CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
5,080 vulnerabilities with CWE-284
CVE-2026-22564
CRITICAL
UniFi Play PowerAmp <1.0.38 - Auth Bypass
CVSS 9.8
CVE-2026-6201
MEDIUM
CodeAstro Online Job Portal Delete Job Posting job-delete.php access control
CVSS 5.4
CVE-2026-31282
CRITICAL
Totara LMS <=v19.1.5 - Incorrect Access Control
CVSS 9.8
CVE-2026-34860
MEDIUM
Huawei HarmonyOS <6.0.0 - Auth Bypass
CVSS 4.1
CVE-2026-40252
HIGH
Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT
CVSS 8.1
CVE-2026-23782
HIGH
BMC Control-M/MFT 9.0.20-9.0.22 - Info Disclosure
CVSS 7.5
CVE-2026-6000
MEDIUM
code-projects Online Library Management System SQL Database Backup File library.sql information disclosure
CVSS 4.3
CVE-2026-39942
HIGH
Directus <11.17.0 File Management API - Broken Access Control
CVSS 8.5
CVE-2026-5960
MEDIUM
code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure
CVSS 4.3
CVE-2026-5847
MEDIUM
code-projects Movie Ticketing System SQL Database Backup File moviedb.sql information disclosure
CVSS 4.3
CVE-2026-5881
MEDIUM
Google Chrome <147.0.7727.55 - Policy Bypass
CVSS 6.5
CVE-2026-5863
HIGH
Google Chrome < 147.0.7727.55 - Remote Code Execution via V8 Inappropriate Implementation
CVSS 8.8
CVE-2026-34723
HIGH
Zammad has incorrect access control in getting_started_controller
CVSS 7.5
CVE-2026-34248
MEDIUM
Zammad <7.0.1 Shared Organizations - Ticket Field Disclosure
CVSS 5.7
CVE-2026-35533
HIGH
mise 2026.2.18-2026.4.5 Local Settings - Config Trust Bypass
CVSS 7.7
CVE-2026-34045
HIGH
Podman Desktop WebView Server Exposed
CVSS 8.2
CVE-2026-39364
HIGH
Vite Dev Server server.fs.deny - File Access Bypass
CVSS 7.5
CVE-2026-39346
MEDIUM
OrangeHRM has Improper Access Control Allowing Access to Disabled Modules via URL Encoding
CVSS 5.4
CVE-2026-39339
CRITICAL
ChurchCRM <7.1.0 API Middleware - Authentication Bypass
CVSS 9.1
CVE-2026-31272
CRITICAL
MRCMS 3.1.2 - Unauthenticated Privilege Escalation via UserController save() Method
CVSS 9.8
CVE-2026-1079
MEDIUM
Pega Browser Extension < 3.1.45 - Native Messaging Host Access Control Issue
CVE-2026-1078
HIGH
Pega Robot Studio 22.1 and R25 - Arbitrary File Write
CVE-2026-1114
CRITICAL
Improper Access Control via Weak JWT Token in parisneo/lollms
CVSS 9.8
CVE-2026-35185
HIGH
HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses
CVSS 7.5
CVE-2026-35172
HIGH
Distribution has stale blob access resurrection via repo-scoped redis descriptor cache invalidation
CVSS 7.5