CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5497 vulnerabilities reference this CWE, most recent first.
CVE-2026-55873 (GCVE-0-2026-55873)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:48 – Updated: 2026-07-08 15:33- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/seaweedfs/seaweedfs/security/a… | x_refsource_CONFIRM |
| https://github.com/seaweedfs/seaweedfs/pull/9961 | x_refsource_MISC |
| https://github.com/seaweedfs/seaweedfs/commit/b13… | x_refsource_MISC |
| https://github.com/seaweedfs/seaweedfs/releases/t… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:33:28.325392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:33:34.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "seaweedfs",
"vendor": "seaweedfs",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.08, \u003c 4.34"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs. This issue is fixed in version 4.34."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:48:37.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-hgpf-8634-g44c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-hgpf-8634-g44c"
},
{
"name": "https://github.com/seaweedfs/seaweedfs/pull/9961",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seaweedfs/seaweedfs/pull/9961"
},
{
"name": "https://github.com/seaweedfs/seaweedfs/commit/b13463880c1fa62e255c058a9228b63cc95b4b36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seaweedfs/seaweedfs/commit/b13463880c1fa62e255c058a9228b63cc95b4b36"
},
{
"name": "https://github.com/seaweedfs/seaweedfs/releases/tag/4.34",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seaweedfs/seaweedfs/releases/tag/4.34"
}
],
"source": {
"advisory": "GHSA-hgpf-8634-g44c",
"discovery": "UNKNOWN"
},
"title": "SeaweedFS: Improper authorization in the S3Tables / Iceberg REST management API lets a low-privileged S3 user enumerate administrator-owned table buckets"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55873",
"datePublished": "2026-07-08T14:48:37.000Z",
"dateReserved": "2026-06-17T16:59:42.758Z",
"dateUpdated": "2026-07-08T15:33:34.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55672 (GCVE-0-2026-55672)
Vulnerability from cvelistv5 – Published: 2026-07-10 17:19 – Updated: 2026-07-10 18:38| URL | Tags |
|---|---|
| https://github.com/zitadel/zitadel/security/advis… | x_refsource_CONFIRM |
| https://github.com/zitadel/zitadel/commit/5624030… | x_refsource_MISC |
| https://github.com/zitadel/zitadel/commit/5b1708e… | x_refsource_MISC |
| https://github.com/zitadel/zitadel/releases/tag/v3.4.12 | x_refsource_MISC |
| https://github.com/zitadel/zitadel/releases/tag/v4.15.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55672",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T18:38:05.489144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T18:38:10.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
},
{
"status": "affected",
"version": "\u003c 3.4.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL\u0027s OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T17:19:05.266Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xqxv-4jc2-x56x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xqxv-4jc2-x56x"
},
{
"name": "https://github.com/zitadel/zitadel/commit/562403079a98cf2059cdac11865a45e2f285be71",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/562403079a98cf2059cdac11865a45e2f285be71"
},
{
"name": "https://github.com/zitadel/zitadel/commit/5b1708e0e650398f0ebc3341714f0798b0118917",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/5b1708e0e650398f0ebc3341714f0798b0118917"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
}
],
"source": {
"advisory": "GHSA-xqxv-4jc2-x56x",
"discovery": "UNKNOWN"
},
"title": "ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55672",
"datePublished": "2026-07-10T17:19:05.266Z",
"dateReserved": "2026-06-17T00:05:03.778Z",
"dateUpdated": "2026-07-10T18:38:10.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55638 (GCVE-0-2026-55638)
Vulnerability from cvelistv5 – Published: 2026-07-10 15:38 – Updated: 2026-07-10 16:46| URL | Tags |
|---|---|
| https://github.com/decolua/9router/security/advis… | x_refsource_CONFIRM |
| https://github.com/decolua/9router/commit/b282f05… | x_refsource_MISC |
| https://github.com/decolua/9router/releases/tag/v0.5.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55638",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T16:45:56.907696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T16:46:33.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "9router",
"vendor": "decolua",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/* to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/* to bypass the API-key gate and cause the server to make upstream provider calls using operator-stored LLM provider credentials. This issue is fixed in version 0.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T15:38:21.922Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r"
},
{
"name": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3"
},
{
"name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
}
],
"source": {
"advisory": "GHSA-8gmq-j984-vp4r",
"discovery": "UNKNOWN"
},
"title": "9router: Unauthenticated LLM proxy access via /codex rewrite authorization bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55638",
"datePublished": "2026-07-10T15:38:21.922Z",
"dateReserved": "2026-06-16T23:52:12.057Z",
"dateUpdated": "2026-07-10T16:46:33.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55479 (GCVE-0-2026-55479)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:40 – Updated: 2026-07-10 20:57- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/grokability/snipe-it/security/… | x_refsource_CONFIRM |
| https://github.com/grokability/snipe-it/commit/80… | x_refsource_MISC |
| https://github.com/grokability/snipe-it/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| grokability | snipe-it |
Affected:
< 8.6.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:46:16.560216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:57:59.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snipe-it",
"vendor": "grokability",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission, allowing a user who can assign licenses but not unassign them to directly access the old checkin endpoint and reclaim a license seat assigned to another user or asset. This issue is fixed in version 8.6.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:40:52.446Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grokability/snipe-it/security/advisories/GHSA-8frh-vhgh-64cf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-8frh-vhgh-64cf"
},
{
"name": "https://github.com/grokability/snipe-it/commit/80c8aa41dc813b0815db00bb44eb0fff9f89a227",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/commit/80c8aa41dc813b0815db00bb44eb0fff9f89a227"
},
{
"name": "https://github.com/grokability/snipe-it/releases/tag/v8.6.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/releases/tag/v8.6.2"
}
],
"source": {
"advisory": "GHSA-8frh-vhgh-64cf",
"discovery": "UNKNOWN"
},
"title": "Snipe-IT: Incorrect permission for legacy license checkin API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55479",
"datePublished": "2026-07-10T19:40:52.446Z",
"dateReserved": "2026-06-16T22:28:27.061Z",
"dateUpdated": "2026-07-10T20:57:59.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55475 (GCVE-0-2026-55475)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:43 – Updated: 2026-07-13 16:11- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/grokability/snipe-it/security/… | x_refsource_CONFIRM |
| https://github.com/grokability/snipe-it/pull/19072 | x_refsource_MISC |
| https://github.com/grokability/snipe-it/commit/39… | x_refsource_MISC |
| https://github.com/grokability/snipe-it/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| grokability | snipe-it |
Affected:
< 8.6.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55475",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T16:11:42.936956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T16:11:50.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snipe-it",
"vendor": "grokability",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the created_by value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in version 8.6.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:43:56.948Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grokability/snipe-it/security/advisories/GHSA-5wx7-xq8j-v4qm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-5wx7-xq8j-v4qm"
},
{
"name": "https://github.com/grokability/snipe-it/pull/19072",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/pull/19072"
},
{
"name": "https://github.com/grokability/snipe-it/commit/39fbe983132feca2ef15c1c0200fcc77c23a1434",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/commit/39fbe983132feca2ef15c1c0200fcc77c23a1434"
},
{
"name": "https://github.com/grokability/snipe-it/releases/tag/v8.6.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/releases/tag/v8.6.1"
}
],
"source": {
"advisory": "GHSA-5wx7-xq8j-v4qm",
"discovery": "UNKNOWN"
},
"title": "Snipe-IT: Import created_by can be overwritten"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55475",
"datePublished": "2026-07-10T19:43:56.948Z",
"dateReserved": "2026-06-16T22:10:37.609Z",
"dateUpdated": "2026-07-13T16:11:50.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55472 (GCVE-0-2026-55472)
Vulnerability from cvelistv5 – Published: 2026-07-10 18:36 – Updated: 2026-07-13 18:22- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/grokability/snipe-it/security/… | x_refsource_CONFIRM |
| https://github.com/grokability/snipe-it/commit/9a… | x_refsource_MISC |
| https://github.com/grokability/snipe-it/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| grokability | snipe-it |
Affected:
< 8.6.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T18:22:35.325309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T18:22:44.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snipe-it",
"vendor": "grokability",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects an invalid parent-child company mismatch but does not return immediately, allowing creation of a child location under a parent location from a different company. This issue is fixed in version 8.6.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T18:36:58.923Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grokability/snipe-it/security/advisories/GHSA-8w8c-8mx9-52cw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-8w8c-8mx9-52cw"
},
{
"name": "https://github.com/grokability/snipe-it/commit/9a8cbd6e00613a726b639a97a1da71b3c54f9489",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/commit/9a8cbd6e00613a726b639a97a1da71b3c54f9489"
},
{
"name": "https://github.com/grokability/snipe-it/releases/tag/v8.6.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/releases/tag/v8.6.2"
}
],
"source": {
"advisory": "GHSA-8w8c-8mx9-52cw",
"discovery": "UNKNOWN"
},
"title": "Snipe-IT: API Location Creation Bypasses FMCS Parent-Child Company Boundary Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55472",
"datePublished": "2026-07-10T18:36:58.923Z",
"dateReserved": "2026-06-16T22:10:37.609Z",
"dateUpdated": "2026-07-13T18:22:44.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55462 (GCVE-0-2026-55462)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:35 – Updated: 2026-07-13 15:01- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/grokability/snipe-it/security/… | x_refsource_CONFIRM |
| https://github.com/grokability/snipe-it/commit/37… | x_refsource_MISC |
| https://github.com/grokability/snipe-it/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| grokability | snipe-it |
Affected:
< 8.6.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55462",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T15:01:13.489641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T15:01:17.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-fc33-6w3q-538h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snipe-it",
"vendor": "grokability",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and cost/order metadata from modules that direct permissions would otherwise deny. This issue is fixed in version 8.6.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:35:05.107Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grokability/snipe-it/security/advisories/GHSA-fc33-6w3q-538h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-fc33-6w3q-538h"
},
{
"name": "https://github.com/grokability/snipe-it/commit/374f426f0c6bb7a4f129f7b85051cc1da753a0f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/commit/374f426f0c6bb7a4f129f7b85051cc1da753a0f5"
},
{
"name": "https://github.com/grokability/snipe-it/releases/tag/v8.6.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/releases/tag/v8.6.2"
}
],
"source": {
"advisory": "GHSA-fc33-6w3q-538h",
"discovery": "UNKNOWN"
},
"title": "Snipe-IT: Authorization bypass on print inventory page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55462",
"datePublished": "2026-07-10T19:35:05.107Z",
"dateReserved": "2026-06-16T22:10:37.608Z",
"dateUpdated": "2026-07-13T15:01:17.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55460 (GCVE-0-2026-55460)
Vulnerability from cvelistv5 – Published: 2026-07-10 18:39 – Updated: 2026-07-14 13:43- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/grokability/snipe-it/security/… | x_refsource_CONFIRM |
| https://github.com/grokability/snipe-it/commit/37… | x_refsource_MISC |
| https://github.com/grokability/snipe-it/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| grokability | snipe-it |
Affected:
< 8.6.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55460",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T13:43:09.369831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T13:43:51.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-vgx7-c78r-69w9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snipe-it",
"vendor": "grokability",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorizes only update, allowing the user to soft-delete another non-admin user. This issue is fixed in version 8.6.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T18:39:22.370Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grokability/snipe-it/security/advisories/GHSA-vgx7-c78r-69w9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-vgx7-c78r-69w9"
},
{
"name": "https://github.com/grokability/snipe-it/commit/374f426f0c6bb7a4f129f7b85051cc1da753a0f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/commit/374f426f0c6bb7a4f129f7b85051cc1da753a0f5"
},
{
"name": "https://github.com/grokability/snipe-it/releases/tag/v8.6.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grokability/snipe-it/releases/tag/v8.6.2"
}
],
"source": {
"advisory": "GHSA-vgx7-c78r-69w9",
"discovery": "UNKNOWN"
},
"title": "Snipe-IT: Authorization bypass on bulk editing users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55460",
"datePublished": "2026-07-10T18:39:22.370Z",
"dateReserved": "2026-06-16T22:10:37.608Z",
"dateUpdated": "2026-07-14T13:43:51.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55435 (GCVE-0-2026-55435)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:37 – Updated: 2026-07-09 14:42- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/coder/coder/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/coder/coder/pull/26164 | x_refsource_MISC |
| https://github.com/coder/coder/pull/26173 | x_refsource_MISC |
| https://github.com/coder/coder/commit/0d2c9f904a8… | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.32.7 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.33.8 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.34.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:21:14.795795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:42:41.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coder",
"vendor": "coder",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.34.0, \u003c 2.34.2"
},
{
"status": "affected",
"version": "\u003e= 2.33.0, \u003c 2.33.8"
},
{
"status": "affected",
"version": "\u003e= 2.30.0, \u003c 2.32.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user\u0027s unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user\u0027s API keys via `DELETE /api/v2/users/{user}/keys`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:37:31.211Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coder/coder/security/advisories/GHSA-wqxv-w64v-5wh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coder/coder/security/advisories/GHSA-wqxv-w64v-5wh6"
},
{
"name": "https://github.com/coder/coder/pull/26164",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/pull/26164"
},
{
"name": "https://github.com/coder/coder/pull/26173",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/pull/26173"
},
{
"name": "https://github.com/coder/coder/commit/0d2c9f904a8b75b888140fcc8fbf4633660cc787",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/commit/0d2c9f904a8b75b888140fcc8fbf4633660cc787"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.32.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.32.7"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.33.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.33.8"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.34.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.34.2"
}
],
"source": {
"advisory": "GHSA-wqxv-w64v-5wh6",
"discovery": "UNKNOWN"
},
"title": "Suspended Coder users retain access to AI Bridge LLM proxy endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55435",
"datePublished": "2026-07-07T17:37:31.211Z",
"dateReserved": "2026-06-16T21:59:57.017Z",
"dateUpdated": "2026-07-09T14:42:41.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55428 (GCVE-0-2026-55428)
Vulnerability from cvelistv5 – Published: 2026-07-07 23:57 – Updated: 2026-07-08 13:11| URL | Tags |
|---|---|
| https://github.com/coder/coder/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/coder/coder/pull/26144 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.29.17 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.32.7 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.33.8 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.34.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:10:59.507766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:11:08.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coder",
"vendor": "coder",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.34.0, \u003c 2.34.2"
},
{
"status": "affected",
"version": "\u003e= 2.33.0, \u003c 2.33.8"
},
{
"status": "affected",
"version": "\u003e= 2.30.0, \u003c 2.32.7"
},
{
"status": "affected",
"version": "\u003c 2.29.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent\u0027s `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent\u0027s UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T23:57:45.338Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp"
},
{
"name": "https://github.com/coder/coder/pull/26144",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/pull/26144"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.29.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.29.17"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.32.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.32.7"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.33.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.33.8"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.34.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.34.2"
}
],
"source": {
"advisory": "GHSA-wrq8-fcv5-8hvp",
"discovery": "UNKNOWN"
},
"title": "Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55428",
"datePublished": "2026-07-07T23:57:45.338Z",
"dateReserved": "2026-06-16T21:59:57.016Z",
"dateUpdated": "2026-07-08T13:11:08.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.