CWE-639
Authorization Bypass Through User-Controlled Key
Exploit likelihood: High
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
1,776 vulnerabilities with CWE-639
CVE-2026-48599
HIGH
Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
CVE-2026-52699
HIGH
WordPress VikRentCar plugin <= 1.4.5 - Insecure Direct Object References (IDOR) vulnerability
CVSS 7.5
CVE-2026-48872
HIGH
WordPress EmbedPress plugin <= 4.5.2 - Sensitive Data Exposure vulnerability
CVSS 7.5
CVE-2026-48868
HIGH
WordPress Simple Shopping Cart plugin <= 5.2.9 - Insecure Direct Object References (IDOR) vulnerability
CVSS 7.5
CVE-2026-40792
MEDIUM
WordPress KiviCare plugin <= 4.2.1 - Insecure Direct Object References (IDOR) vulnerability
CVSS 6.3
CVE-2026-39518
HIGH
WordPress EventPrime plugin <= 4.3.0.0 - Insecure Direct Object References (IDOR) vulnerability
CVSS 7.1
CVE-2026-12204
HIGH
ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization
CVSS 7.3
CVE-2026-1291
MEDIUM
Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation
CVSS 4.3
CVE-2026-54361
HIGH
MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records
CVE-2026-54360
HIGH
MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups
CVE-2026-54357
MEDIUM
MISP improper authorization allows organization administrators to modify site administrator user settings
CVE-2026-53726
MEDIUM
Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
CVE-2026-42947
HIGH
Naxclow IoT Platform Authorization bypass through User-Controlled key
CVSS 8.8
CVE-2026-8828
HIGH
ChromaDB - Authorization Bypass Through User-Controlled Key
CVE-2026-45832
HIGH
ChromaDB - Authorization Bypass Through User-Controlled Key
CVE-2026-45830
HIGH
ChromaDB - Authorization Bypass Through User-Controlled Key
CVE-2026-44207
MEDIUM
Frappe: Insecure Direct Object Reference for email accounts
CVE-2026-47238
MEDIUM
ClipBucket: IDOR in videos subtitle editor
CVSS 6.5
CVE-2026-47189
HIGH
Quest Bot: AutoMod removal can delete rules from another guild by global rule ID
CVE-2026-7787
HIGH
IBM Langflow OSS - Unauthenticated Session History Access via Public Flow Execution
CVSS 7.5
CVE-2026-8406
HIGH
openSIS Classic 9.3 - Insecure Direct Object Reference in Sent Mail
CVE-2026-6976
LOW
Authorization Bypass Through User-Controlled Key in GitLab
CVSS 3.7
CVE-2026-6552
HIGH
Authorization Bypass Through User-Controlled Key in GitLab
CVSS 8.7
CVE-2026-53911
MEDIUM
Cerebrate < 1.37 - Authenticated Mass Assignment Record Overwrite
CVE-2026-44692
HIGH
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint
CVSS 7.7
Details: Vulnerabilities: 1,776; Exploit Likelihood: High