Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-639

CWE-639

High likelihood

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,570 vulnerabilities with CWE-639

CVE-2026-7510 MEDIUM

OWAP DefectDojo Benchmark/Engagement/Product/Survey authorization

CVE-2026-6542 MEDIUM

Monitor API allows cross-user read of transaction logs and deletion of build data via flow_id

CVE-2026-7502 MEDIUM

LinkStackOrg LinkStack Management Endpoint UserController.php saveLink authorization

CVE-2026-4503 HIGH

Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint

CVE-2026-40600 HIGH

Chartbrew: Incorrect Access Control in project share policy routes via unbound policy_id

CVE-2026-7399 HIGH

IDOR in MeWare Software's PDKS

CVE-2026-42517 HIGH

Cryptographic Failure Vulnerability in e-Sushrut HMIS

CVE-2026-42516 HIGH

Broken Access Control Vulnerability in e-Sushrut HMIS

CVE-2026-42515 HIGH

Insecure Direct Object Reference (IDOR) Vulnerability in e-Sushrut HMIS

CVE-2026-41649 HIGH

Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces

CVE-2026-41406 MEDIUM

OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages

CVE-2026-24178 CRITICAL

Nvidia Flare SDK - Authorization Bypass

CVE-2026-41372 MEDIUM

OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery

CVE-2026-28747 HIGH

Milesight Cameras Authorization Bypass Through User-Controlled Key

CVE-2026-7145 MEDIUM

mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization

CVE-2026-7144 MEDIUM

1000 Projects Portfolio Management System MCA update_passwd_process.php authorization

CVE-2026-6810 MEDIUM

Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover

CVE-2026-2028 MEDIUM

Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter

CVE-2026-31956 MEDIUM

Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization

CVE-2026-6375 HIGH

Authorization bypass through User-Controlled key in SpiceJet Online Booking System

CVE-2026-41279 HIGH

Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials

CVE-2026-41277 HIGH

Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)

CVE-2026-41267 HIGH

Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association

CVE-2026-5750 HIGH

Insecure direct object reference (IDOR) vulnerability in Fullstep

CVE-2026-41127 MEDIUM

BigBlueButton's missing authorization allows viewer to inject/overwrite captions

Page 1 of 63 Next

Details

Vulnerabilities 1,570

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy