CWE-285: Improper Authorization

Exploit likelihood: High

Parent: CWE-284 - Improper Access Control

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

1,318 vulnerabilities with CWE-285 (one entry per line: CVE ID | severity | CVSS | title):

CVE-2026-10154 | MEDIUM | CVSS 4.3 | Dolibarr ERP CRM messaging.php authorization
CVE-2026-48810 | MEDIUM | CVSS 4.3 | FreeScout: Thread Edit Authorization Bypass via Missing Mailbox Check
CVE-2026-47744 | CRITICAL | CVSS 9.9 | Shopper: Authorization bypass and RBAC privilege escalation in team settings
CVE-2026-47740 | HIGH | CVSS 8.1 | Shopper: Authorization bypass in multiple Livewire admin components
CVE-2026-10070 | MEDIUM | CVSS 4.7 | macrozheng mall Super Admin Password update improper authorization
CVE-2026-45620 | MEDIUM | CVSS 5.3 | AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration
CVE-2026-47713 | LOW | CVSS 2.0 | AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration
CVE-2026-45297 | MEDIUM | CVSS not listed | Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch
CVE-2026-47673 | MEDIUM | CVSS 4.8 | Hono: JWT middleware accepts any Authorization scheme, not only Bearer
CVE-2026-6938 | MEDIUM | CVSS 6.5 | IBM® Db2® is vulnerable to authorization bypass when uploading to a remote object storage path with a special query
CVE-2026-46620 | MEDIUM | CVSS 6.5 | e107: CSRF in comment.php moderation endpoints via token-optional validation in session_handler::check()
CVE-2026-9484 | MEDIUM | CVSS 6.3 | SourceCodester Student Grades Management System classroom.php removeStudentFromClassroom improper authorization
CVE-2026-9483 | MEDIUM | CVSS 6.3 | SourceCodester Student Grades Management System grades.php improper authorization
CVE-2026-9410 | MEDIUM | CVSS 4.3 | Sushmi-pal Invoice-System Profile Workflow profile improper authorization
CVE-2026-9409 | MEDIUM | CVSS 4.3 | Sushmi-pal Invoice-System User Management user improper authorization
CVE-2026-9397 | HIGH | CVSS 8.1 | Besen BS20 EV Charging Station OTA Update Installation improper authorization
CVE-2026-9376 | MEDIUM | CVSS 6.3 | JPress UCenter Article Submission Endpoint doWriteSave improper authorization
CVE-2026-9306 | LOW | CVSS 3.7 | QuantumNous new-api Midjourney Image Relay Endpoint relay-router.go GetByOnlyMJId authorization
CVE-2026-45187 | MEDIUM | CVSS 6.5 | Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs
CVE-2026-8786 | MEDIUM | CVSS 6.3 | Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization
CVE-2026-8747 | MEDIUM | CVSS 6.3 | Z-BlogPHP Commend Approval c_system_event.php CheckComment improper authorization
CVE-2026-8743 | MEDIUM | CVSS 6.3 | Open5GS AMF/MME context.c ran_ue_find_by_amf_ue_ngap_id improper authorization
CVE-2026-45365 | MEDIUM | CVSS 5.4 | Open WebUI: Authenticated users can bypass model access control via exposed query parameter
CVE-2026-45345 | MEDIUM | CVSS 6.5 | Open WebUI: Missing authorization check at the model update function - models from other users can be updated
CVE-2026-45371 | HIGH | CVSS not listed | SiYuan: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs