CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5537 vulnerabilities reference this CWE, most recent first.
CVE-2026-6343 (GCVE-0-2026-6343)
Vulnerability from cvelistv5 – Published: 2026-05-18 08:32 – Updated: 2026-05-18 14:37- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.5.0 , ≤ 11.5.1
(semver)
Affected: 10.11.0 , ≤ 10.11.13 (semver) Affected: 11.4.0 , ≤ 11.4.3 (semver) Unaffected: 11.6.0 Unaffected: 11.5.2 Unaffected: 10.11.14 Unaffected: 11.4.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:37:43.377670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:37:55.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.5.1",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.13",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.4.3",
"status": "affected",
"version": "11.4.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.6.0"
},
{
"status": "unaffected",
"version": "11.5.2"
},
{
"status": "unaffected",
"version": "10.11.14"
},
{
"status": "unaffected",
"version": "11.4.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x7oda7123"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.5.x \u003c= 11.5.1, 10.11.x \u003c= 10.11.13, 11.4.x \u003c= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T08:32:28.121Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00591",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00591",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67188"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6343",
"datePublished": "2026-05-18T08:32:28.121Z",
"dateReserved": "2026-04-15T10:41:22.511Z",
"dateUpdated": "2026-05-18T14:37:55.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6342 (GCVE-0-2026-6342)
Vulnerability from cvelistv5 – Published: 2026-05-18 07:00 – Updated: 2026-05-18 14:32- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 11.1.5
(semver)
Affected: 0 , ≤ 10.13.11 (semver) Affected: 0 , ≤ 11.3.4 (semver) Unaffected: 11.6.0 Unaffected: 11.5.2 Unaffected: 10.11.14 Unaffected: 11.4.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:32:47.309733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:32:56.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.6.0"
},
{
"status": "unaffected",
"version": "11.5.2"
},
{
"status": "unaffected",
"version": "10.11.14"
},
{
"status": "unaffected",
"version": "11.4.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "eahmed"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Plugins versions \u003c=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T07:00:24.969Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00601",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost Plugins to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00601",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67465"
],
"discovery": "EXTERNAL"
},
"title": "Group prefix matching bypass for subscriptions",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6342",
"datePublished": "2026-05-18T07:00:24.969Z",
"dateReserved": "2026-04-15T10:38:08.317Z",
"dateUpdated": "2026-05-18T14:32:56.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6341 (GCVE-0-2026-6341)
Vulnerability from cvelistv5 – Published: 2026-05-18 07:05 – Updated: 2026-05-18 14:32- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 11.1.5
(semver)
Affected: 0 , ≤ 10.13.11 (semver) Affected: 0 , ≤ 11.3.4 (semver) Unaffected: 11.6.0 Unaffected: 11.5.2 Unaffected: 10.11.14 Unaffected: 11.4.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6341",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:32:03.597675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:32:15.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.6.0"
},
{
"status": "unaffected",
"version": "11.5.2"
},
{
"status": "unaffected",
"version": "10.11.14"
},
{
"status": "unaffected",
"version": "11.4.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "eahmed"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Plugins versions \u003c=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T07:05:03.305Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00602",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost Plugins to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00602",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67477"
],
"discovery": "EXTERNAL"
},
"title": "Incomplete group locking implementation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6341",
"datePublished": "2026-05-18T07:05:03.305Z",
"dateReserved": "2026-04-15T10:36:38.308Z",
"dateUpdated": "2026-05-18T14:32:15.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6290 (GCVE-0-2026-6290)
Vulnerability from cvelistv5 – Published: 2026-04-15 17:29 – Updated: 2026-04-16 03:55| Vendor | Product | Version | |
|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.76.3, 0.75.8
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T03:55:38.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.76.3, 0.75.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Faisal Alhumaid"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user\u0027s current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user\u0027s permissions in the other org are\u003cbr\u003ethe same as the permissions they have in the org containing the notebook."
}
],
"value": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user\u0027s current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user\u0027s permissions in the other org are\nthe same as the permissions they have in the org containing the notebook."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T17:29:04.306Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6290/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Velociraptor Query() Plugin Misapplies Permissions To Orgs",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2026-6290",
"datePublished": "2026-04-15T17:29:04.306Z",
"dateReserved": "2026-04-14T17:31:37.803Z",
"dateUpdated": "2026-04-16T03:55:38.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6277 (GCVE-0-2026-6277)
Vulnerability from cvelistv5 – Published: 2026-06-11 10:20 – Updated: 2026-06-11 12:31- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/work_items… | |
| https://hackerone.com/reports/3662615 | technical-descriptionexploitpermissions-required |
| https://about.gitlab.com/releases/2026/06/10/patc… |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T12:30:20.404806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T12:31:03.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.10.8",
"status": "affected",
"version": "13.9",
"versionType": "semver"
},
{
"lessThan": "18.11.5",
"status": "affected",
"version": "18.11",
"versionType": "semver"
},
{
"lessThan": "19.0.2",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [mateuszek](https://hackerone.com/mateuszek) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T10:20:31.429Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596656"
},
{
"name": "HackerOne Bug Bounty Report #3662615",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/3662615"
},
{
"url": "https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.10.8, 18.11.5, 19.0.2 or above."
}
],
"title": "Incorrect Authorization in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-6277",
"datePublished": "2026-06-11T10:20:31.429Z",
"dateReserved": "2026-04-14T14:05:32.198Z",
"dateUpdated": "2026-06-11T12:31:03.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6269 (GCVE-0-2026-6269)
Vulnerability from cvelistv5 – Published: 2026-06-11 10:20 – Updated: 2026-06-11 12:30- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/work_items… | |
| https://hackerone.com/reports/3661880 | technical-descriptionexploitpermissions-required |
| https://about.gitlab.com/releases/2026/06/10/patc… |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6269",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T12:29:55.738457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T12:30:06.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.10.8",
"status": "affected",
"version": "15.10",
"versionType": "semver"
},
{
"lessThan": "18.11.5",
"status": "affected",
"version": "18.11",
"versionType": "semver"
},
{
"lessThan": "19.0.2",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T10:20:41.430Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596625"
},
{
"name": "HackerOne Bug Bounty Report #3661880",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/3661880"
},
{
"url": "https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.10.8, 18.11.5, 19.0.2 or above."
}
],
"title": "Incorrect Authorization in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-6269",
"datePublished": "2026-06-11T10:20:41.430Z",
"dateReserved": "2026-04-14T11:04:04.629Z",
"dateUpdated": "2026-06-11T12:30:06.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5952 (GCVE-0-2026-5952)
Vulnerability from cvelistv5 – Published: 2026-06-25 04:34 – Updated: 2026-06-25 13:07- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/work_items… | |
| https://hackerone.com/reports/3632428 | technical-descriptionexploitpermissions-required |
| https://docs.gitlab.com/releases/patches/patch-re… |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T13:06:34.162967Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:07:25.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.11.6",
"status": "affected",
"version": "17.11",
"versionType": "semver"
},
{
"lessThan": "19.0.3",
"status": "affected",
"version": "19.0",
"versionType": "semver"
},
{
"lessThan": "19.1.1",
"status": "affected",
"version": "19.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [pkkr](https://hackerone.com/pkkr) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite protected Maven package metadata due to incorrect authorization checks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T04:34:14.043Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596134"
},
{
"name": "HackerOne Bug Bounty Report #3632428",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/3632428"
},
{
"url": "https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above."
}
],
"title": "Incorrect Authorization in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-5952",
"datePublished": "2026-06-25T04:34:14.043Z",
"dateReserved": "2026-04-09T07:04:17.666Z",
"dateUpdated": "2026-06-25T13:07:25.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5796 (GCVE-0-2026-5796)
Vulnerability from cvelistv5 – Published: 2026-06-25 04:34 – Updated: 2026-06-25 13:03- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/work_items… | |
| https://hackerone.com/reports/3646902 | technical-descriptionexploitpermissions-required |
| https://docs.gitlab.com/releases/patches/patch-re… |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T13:02:59.427397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:03:08.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.11.6",
"status": "affected",
"version": "13.6",
"versionType": "semver"
},
{
"lessThan": "19.0.3",
"status": "affected",
"version": "19.0",
"versionType": "semver"
},
{
"lessThan": "19.1.1",
"status": "affected",
"version": "19.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [harshinsecurity](https://hackerone.com/harshinsecurity) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T04:34:24.040Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596035"
},
{
"name": "HackerOne Bug Bounty Report #3646902",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/3646902"
},
{
"url": "https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above."
}
],
"title": "Incorrect Authorization in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-5796",
"datePublished": "2026-06-25T04:34:24.040Z",
"dateReserved": "2026-04-08T13:34:11.540Z",
"dateUpdated": "2026-06-25T13:03:08.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5712 (GCVE-0-2026-5712)
Vulnerability from cvelistv5 – Published: 2026-04-29 17:18 – Updated: 2026-04-30 03:56- CWE-863 - Incorrect Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.5 , < 8.5p2
(custom)
Affected: 8.4 , < 8.4p4 (custom) Affected: 8.3 , < 8.3p5 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T03:56:06.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.5p2",
"status": "affected",
"version": "8.5",
"versionType": "custom"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "custom"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wildwildwes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\n\n\u003cp\u003e\u003cspan\u003e\nThis vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.\n\n\u003c/span\u003e\u003c/p\u003e\n\n\u003c/div\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T17:18:27.748Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-role-editor-incorrect-authorization-vulnerability-cve-2026-5712"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Role Editor Incorrect Authorization Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2026-5712",
"datePublished": "2026-04-29T17:18:27.748Z",
"dateReserved": "2026-04-06T17:12:18.180Z",
"dateUpdated": "2026-04-30T03:56:06.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5574 (GCVE-0-2026-5574)
Vulnerability from cvelistv5 – Published: 2026-04-05 14:45 – Updated: 2026-04-06 16:16| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355344 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/355344/cti | signaturepermissions-required |
| https://vuldb.com/submit/783327 | third-party-advisory |
| https://github.com/shiky8/my--cve-vulnerability-r… | exploit |
| Vendor | Product | Version | |
|---|---|---|---|
| Technostrobe | HI-LED-WR120-G2 |
Affected:
5.5.0.1R6.03.30
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5574",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T16:16:39.703086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:16:52.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"FsBrowseClean"
],
"product": "HI-LED-WR120-G2",
"vendor": "Technostrobe",
"versions": [
{
"status": "affected",
"version": "5.5.0.1R6.03.30"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "shiky8 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Affected is the function deletefile of the component FsBrowseClean. The manipulation of the argument dir/path leads to missing authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.4,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-05T14:45:12.224Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355344 | Technostrobe HI-LED-WR120-G2 FsBrowseClean deletefile authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/355344"
},
{
"name": "VDB-355344 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355344/cti"
},
{
"name": "Submit #783327 | Technostrobe HI-LED-WR120-G2 Obstruction Lighting Controller 5.5.0.1R6.03.30 Improper Access Control for Unauthenticated File Deletion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/783327"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/shiky8/my--cve-vulnerability-research/blob/main/my_VulnDB_cves/CVE-TECHNOSTROBE-06-FileDeletion.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-04T16:46:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "Technostrobe HI-LED-WR120-G2 FsBrowseClean deletefile authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5574",
"datePublished": "2026-04-05T14:45:12.224Z",
"dateReserved": "2026-04-04T14:41:18.833Z",
"dateUpdated": "2026-04-06T16:16:52.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.