CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5489 vulnerabilities reference this CWE, most recent first.
GHSA-XWR9-QPH4-CPWG
Vulnerability from github – Published: 2025-08-14 15:30 – Updated: 2025-08-14 15:30A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictable.
{
"affected": [],
"aliases": [
"CVE-2025-7773"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T14:15:35Z",
"severity": "HIGH"
},
"details": "A security issue exists within the 5032 16pt Digital Configurable module\u2019s web server. The web server\u2019s session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictable.",
"id": "GHSA-xwr9-qph4-cpwg",
"modified": "2025-08-14T15:30:45Z",
"published": "2025-08-14T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7773"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1733.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XWW8-GQVH-92X9
Vulnerability from github – Published: 2026-07-02 15:40 – Updated: 2026-07-02 15:40Summary
OpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after approval.
This issue affects the approval display and binding for oversized exec commands. It does not make exec available to unauthenticated users, and it does not change OpenClaw's local-first trust model.
Affected configurations
This affects deployments where exec approval is enabled and an authenticated caller can create a pending host exec request with a command long enough to be truncated in the approval view.
Impact
An approver could make a decision from incomplete command text. If the hidden suffix contained additional shell operations, those operations could run after the approval was resolved.
The practical impact depends on who can request exec approvals and who is allowed to approve them. The issue is an approval integrity problem: the approval surface did not faithfully represent the command that would execute.
Patched Versions
The first stable patched version is 2026.5.18.
Mitigations
Upgrade to openclaw@2026.5.18 or later. Before upgrading, avoid approving unusually long exec commands and keep approval capability limited to trusted operators.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T15:40:36Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nOpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after approval.\n\nThis issue affects the approval display and binding for oversized exec commands. It does not make exec available to unauthenticated users, and it does not change OpenClaw\u0027s local-first trust model.\n\n### Affected configurations\n\nThis affects deployments where exec approval is enabled and an authenticated caller can create a pending host exec request with a command long enough to be truncated in the approval view.\n\n### Impact\n\nAn approver could make a decision from incomplete command text. If the hidden suffix contained additional shell operations, those operations could run after the approval was resolved.\n\nThe practical impact depends on who can request exec approvals and who is allowed to approve them. The issue is an approval integrity problem: the approval surface did not faithfully represent the command that would execute.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.18`.\n\n### Mitigations\n\nUpgrade to `openclaw@2026.5.18` or later. Before upgrading, avoid approving unusually long exec commands and keep approval capability limited to trusted operators.",
"id": "GHSA-xww8-gqvh-92x9",
"modified": "2026-07-02T15:40:37Z",
"published": "2026-07-02T15:40:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xww8-gqvh-92x9"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: Exec approval display truncation could hide the command being approved"
}
GHSA-XX38-QPXM-6J8X
Vulnerability from github – Published: 2022-05-05 02:49 – Updated: 2022-05-05 02:49IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux, Solaris, and HP-UX, when a Local OS registry is used, does not properly validate user accounts, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2013-0543"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-04-24T10:28:00Z",
"severity": "MODERATE"
},
"details": "IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux, Solaris, and HP-UX, when a Local OS registry is used, does not properly validate user accounts, which allows remote attackers to bypass intended access restrictions via unspecified vectors.",
"id": "GHSA-xx38-qpxm-6j8x",
"modified": "2022-05-05T02:49:15Z",
"published": "2022-05-05T02:49:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0543"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82759"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?\u0026uid=swg21632423"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1PM75582"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XX75-RCGC-PC97
Vulnerability from github – Published: 2022-04-08 00:00 – Updated: 2022-04-15 00:00aEnrich a+HRD has inadequate privilege restrictions, an unauthenticated remote attacker can use the API function to upload and execute malicious scripts to control the system or disrupt service.
{
"affected": [],
"aliases": [
"CVE-2022-26676"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-07T19:15:00Z",
"severity": "CRITICAL"
},
"details": "aEnrich a+HRD has inadequate privilege restrictions, an unauthenticated remote attacker can use the API function to upload and execute malicious scripts to control the system or disrupt service.",
"id": "GHSA-xx75-rcgc-pc97",
"modified": "2022-04-15T00:00:59Z",
"published": "2022-04-08T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26676"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-5970-2f405-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX9W-464F-7H6F
Vulnerability from github – Published: 2022-09-16 20:27 – Updated: 2024-11-19 16:25Impact
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. API call:
PUT /robots/{robot_id}
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
Patches
This and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.
Workarounds
There are no workarounds available.
For more information
If you have any questions or comments about this advisory: * Open an issue in the Harbor GitHub repository
Credits
Thanks to Gal Goldstein and Daniel Abeles from Oxeye Security for reporting this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.12"
},
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.10.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31667"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T20:27:13Z",
"nvd_published_at": "2024-11-14T12:15:16Z",
"severity": "MODERATE"
},
"details": "### Impact\nHarbor fails to validate the user permissions when updating a robot account that\nbelongs to a project that the authenticated user doesn\u2019t have access to. API call:\n\nPUT /robots/{robot_id}\n\nBy sending a request that attempts to update a robot account, and specifying a robot\naccount id and robot account name that belongs to a different project that the user\ndoesn\u2019t have access to, it was possible to revoke the robot account permissions.\n\n### Patches\nThis and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.\n\n### Workarounds\nThere are no workarounds available.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)\n\n### Credits\nThanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye Security](https://www.oxeye.io/) for reporting this issue.\n",
"id": "GHSA-xx9w-464f-7h6f",
"modified": "2024-11-19T16:25:22Z",
"published": "2022-09-16T20:27:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31667"
},
{
"type": "PACKAGE",
"url": "https://github.com/goharbor/harbor"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": " Harbor fails to validate the user permissions when updating a robot account"
}
GHSA-XXHF-XQ6V-C8MJ
Vulnerability from github – Published: 2022-06-24 00:00 – Updated: 2022-12-05 22:35Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for \"unprotected\" status badge access.
This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.
Embeddable Build Status Plugin 2.0.4 requires ViewStatus permission to obtain the build status badge icon.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:embeddable-build-status"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-34180"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-05T22:59:57Z",
"nvd_published_at": "2022-06-23T17:15:00Z",
"severity": "MODERATE"
},
"details": "Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for \\\"unprotected\\\" status badge access.\n\nThis allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.\n\nEmbeddable Build Status Plugin 2.0.4 requires ViewStatus permission to obtain the build status badge icon.",
"id": "GHSA-xxhf-xq6v-c8mj",
"modified": "2022-12-05T22:35:57Z",
"published": "2022-06-24T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34180"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/embeddable-build-status-plugin/commit/402148784b3f4b029eaf47cc26ebf6b9bc636183"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/embeddable-build-status-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2794"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper authorization in Jenkins Embeddable Build Status Plugin bypasses ViewStatus permission requirement"
}
GHSA-XXMC-MJXM-2M5R
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:32A CWE-285: Improper Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. Affected Products: EcoStruxure™ Geo SCADA Expert 2019, EcoStruxure™ Geo SCADA Expert 2020, EcoStruxure™ Geo SCADA Expert 2021 (All versions prior to October 2022), ClearSCADA (All Versions).
{
"affected": [],
"aliases": [
"CVE-2023-22610"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-31T17:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-285: Improper Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. Affected Products: EcoStruxure\u2122 Geo SCADA Expert 2019, EcoStruxure\u2122 Geo SCADA Expert 2020, EcoStruxure\u2122 Geo SCADA Expert 2021 (All versions prior to October 2022), ClearSCADA (All Versions).",
"id": "GHSA-xxmc-mjxm-2m5r",
"modified": "2024-04-04T05:32:13Z",
"published": "2023-07-06T19:24:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22610"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-010-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-010-02_Geo_SCADA_Security_Notification.pdf"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2023-010-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XXP7-M5H6-5JWV
Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2024-04-03 23:57Review Board: URL processing gives unauthorized users access to review lists
{
"affected": [],
"aliases": [
"CVE-2013-4411"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-03T15:15:00Z",
"severity": "MODERATE"
},
"details": "Review Board: URL processing gives unauthorized users access to review lists",
"id": "GHSA-xxp7-m5h6-5jwv",
"modified": "2024-04-03T23:57:34Z",
"published": "2022-05-05T00:29:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4411"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2013-4411"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4411"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/88061"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2013-4411"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120619.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119819.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119820.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119830.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119831.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/63023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XXWG-WFJG-VGJP
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
{
"affected": [],
"aliases": [
"CVE-2019-25018"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-02T18:15:00Z",
"severity": "HIGH"
},
"details": "In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.",
"id": "GHSA-xxwg-wfjg-vgjp",
"modified": "2022-05-24T17:40:45Z",
"published": "2022-05-24T17:40:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25018"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1131109"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.