CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5496 vulnerabilities reference this CWE, most recent first.
GHSA-XMRJ-C495-VFVX
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-10-22 12:00A vulnerability in the fabric infrastructure file system access control of Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an authenticated, local attacker to read arbitrary files on an affected system. This vulnerability is due to improper access control. An attacker with Administrator privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to read arbitrary files on the file system of the affected device.
{
"affected": [],
"aliases": [
"CVE-2021-1583"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-25T20:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the fabric infrastructure file system access control of Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an authenticated, local attacker to read arbitrary files on an affected system. This vulnerability is due to improper access control. An attacker with Administrator privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to read arbitrary files on the file system of the affected device.",
"id": "GHSA-xmrj-c495-vfvx",
"modified": "2022-10-22T12:00:30Z",
"published": "2022-05-24T19:12:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1583"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-naci-afr-UtjfO2D7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XP38-X25M-8FPQ
Vulnerability from github – Published: 2025-07-05 00:30 – Updated: 2025-07-05 00:30The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems.
{
"affected": [],
"aliases": [
"CVE-2025-26850"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-05T00:15:22Z",
"severity": "CRITICAL"
},
"details": "The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems.",
"id": "GHSA-xp38-x25m-8fpq",
"modified": "2025-07-05T00:30:23Z",
"published": "2025-07-05T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26850"
},
{
"type": "WEB",
"url": "https://support.quest.com/kb/4378559/quest-response-to-kace-sma-agent-vulnerability-cve-2025-26850"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XP42-838X-6M32
Vulnerability from github – Published: 2025-03-04 06:30 – Updated: 2025-03-04 06:30During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that could lead to an incorrect user privilege level in the VAPIX service account D-Bus API.
{
"affected": [],
"aliases": [
"CVE-2025-0360"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T06:15:30Z",
"severity": "HIGH"
},
"details": "During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that could lead to an incorrect user privilege level in the VAPIX service account D-Bus API.",
"id": "GHSA-xp42-838x-6m32",
"modified": "2025-03-04T06:30:34Z",
"published": "2025-03-04T06:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0360"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/b1/fe/46/cve-2025-0360pdf-en-US-466887.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XP4Q-QHV3-758Q
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to craft special HTTP requests allowing an attacker to bypass web-service authentication allowing the attacker to obtain administrative privileges on the device.
{
"affected": [],
"aliases": [
"CVE-2017-16743"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-12T20:29:00Z",
"severity": "CRITICAL"
},
"details": "An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to craft special HTTP requests allowing an attacker to bypass web-service authentication allowing the attacker to obtain administrative privileges on the device.",
"id": "GHSA-xp4q-qhv3-758q",
"modified": "2022-05-13T01:44:11Z",
"published": "2022-05-13T01:44:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16743"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2017-006"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-011-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XP9R-PRPG-373R
Vulnerability from github – Published: 2026-03-30 19:05 – Updated: 2026-04-10 17:24Fixed in OpenClaw 2026.3.24, the current shipping release.
Title
browser.request still allows POST /reset-profile through the operator.write surface in OpenClaw v2026.3.22 after GHSA-vmhq-cqm9-6p7q
Severity Assessment
High
CWE:
CWE-863: Incorrect Authorization
Proposed CVSS v3.1:
8.1(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
An authenticated caller who only has access to the scoped Gateway method browser.request on the operator.write surface can still reach a destructive persistent-profile management route.
Likely related advisory family:
GHSA-vmhq-cqm9-6p7q
This should be treated as a later-version residual or incomplete fix. The earlier fix blocked POST /profiles/create and profile deletion, but the latest released v2026.3.22 code still omits POST /reset-profile from the same mutation gate.
Impact
A caller with operator.write access to browser.request can still trigger persistent profile reset via POST /reset-profile.
This crosses the intended privilege boundary for browser profile management because the release already attempts to block adjacent persistent profile mutations on this same surface.
In practice, the allowed route reaches destructive behavior that can:
- stop the running browser for that profile
- close the Playwright browser connection for that profile
- move the profile's local
userDataDirto Trash when it exists
This is a real integrity and availability impact on persistent browser state, not a route-classification mismatch with no side effects.
Affected Component
Product:
openclaw
Tested latest released version:
- release tag:
v2026.3.22 - release tag target commit (peeled tag):
e7d11f6c33e223a0dd8a21cfe01076bd76cef87a
Published artifact for that release:
- package:
openclaw-2026.3.22.tgz - package build-info commit:
4dcc39c25c6cc63fedfd004f52d173716576fcf0 - package build-info timestamp:
2026-03-23T10:56:05.946Z
Exact vulnerable paths on the shipped tag:
src/gateway/method-scopes.ts:114browser.requestis placed on theoperator.writesurfacesrc/gateway/server-methods/browser.ts:155-165- requests are only denied when
isPersistentBrowserProfileMutation(method, path)returns true src/browser/request-policy.ts:19-25- the mutation classifier recognizes
POST /profiles/createandDELETE /profiles/:name, but notPOST /reset-profile src/browser/routes/basic.ts:161-170- the browser server exposes
POST /reset-profile src/browser/server-context.reset.ts:37-63resetProfile()stops the browser, closes the connection, and moves the local profile directory to Trash when presentsrc/node-host/invoke-browser.ts:240-243- the same route-classification helper is reused in the browser proxy path when profile restrictions are active
Relevant regression coverage gap on the shipped tag:
src/gateway/server-methods/browser.profile-from-body.test.ts:104-140- tests only block
POST /profiles/createandDELETE /profiles/:name - there is no equivalent deny case for
POST /reset-profile
Published artifact evidence for the exact released package:
openclaw-2026.3.22.tgz::package/dist/build-info.jsonopenclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11469-11525openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11484-11485openclaw-2026.3.22.tgz::package/dist/request-policy-nIRryZwZ.js:9-12openclaw-2026.3.22.tgz::package/dist/routes-CdaHRCET.js:6874-6889
Important release note:
- the published package build-info commit differs from the release tag target commit
- for this issue, the relevant authorization and route behavior was cross-checked in both the shipped tag source and the published package bundle, and it matches semantically on the vulnerable path
Technical Reproduction
A direct control/exploit pair can be reproduced against the latest released version.
Preconditions:
- use
openclaw@2026.3.22 - authenticate as a caller that has access to the scoped Gateway method
browser.request - keep that caller on
operator.write, notoperator.admin - ensure the target local browser profile exists
Reproduction steps:
- Call
browser.requestwith: method: "POST"path: "/profiles/create"body: { "name": "poc-profile" }- Observe the control case is rejected with:
browser.request cannot create or delete persistent browser profiles- Call
browser.requestagain with: method: "POST"path: "/reset-profile"body: { "profile": "poc-profile", "name": "poc-profile" }- Observe that the exploit case is not rejected by the same handler.
- Observe that the request is forwarded to the browser route/dispatcher, rather than being denied by the mutation classifier.
- Observe that the reset route succeeds and applies profile reset behavior.
Why this happens in the released code:
- the release tries to gate persistent profile mutation using
isPersistentBrowserProfileMutation(...) - that helper does not classify
POST /reset-profileas a protected mutation - the exposed browser server route still maps
/reset-profiletoprofileCtx.resetProfile() resetProfile()performs state-changing behavior on the selected local profile
Demonstrated Impact
The shipped release shows the following behavior difference:
Control case:
POST /profiles/create- rejected before the request is dispatched to the browser control path
Exploit case:
POST /reset-profile- not classified as a blocked mutation
- remains reachable through the
browser.requestsurface - reaches
resetProfile(), which performs destructive profile-management operations
The reached route has concrete side effects:
- stops the running browser if active
- closes the Playwright browser connection
- moves the profile's local
userDataDirto Trash if it exists
This is therefore a concrete authorization and policy gap on a real destructive profile-management route. It is not a complaint about the existence of browser.request by itself.
Environment
Environment used for validation:
- product:
openclaw - latest released version:
2026.3.22 - release tag:
v2026.3.22 - release tag target commit (peeled tag):
e7d11f6c33e223a0dd8a21cfe01076bd76cef87a - published package:
openclaw-2026.3.22.tgz - published package build-info commit:
4dcc39c25c6cc63fedfd004f52d173716576fcf0
Explicit trust-model statement:
- this report does not rely on adversarial or mutually untrusted operators sharing one gateway host or config
Scope check:
- this is not a complaint about the existence of the explicit
browser.requestsurface by itself - this is not a prompt-injection-only report
- this is not a multi-tenant shared-gateway claim
- this is not an attack on the unscoped HTTP compatibility endpoints
- this is a concrete missed route inside an intended privilege gate on a real scoped Gateway method
- the control case proves the policy is intended to exist on this surface, and the exploit case proves
POST /reset-profileremains outside that gate in the shipped release
Remediation Advice
Recommended fix:
- Extend the persistent-profile mutation classifier to include
POST /reset-profile. - Reuse the same centralized route classification everywhere the release currently relies on
isPersistentBrowserProfileMutation(...), including: src/gateway/server-methods/browser.tssrc/node-host/invoke-browser.ts- Add regression coverage with both:
- a deny control for
POST /reset-profileon the lower-privilegebrowser.requestsurface - an allow control for non-mutating browser profile reads
- Review nearby profile-management routes for any other state-changing endpoints that are still omitted from the mutation classifier.
- Treat
GHSA-vmhq-cqm9-6p7qas the prior family and close the remaining residual route in the same policy surface.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35653"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T19:05:11Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "\u003e Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n# Title\n\n`browser.request` still allows `POST /reset-profile` through the `operator.write` surface in OpenClaw `v2026.3.22` after `GHSA-vmhq-cqm9-6p7q`\n\n## Severity Assessment\n\nHigh\n\nCWE:\n\n- `CWE-863: Incorrect Authorization`\n\nProposed CVSS v3.1:\n\n- `8.1` (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H`)\n\nAn authenticated caller who only has access to the scoped Gateway method `browser.request` on the `operator.write` surface can still reach a destructive persistent-profile management route.\n\nLikely related advisory family:\n\n- `GHSA-vmhq-cqm9-6p7q`\n\nThis should be treated as a later-version residual or incomplete fix. The earlier fix blocked `POST /profiles/create` and profile deletion, but the latest released `v2026.3.22` code still omits `POST /reset-profile` from the same mutation gate.\n\n## Impact\n\nA caller with `operator.write` access to `browser.request` can still trigger persistent profile reset via `POST /reset-profile`.\n\nThis crosses the intended privilege boundary for browser profile management because the release already attempts to block adjacent persistent profile mutations on this same surface.\n\nIn practice, the allowed route reaches destructive behavior that can:\n\n- stop the running browser for that profile\n- close the Playwright browser connection for that profile\n- move the profile\u0027s local `userDataDir` to Trash when it exists\n\nThis is a real integrity and availability impact on persistent browser state, not a route-classification mismatch with no side effects.\n\n## Affected Component\n\nProduct:\n\n- `openclaw`\n\nTested latest released version:\n\n- release tag: `v2026.3.22`\n- release tag target commit (peeled tag): `e7d11f6c33e223a0dd8a21cfe01076bd76cef87a`\n\nPublished artifact for that release:\n\n- package: `openclaw-2026.3.22.tgz`\n- package build-info commit: `4dcc39c25c6cc63fedfd004f52d173716576fcf0`\n- package build-info timestamp: `2026-03-23T10:56:05.946Z`\n\nExact vulnerable paths on the shipped tag:\n\n- `src/gateway/method-scopes.ts:114`\n - `browser.request` is placed on the `operator.write` surface\n- `src/gateway/server-methods/browser.ts:155-165`\n - requests are only denied when `isPersistentBrowserProfileMutation(method, path)` returns true\n- `src/browser/request-policy.ts:19-25`\n - the mutation classifier recognizes `POST /profiles/create` and `DELETE /profiles/:name`, but not `POST /reset-profile`\n- `src/browser/routes/basic.ts:161-170`\n - the browser server exposes `POST /reset-profile`\n- `src/browser/server-context.reset.ts:37-63`\n - `resetProfile()` stops the browser, closes the connection, and moves the local profile directory to Trash when present\n- `src/node-host/invoke-browser.ts:240-243`\n - the same route-classification helper is reused in the browser proxy path when profile restrictions are active\n\nRelevant regression coverage gap on the shipped tag:\n\n- `src/gateway/server-methods/browser.profile-from-body.test.ts:104-140`\n - tests only block `POST /profiles/create` and `DELETE /profiles/:name`\n - there is no equivalent deny case for `POST /reset-profile`\n\nPublished artifact evidence for the exact released package:\n\n- `openclaw-2026.3.22.tgz::package/dist/build-info.json`\n- `openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11469-11525`\n- `openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11484-11485`\n- `openclaw-2026.3.22.tgz::package/dist/request-policy-nIRryZwZ.js:9-12`\n- `openclaw-2026.3.22.tgz::package/dist/routes-CdaHRCET.js:6874-6889`\n\nImportant release note:\n\n- the published package build-info commit differs from the release tag target commit\n- for this issue, the relevant authorization and route behavior was cross-checked in both the shipped tag source and the published package bundle, and it matches semantically on the vulnerable path\n\n## Technical Reproduction\n\nA direct control/exploit pair can be reproduced against the latest released version.\n\nPreconditions:\n\n- use `openclaw@2026.3.22`\n- authenticate as a caller that has access to the scoped Gateway method `browser.request`\n- keep that caller on `operator.write`, not `operator.admin`\n- ensure the target local browser profile exists\n\nReproduction steps:\n\n1. Call `browser.request` with:\n - `method: \"POST\"`\n - `path: \"/profiles/create\"`\n - `body: { \"name\": \"poc-profile\" }`\n2. Observe the control case is rejected with:\n - `browser.request cannot create or delete persistent browser profiles`\n3. Call `browser.request` again with:\n - `method: \"POST\"`\n - `path: \"/reset-profile\"`\n - `body: { \"profile\": \"poc-profile\", \"name\": \"poc-profile\" }`\n4. Observe that the exploit case is not rejected by the same handler.\n5. Observe that the request is forwarded to the browser route/dispatcher, rather than being denied by the mutation classifier.\n6. Observe that the reset route succeeds and applies profile reset behavior.\n\nWhy this happens in the released code:\n\n- the release tries to gate persistent profile mutation using `isPersistentBrowserProfileMutation(...)`\n- that helper does not classify `POST /reset-profile` as a protected mutation\n- the exposed browser server route still maps `/reset-profile` to `profileCtx.resetProfile()`\n- `resetProfile()` performs state-changing behavior on the selected local profile\n\n## Demonstrated Impact\n\nThe shipped release shows the following behavior difference:\n\nControl case:\n\n- `POST /profiles/create`\n- rejected before the request is dispatched to the browser control path\n\nExploit case:\n\n- `POST /reset-profile`\n- not classified as a blocked mutation\n- remains reachable through the `browser.request` surface\n- reaches `resetProfile()`, which performs destructive profile-management operations\n\nThe reached route has concrete side effects:\n\n- stops the running browser if active\n- closes the Playwright browser connection\n- moves the profile\u0027s local `userDataDir` to Trash if it exists\n\nThis is therefore a concrete authorization and policy gap on a real destructive profile-management route. It is not a complaint about the existence of `browser.request` by itself.\n\n## Environment\n\nEnvironment used for validation:\n\n- product: `openclaw`\n- latest released version: `2026.3.22`\n- release tag: `v2026.3.22`\n- release tag target commit (peeled tag): `e7d11f6c33e223a0dd8a21cfe01076bd76cef87a`\n- published package: `openclaw-2026.3.22.tgz`\n- published package build-info commit: `4dcc39c25c6cc63fedfd004f52d173716576fcf0`\n\nExplicit trust-model statement:\n\n- this report does **not** rely on adversarial or mutually untrusted operators sharing one gateway host or config\n\nScope check:\n\n- this is **not** a complaint about the existence of the explicit `browser.request` surface by itself\n- this is **not** a prompt-injection-only report\n- this is **not** a multi-tenant shared-gateway claim\n- this is **not** an attack on the unscoped HTTP compatibility endpoints\n- this is a concrete missed route inside an intended privilege gate on a real scoped Gateway method\n- the control case proves the policy is intended to exist on this surface, and the exploit case proves `POST /reset-profile` remains outside that gate in the shipped release\n\n## Remediation Advice\n\nRecommended fix:\n\n1. Extend the persistent-profile mutation classifier to include `POST /reset-profile`.\n2. Reuse the same centralized route classification everywhere the release currently relies on `isPersistentBrowserProfileMutation(...)`, including:\n - `src/gateway/server-methods/browser.ts`\n - `src/node-host/invoke-browser.ts`\n3. Add regression coverage with both:\n - a deny control for `POST /reset-profile` on the lower-privilege `browser.request` surface\n - an allow control for non-mutating browser profile reads\n4. Review nearby profile-management routes for any other state-changing endpoints that are still omitted from the mutation classifier.\n5. Treat `GHSA-vmhq-cqm9-6p7q` as the prior family and close the remaining residual route in the same policy surface.",
"id": "GHSA-xp9r-prpg-373r",
"modified": "2026-04-10T17:24:50Z",
"published": "2026-03-30T19:05:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface"
}
GHSA-XPH7-9RJV-W5FR
Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-06-16 15:33The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to allowing users to perform cross tenant actions.
{
"affected": [],
"aliases": [
"CVE-2026-45831"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T16:16:28Z",
"severity": "HIGH"
},
"details": "The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to allowing users to perform cross tenant actions.",
"id": "GHSA-xph7-9rjv-w5fr",
"modified": "2026-06-16T15:33:43Z",
"published": "2026-06-12T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45831"
},
{
"type": "WEB",
"url": "https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XPJH-VMFM-8QMF
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 15:31An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, macOS Sequoia 15.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2. Private Browsing tabs may be accessed without authentication.
{
"affected": [],
"aliases": [
"CVE-2024-54542"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:14Z",
"severity": "HIGH"
},
"details": "An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, macOS Sequoia 15.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2. Private Browsing tabs may be accessed without authentication.",
"id": "GHSA-xpjh-vmfm-8qmf",
"modified": "2025-01-28T15:31:56Z",
"published": "2025-01-28T00:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54542"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121837"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121843"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121846"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPPG-XX55-6RW5
Vulnerability from github – Published: 2025-08-12 12:30 – Updated: 2025-08-12 12:30A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not enforce mandatory authorization on some functionality level at server side. This could allow an authenticated attacker to gain complete access of the application.
{
"affected": [],
"aliases": [
"CVE-2024-41979"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T12:15:31Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions \u003e= V13.2 \u003c V2506), SOA Audit (All versions \u003e= V13.2 \u003c V2506), SOA Cockpit (All versions \u003e= V13.2 \u003c V2506). The affected application does not enforce mandatory authorization on some functionality level at server side. This could allow an authenticated attacker to gain complete access of the application.",
"id": "GHSA-xppg-xx55-6rw5",
"modified": "2025-08-12T12:30:33Z",
"published": "2025-08-12T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41979"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-382999.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XPPM-FXHJ-X8P3
Vulnerability from github – Published: 2026-03-11 03:31 – Updated: 2026-03-11 03:31Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2026-21285"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T03:15:53Z",
"severity": "MODERATE"
},
"details": "Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Exploitation of this issue does not require user interaction.",
"id": "GHSA-xppm-fxhj-x8p3",
"modified": "2026-03-11T03:31:27Z",
"published": "2026-03-11T03:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21285"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb26-05.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPVF-6QCC-9JQC
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-18 16:09Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20260107144005-c7f6efdfb035"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.2-0.20260107144005-c7f6efdfb035"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0-rc1"
},
{
"fixed": "10.11.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.2.0-rc1"
},
{
"fixed": "11.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.3.0-rc1"
},
{
"fixed": "11.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4265"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T16:09:03Z",
"nvd_published_at": "2026-03-16T14:20:19Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.3.x \u003c= 11.3.0, 11.2.x \u003c= 11.2.2, 10.11.x \u003c= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553",
"id": "GHSA-xpvf-6qcc-9jqc",
"modified": "2026-03-18T16:09:03Z",
"published": "2026-03-16T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4265"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/c7f6efdfb035490f494b3177996ee5f4b278c988"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to validate team-specific upload_file permissions"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.