The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
1,213 vulnerabilities with CWE-285
CVE-2026-34056
HIGH
OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data
CVSS 7.7
CVE-2026-34051
MEDIUM
OpenEMR has Improper ACL On Import/Export Popup
CVSS 5.4
CVE-2026-33222
MEDIUM
NATS JetStream has an authorization bypass through its Management API
CVSS 4.9
CVE-2026-28881
MEDIUM
Apple macOS <26.4 - Info Disclosure
CVSS 5.5
CVE-2026-28865
HIGH
Apple iOS and iPadOS < 18.7.7 - Denial of Service
CVSS 7.5
CVE-2026-28845
MEDIUM
macOS <26.4 - Auth Bypass
CVSS 5.5
CVE-2026-28839
MEDIUM
macOS <14.8.5 - Info Disclosure
CVSS 5.3
CVE-2026-33162
MEDIUM
Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions
CVSS 6.5
CVE-2026-33680
HIGH
Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
CVSS 7.5
CVE-2026-33668
HIGH
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
CVSS 8.1
CVE-2026-4617
HIGH
SourceCodester Patients Waiting Area Queue Management System Patient Check-In api_patient_checkin.php ValidateToken improper authorization
CVSS 7.3
CVE-2026-32300
HIGH
Connect-CMS 1.x-1.41.0/2.x-2.41.0 - Privilege Escalation
CVSS 8.1
CVE-2026-4563
MEDIUM
MacCMS Member Order Detail User.php order_info authorization
CVSS 4.3
CVE-2026-4549
LOW
mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization
CVSS 3.1
CVE-2026-4548
MEDIUM
mickasmt next-saas-stripe-starter update-user-role.ts updateUserrole improper authorization
CVSS 6.3
CVE-2026-2294
MEDIUM
UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
CVSS 4.3
CVE-2026-33186
CRITICAL
gRPC-Go has an authorization bypass via missing leading slash in :path
CVSS 9.1
CVE-2026-31836
HIGH
Mass Assignment Privilege Escalation in Checkmate
CVSS 8.1
CVE-2026-33125
HIGH
Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts
CVSS 7.1
CVE-2026-31869
MEDIUM
Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
CVSS 4.3
CVE-2026-30702
CRITICAL
WiFi Extender WDR201A HW V2.1 FW LFMZX28040922V1.02 - Auth Bypass
CVSS 9.8
CVE-2026-32692
HIGH
Unauthorized update of out-of-scope Vault secrets
CVSS 7.6
CVE-2026-21886
MEDIUM
OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities
CVSS 6.5
CVE-2026-3237
MEDIUM
Octopus Server <2025.3.14731 - Privilege Escalation
CVSS 4.3
CVE-2026-4171
MEDIUM
CodeGenieApp serverless-express API Endpoint TodoList.ts authorization
CVSS 6.3
Details
Vulnerabilities: 1,213
Exploit Likelihood: High