CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

5,075 vulnerabilities with CWE-284
CVE-2026-47261 HIGH
Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction
CVSS 7.5
CVE-2026-5230 HIGH
Improper Access Control in Mia Technologies' Pizzy Library
CVSS 7.1
CVE-2026-12212 MEDIUM
hcengineering Huly Platform RPC operations.ts getMailboxSecret access control
CVSS 4.3
CVE-2026-12203 MEDIUM
HKUDS AI-Trader Research Export agents.csv information disclosure
CVSS 5.3
CVE-2026-53520 MEDIUM
Nezha Monitoring - Authenticated Dashboard Host Takeover
CVSS 6.5
CVE-2026-44783 MEDIUM
Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts
CVSS 5.4
CVE-2026-47182 MEDIUM
Frappe: Broken Access Control on Private Files
CVE-2026-44976 MEDIUM
Frappe: IDOR in update_onboarding_step
CVE-2026-44208 MEDIUM
Frappe: IDOR in `submit_discussion()`
CVE-2026-47200 MEDIUM
Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
CVSS 5.3
CVE-2026-48610 HIGH
Ubiquiti INC Udm - Improper Access Control
CVSS 8.1
CVE-2026-47366 HIGH
phpBB < 3.3.16 - Improper Access Control
CVSS 7.2
CVE-2026-44249 HIGH
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
CVSS 8.1
CVE-2026-45178 HIGH
Idira Secrets Manager Self-Hosted: Improper Access Control in Internal Cluster Endpoints
CVE-2026-45177 CRITICAL
Idira Secrets Manager SaaS Edge: Authentication Bypass of an internal validation mechanism
CVE-2026-41856 HIGH
Spring GraphQL Annotation Detection Vulnerability
CVSS 7.5
CVE-2026-46695 CRITICAL
BoxLite: Permission Bypass in boxlite Allows Modification of Read-Only Files
CVSS 10.0
CVE-2026-50564 CRITICAL
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
CVSS 9.9
CVE-2026-50563 CRITICAL
Fission Container Executor Function PodSpec Injection Leading to Node Escape
CVSS 9.9
CVE-2026-50545 CRITICAL
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover
CVSS 9.9
CVE-2026-49824 HIGH
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
CVSS 8.5
CVE-2026-49823 HIGH
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
CVSS 7.7
CVE-2026-49822 HIGH
Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
CVSS 7.7
CVE-2026-46614 CRITICAL
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
CVSS 9.8
CVE-2026-20259 MEDIUM
Improper Access Control in Splunk Enterprise
CVSS 5.5