CWE-285: Improper Authorization

Exploit likelihood: High

Parent: CWE-284 - Improper Access Control

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
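
The pattern behind most of the entries below is an endpoint that authenticates the caller and then acts on whatever object id the request names, without asking whether this caller may act on that object with that role. The following is a constructed illustration added for this page, not code from any project listed on it; the Role, Principal and Thread types, the token table and the thread ids are hypothetical sample data. It puts the missing-check handler next to one that resolves the object, checks the role, checks ownership, and denies by default.

```python
"""CWE-285 in miniature: a handler that only authenticates, beside one that
also authorizes.

Constructed example for this page; not code from any listed project. All
names, tokens and ids are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    READER = "reader"
    EDITOR = "editor"
    ADMIN = "admin"


@dataclass
class Principal:
    user_id: str
    role: Role


@dataclass
class Thread:
    thread_id: str
    owner_id: str
    runs: list = field(default_factory=list)


class Unauthenticated(Exception):
    """Caller presented no valid session."""


class Forbidden(Exception):
    """Caller is known but may not perform this action on this object."""


# Constructed sample sessions: alice may edit, bob may only read.
SESSIONS = {
    "tok-alice": Principal("alice", Role.EDITOR),
    "tok-bob": Principal("bob", Role.READER),
}


def sample_threads():
    """Fresh copy of the sample store so each scenario starts clean."""
    return {
        "t1": Thread("t1", owner_id="alice"),
        "t2": Thread("t2", owner_id="bob"),
    }


def authenticate(token):
    """Answers only 'who is calling?'; says nothing about what they may do."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated() from None


def create_run_vulnerable(threads, token, thread_id, payload):
    """Improper authorization: the caller is authenticated, but nothing
    checks that the caller may write to *this* thread. Any logged-in user
    can append a run to any thread id they can guess (cross-user IDOR)."""
    authenticate(token)
    thread = threads[thread_id]
    thread.runs.append(payload)
    return len(thread.runs)


# Actions each role may perform; anything not listed is denied.
ROLE_ACTIONS = {
    Role.READER: {"read"},
    Role.EDITOR: {"read", "write"},
    Role.ADMIN: {"read", "write"},
}


def authorize(principal, threads, thread_id, action):
    """Resolve the object and decide, denying by default.

    Two independent checks: the role permits the action at all, and the
    caller owns the object (admins are exempt from ownership). A missing
    object is refused exactly like a forbidden one, so the response does
    not reveal which ids exist.
    """
    thread = threads.get(thread_id)
    if thread is None:
        raise Forbidden()
    if action not in ROLE_ACTIONS.get(principal.role, set()):
        raise Forbidden()
    if principal.role is not Role.ADMIN and thread.owner_id != principal.user_id:
        raise Forbidden()
    return thread


def create_run_hardened(threads, token, thread_id, payload):
    """The same endpoint with the authorization check in place."""
    principal = authenticate(token)
    thread = authorize(principal, threads, thread_id, "write")
    thread.runs.append(payload)
    return len(thread.runs)


def get_runs(threads, token, thread_id):
    """Read side, going through the same decision function."""
    principal = authenticate(token)
    return list(authorize(principal, threads, thread_id, "read").runs)
```

The decision lives in one function that every handler calls after authentication, which is the check to look for when auditing an endpoint: if a handler reaches the data store with a caller-supplied id and has not passed through something like `authorize`, it belongs in this CWE.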

1,318 vulnerabilities with CWE-285
CVE-2026-45147 MEDIUM
SiYuan: Broken access control in SiYuan `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk
CVSS 4.3
CVE-2026-44504 HIGH
Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)
CVE-2026-34656 MEDIUM
Adobe Commerce | Improper Authorization (CWE-285)
CVSS 4.3
CVE-2026-43515 CRITICAL
Apache Tomcat: Security constraints not correctly applied
CVSS 9.1
CVE-2026-43983 HIGH
Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions
CVSS 8.1
CVE-2026-43912 HIGH
Vaultwarden: Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
CVSS 8.7
CVE-2026-42876 MEDIUM
External Secrets Operator: Privilege escalation with secret overwriting
CVSS 4.9
CVE-2026-42875 MEDIUM
External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore
CVE-2026-42609 HIGH
Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
CVSS 8.1
CVE-2026-8241 MEDIUM
Industrial Application Software IAS Canias ERP RMI iasGetServerInfoEvent improper authorization
CVSS 5.3
CVE-2026-8196 LOW
JeecgBoot mLogin Endpoint LoginController.java authorization
CVSS 3.7
CVE-2026-42202 MEDIUM
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
CVSS 6.5
CVE-2026-33823 CRITICAL
Microsoft Team Events Portal Information Disclosure Vulnerability
CVSS 9.6
CVE-2026-30496 CRITICAL
Optoma CinemaX P2 TVOS-04.24.010.04.01 - Auth Bypass
CVSS 9.8
CVE-2026-30495 HIGH
Optoma CinemaX P2 TVOS-04.24.010.04.01 - Privilege Escalation
CVSS 8.8
CVE-2026-8027 MEDIUM
FlowiseAI Flowise User Controller authorization
CVSS 4.3
CVE-2026-7782 MEDIUM
CodeCanyon Perfex CRM Tenant Clients.php project authorization
CVSS 6.3
CVE-2026-41572 MEDIUM
Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
CVSS 5.3
CVE-2026-7713 MEDIUM
crocodilestick Calibre-Web-Automated Kobo auth-token Route kobo_auth.py generate_auth_token improper authorization
CVSS 6.3
CVE-2026-7709 MEDIUM
janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization
CVSS 6.3
CVE-2026-7702 MEDIUM
toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization
CVSS 5.3
CVE-2026-7681 MEDIUM
jsbroks COCO Annotator Dataset API datasets.py authorization
CVSS 6.5
CVE-2026-7644 HIGH
ChatGPTNextWeb NextChat actions.ts addMcpServer improper authorization
CVSS 7.3
CVE-2026-7631 MEDIUM
code-projects Online Hospital Management System Registration improper authorization
CVSS 5.4
CVE-2026-6449 MEDIUM
Booking for Appointments and Events Calendar – Amelia <= 2.1.2 - Unauthenticated Authorization Bypass via Remote Approval Endpoint
CVSS 5.3