterprise Versions 3.8.3 and prior contain an improper authorization vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass blocked functionalities and perform unauthorized actions.",
  "id": "GHSA-rcjr-g4h4-fpfv",
  "modified": "2022-06-08T00:00:37Z",
  "published": "2022-05-27T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26857"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000197800/dsa-2022-077"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCQ8-9Q3J-98MW

Vulnerability from github – Published: 2024-12-03 12:31 – Updated: 2024-12-03 19:09
VLAI
Summary
Apache Ozone: Improper authentication when generating S3 secrets
Details

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: * ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false. * The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators.

Users are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.ozone:ozone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.4.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-03T19:09:07Z",
    "nvd_published_at": "2024-12-03T10:15:05Z",
    "severity": "HIGH"
  },
  "details": "Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if:\n  *  ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false.\n  *  The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators.\n\n\nUsers are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint.",
  "id": "GHSA-rcq8-9q3j-98mw",
  "modified": "2024-12-03T19:09:07Z",
  "published": "2024-12-03T12:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45106"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/ozone/pull/5233"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/ozone"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/rylnxwttp004kvotpk9j158vb238pfkm"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/12/02/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Ozone: Improper authentication when generating S3 secrets"
}

GHSA-RCQC-6CW3-H962

Vulnerability from github – Published: 2026-06-23 21:17 – Updated: 2026-06-23 21:17
VLAI
Summary
jackson-databind has a @JsonView bypass for unwrapped creator parameters
Details

Summary

UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active.

Impact

View-restricted unwrapped creator parameters can be set from untrusted input where @JsonView is used as a write-side authorization boundary.

Affected / Patched (verified via git tag --contains)

  • 2.21 line: >= 2.21.0, < 2.21.4 -> fixed in 2.21.4 (backport 721fa07, #5973)
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4 (#5971, d633bc0)

Severity / CWE

Maintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-284.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.21.0"
            },
            {
              "fixed": "2.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "tools.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T21:17:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n`UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both `@JsonView(AdminView.class)` and `@JsonUnwrapped` is populated from attacker JSON even when a more restrictive view is active.\n\n## Impact\nView-restricted unwrapped creator parameters can be set from untrusted input where `@JsonView` is used as a write-side authorization boundary.\n\n## Affected / Patched (verified via `git tag --contains`)\n- 2.21 line: `\u003e= 2.21.0, \u003c 2.21.4` -\u003e fixed in **2.21.4** (backport `721fa07`, #5973)\n- 3.x line: `\u003e= 3.0.0, \u003c 3.1.4` -\u003e fixed in **3.1.4** (#5971, `d633bc0`)\n\n## Severity / CWE\nMaintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-284.\n\n## Credits\nOmkhar Arasaratnam (@omkhar) - finder.",
  "id": "GHSA-rcqc-6cw3-h962",
  "modified": "2026-06-23T21:17:02Z",
  "published": "2026-06-23T21:17:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rcqc-6cw3-h962"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/pull/5971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/pull/5973"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/721fa07ebbd4aab4a659a1a68940878315c3e341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/d633bc038f200c1397c07f1a2b46f58e72c91eea"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jackson-databind has a @JsonView bypass for unwrapped creator parameters"
}

GHSA-RCXC-2H62-VVH8

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-07-13 00:01
VLAI
Details

An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. The binary app offers a web server on port 80 that allows an unauthenticated user to take a snapshot from the doorbell camera via the /snapshot URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. The binary app offers a web server on port 80 that allows an unauthenticated user to take a snapshot from the doorbell camera via the /snapshot URI.",
  "id": "GHSA-rcxc-2h62-vvh8",
  "modified": "2022-07-13T00:01:25Z",
  "published": "2022-05-24T19:01:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31793"
    },
    {
      "type": "WEB",
      "url": "https://cloud.binary.ninja/embed/f4400a22-c438-403a-bf2a-939ca44a4f6b"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tj-oconnor/16a4116050bbcb4717315f519b944f1f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RF22-G3MC-FGHJ

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to escalate lower-level privileges to the administrator level. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow an attacker to make configuration changes to the system as administrator. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-08T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to escalate lower-level privileges to the administrator level. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow an attacker to make configuration changes to the system as administrator. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5).",
  "id": "GHSA-rf22-g3mc-fghj",
  "modified": "2022-05-13T01:14:48Z",
  "published": "2022-05-13T01:14:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1603"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-privesc"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107328"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RF5M-H8Q9-9W6Q

Vulnerability from github – Published: 2024-10-08 14:37 – Updated: 2024-10-09 16:19
VLAI
Summary
Information Disclosure in TYPO3 Page Tree
Details

Problem

Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages.

Solution

Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described.

Credits

Thanks to Peter Schuler who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.46"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-08T14:37:08Z",
    "nvd_published_at": "2024-10-08T18:15:30Z",
    "severity": "LOW"
  },
  "details": "### Problem\nBackend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to \"everybody.\" However, affected users could not manipulate these pages.\n\n### Solution\nUpdate to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described.\n\n### Credits\nThanks to Peter Schuler who reported this issue and to TYPO3 core \u0026 security team member Oliver Hader who fixed the issue.",
  "id": "GHSA-rf5m-h8q9-9w6q",
  "modified": "2024-10-09T16:19:53Z",
  "published": "2024-10-08T14:37:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-rf5m-h8q9-9w6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47780"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/backend/commit/8b024b08a2c7071a2f2ff7c758766e4e9273f83c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/backend/commit/9ae1ef969b63292a13f80955a95713cabd45cc22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/backend/commit/a7b3c924014ada61632cd5e3fb9825fcc86c5719"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3-CMS/backend"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2024-012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Information Disclosure in TYPO3 Page Tree"
}

GHSA-RF6H-5GPW-QRGQ

Vulnerability from github – Published: 2026-03-29 15:49 – Updated: 2026-04-10 17:25
VLAI
Summary
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
Details

Summary

MS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Microsoft Teams feedback invokes previously bypassed sender authorization and could record feedback or trigger reflection for unauthorized senders. Commit c5415a474bb085404c20f8b312e436997977b1ea applies the same DM and group authorization checks to feedback invokes.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit c5415a474bb085404c20f8b312e436997977b1ea.

Fix Commit(s)

  • c5415a474bb085404c20f8b312e436997977b1ea
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:49:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nMS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nMicrosoft Teams feedback invokes previously bypassed sender authorization and could record feedback or trigger reflection for unauthorized senders. Commit `c5415a474bb085404c20f8b312e436997977b1ea` applies the same DM and group authorization checks to feedback invokes.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `c5415a474bb085404c20f8b312e436997977b1ea`.\n\n## Fix Commit(s)\n\n- `c5415a474bb085404c20f8b312e436997977b1ea`",
  "id": "GHSA-rf6h-5gpw-qrgq",
  "modified": "2026-04-10T17:25:07Z",
  "published": "2026-03-29T15:49:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback"
}

GHSA-RF7G-F56C-V6W4

Vulnerability from github – Published: 2026-01-22 15:31 – Updated: 2026-01-22 15:31
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T15:16:47Z",
    "severity": "HIGH"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.",
  "id": "GHSA-rf7g-f56c-v6w4",
  "modified": "2026-01-22T15:31:32Z",
  "published": "2026-01-22T15:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13928"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3439441"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/582736"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RF84-WR5G-M3RP

Vulnerability from github – Published: 2026-05-29 19:01 – Updated: 2026-05-29 19:01
VLAI
Summary
CAPM3 vulnerable to Cross-Namespace resource access
Details

Summary

CAPM3 is Metal3's Cluster API (CAPI) provider for baremetal provisioning in Kubernetes. Multiple cross-namespace access control vulnerabilities in Cluster API Provider Metal3 allow users with permissions to create or modify CAPM3 resources in one namespace to reference, read, or claim resources belonging to other namespaces.

Patched In

  • v1.13.0 (main branch — all fixes included)
  • v1.12.5 (all four fixes backported)
  • v1.11.8 (three of four fixes backported; Metal3DataClaim template restriction not applicable due to missing v1beta2 webhook infrastructure)

Description

Four related vulnerabilities were identified and fixed:

1. Cross-namespace Secret references in Metal3Machine

Metal3Machine resources accepted userData, metaData, and networkData secret references pointing to arbitrary namespaces. A user could configure a Metal3Machine to reference secrets in namespaces they do not have access to, and the controller would fetch and use those secrets.

2. Cross-namespace BareMetalHost lookups

The host annotation on Metal3Machine could include a namespace/name format, causing the controller to look up BareMetalHost resources in arbitrary namespaces. This allowed a user to claim or associate with BareMetalHosts belonging to other tenants.

3. Incorrect logical operator in ConsumerRef validation

The Metal3LabelSync controller used AND logic (&&) when validating BareMetalHost ConsumerRef Kind and Group, meaning it only rejected a ConsumerRef when both Kind and Group were wrong. If only one was incorrect (e.g., wrong Kind but correct Group), the validation passed, potentially allowing unauthorized resources to associate with a BareMetalHost.

4. Cross-namespace Metal3DataTemplate references

Metal3DataClaim resources could reference Metal3DataTemplate resources in other namespaces. The controller would reconcile using the referenced template regardless of namespace, allowing data leakage across namespace boundaries.

Impact

These vulnerabilities allow cross-namespace resource access within the CAPM3 management cluster. A user with permissions to create or modify Metal3Machine or Metal3DataClaim resources in one namespace could reference secrets, BareMetalHosts, or data templates in other namespaces.

Practical impact is limited because:

  • CAPM3 management clusters are typically single-tenant, operated by a single infrastructure/platform team. Namespace boundaries serve as organizational separation (e.g., per workload cluster), not as security isolation between mutually untrusted parties.
  • Exploiting these issues requires RBAC permissions to create or modify CAPM3 infrastructure resources (Metal3Machine, Metal3DataClaim), which are infrastructure-admin privileges not granted to application developers or end users.
  • The accessible resources are limited to Metal3 operational artifacts (bootstrap secrets, network metadata, BareMetalHost associations), not arbitrary cluster secrets.

Environments with elevated risk:

  • Management clusters where namespace-scoped RBAC is used to delegate infrastructure provisioning to separate teams with different trust levels.
  • Managed service providers using a shared management cluster across multiple customer namespaces.

In the common single-team deployment model, these issues represent a defense-in-depth gap rather than a directly exploitable privilege escalation.

Prerequisites for exploitation

  • Attacker must have RBAC permissions to create or modify Metal3Machine or Metal3DataClaim resources in at least one namespace.
  • Target resources (secrets, BareMetalHosts, templates) must exist in other namespaces on the same management cluster.

Workarounds

If upgrading is not immediately possible:

  1. Restrict RBAC: Limit who can create/modify Metal3Machine and Metal3DataClaim resources to trusted operators only.
  2. Admission policies: Deploy OPA/Gatekeeper or Kyverno policies that reject CAPM3 resources with cross-namespace references.
  3. Network policies: While not a direct mitigation, network policies can limit the blast radius of compromised credentials.

Resources

  • https://github.com/metal3-io/cluster-api-provider-metal3/pull/3288, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3294
  • https://github.com/metal3-io/cluster-api-provider-metal3/pull/3317, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3319, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3323
  • https://github.com/metal3-io/cluster-api-provider-metal3/pull/3322, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3325
  • https://github.com/metal3-io/cluster-api-provider-metal3/pull/3327, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3343, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3344
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.11.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/metal3-io/cluster-api-provider-metal3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.12.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/metal3-io/cluster-api-provider-metal3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0"
            },
            {
              "fixed": "1.12.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T19:01:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nCAPM3 is Metal3\u0027s Cluster API (CAPI) provider for baremetal provisioning in Kubernetes. Multiple cross-namespace access control vulnerabilities in Cluster API Provider Metal3 allow users with permissions to create or modify CAPM3 resources in one namespace to reference, read, or claim resources belonging to other namespaces.\n\n## Patched In\n\n- **v1.13.0** (main branch \u2014 all fixes included)\n- **v1.12.5** (all four fixes backported)\n- **v1.11.8** (three of four fixes backported; Metal3DataClaim template restriction not applicable due to missing v1beta2 webhook infrastructure)\n\n## Description\n\nFour related vulnerabilities were identified and fixed:\n\n### 1. Cross-namespace Secret references in Metal3Machine\n\nMetal3Machine resources accepted userData, metaData, and networkData secret references pointing to arbitrary namespaces. A user could configure a Metal3Machine to  reference secrets in namespaces they do not have access to, and the controller would fetch and use those secrets.\n\n### 2. Cross-namespace BareMetalHost lookups\n\nThe host annotation on Metal3Machine could include a namespace/name format, causing the controller to look up BareMetalHost resources in arbitrary namespaces. This  allowed a user to claim or associate with BareMetalHosts belonging to other tenants.\n\n### 3. Incorrect logical operator in ConsumerRef validation\n\nThe Metal3LabelSync controller used AND logic (\u0026\u0026) when validating BareMetalHost ConsumerRef Kind and Group, meaning it only rejected a ConsumerRef when both Kind and Group were wrong. If only one was incorrect (e.g., wrong Kind but correct Group), the validation passed, potentially allowing unauthorized resources to associate with a BareMetalHost.\n\n### 4. Cross-namespace Metal3DataTemplate references\n\nMetal3DataClaim resources could reference Metal3DataTemplate resources in other namespaces. The controller would reconcile using the referenced template regardless of namespace, allowing data leakage across namespace boundaries.\n\n## Impact\n\nThese vulnerabilities allow cross-namespace resource access within the CAPM3 management cluster. A user with permissions to create or modify Metal3Machine or Metal3DataClaim resources in one namespace could reference secrets, BareMetalHosts, or data templates in other namespaces.\n\nPractical impact is limited because:\n\n- CAPM3 management clusters are typically single-tenant, operated by a single infrastructure/platform team. Namespace boundaries serve as organizational separation (e.g., per workload cluster), not as security isolation between mutually untrusted parties.\n- Exploiting these issues requires RBAC permissions to create or modify CAPM3 infrastructure resources (Metal3Machine, Metal3DataClaim), which are infrastructure-admin privileges not granted to application developers or end users.\n- The accessible resources are limited to Metal3 operational artifacts (bootstrap secrets, network metadata, BareMetalHost associations), not arbitrary cluster secrets.\n\nEnvironments with elevated risk:\n\n- Management clusters where namespace-scoped RBAC is used to delegate infrastructure provisioning to separate teams with different trust levels.\n- Managed service providers using a shared management cluster across multiple customer namespaces.\n\nIn the common single-team deployment model, these issues represent a defense-in-depth gap rather than a directly exploitable privilege escalation.\n\n### Prerequisites for exploitation\n\n- Attacker must have RBAC permissions to create or modify Metal3Machine or Metal3DataClaim resources in at least one namespace.\n- Target resources (secrets, BareMetalHosts, templates) must exist in other namespaces on the same management cluster.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n\n1. Restrict RBAC: Limit who can create/modify Metal3Machine and Metal3DataClaim resources to trusted operators only.\n2. Admission policies: Deploy OPA/Gatekeeper or Kyverno policies that reject CAPM3 resources with cross-namespace references.\n3. Network policies: While not a direct mitigation, network policies can limit the blast radius of compromised credentials.\n\n## Resources\n\n- https://github.com/metal3-io/cluster-api-provider-metal3/pull/3288, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3294\n- https://github.com/metal3-io/cluster-api-provider-metal3/pull/3317, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3319, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3323\n- https://github.com/metal3-io/cluster-api-provider-metal3/pull/3322, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3325\n- https://github.com/metal3-io/cluster-api-provider-metal3/pull/3327, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3343, https://github.com/metal3-io/cluster-api-provider-metal3/pull/3344",
  "id": "GHSA-rf84-wr5g-m3rp",
  "modified": "2026-05-29T19:01:06Z",
  "published": "2026-05-29T19:01:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/security/advisories/GHSA-rf84-wr5g-m3rp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3288"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3317"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3319"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3322"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3323"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3327"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3343"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3/pull/3344"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/metal3-io/cluster-api-provider-metal3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CAPM3 vulnerable to Cross-Namespace resource access"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.