CWE-639: Authorization Bypass Through User-Controlled Key
Parent: CWE-863 - Incorrect Authorization
Exploit likelihood: High

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,777 vulnerabilities with CWE-639

CVE ID          Severity  CVSS  Title
CVE-2026-40737  MEDIUM    5.3   WordPress COMPE plugin <= 1.1.4 - Insecure Direct Object References (IDOR) vulnerability
CVE-2026-5617   HIGH      8.8   Login as User <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via 'oclaup_original_admin' Cookie
CVE-2026-1541   MEDIUM    4.3   Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference
CVE-2026-34602  HIGH      7.1   Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses
CVE-2026-34370  MEDIUM    6.5   Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes
CVE-2026-34213  MEDIUM    5.4   Docmost has cross-page attachment overwrite via flawed attachmentId overwrite validation
CVE-2026-38532  HIGH      8.1   Webkul Krayin CRM 2.2.x - Auth Bypass
CVE-2026-38530  HIGH      8.1   Krayin Laravel CRM 2.2.x - Authenticated Broken Object-Level Authorization in LeadController
CVE-2026-38529  HIGH      8.8   Webkul Krayin CRM 2.2.x - Auth Bypass
CVE-2026-25654  HIGH      8.8   Siemens SINEC NMS <V4.0 SP3 - Auth Bypass
CVE-2026-33740  MEDIUM    5.4   EspoCRM: Email importEml can import and delete another user's attachment by raw fileId
CVE-2026-40043  MEDIUM    6.5   Pachno 1.0.6 Authentication Bypass via runSwitchUser()
CVE-2026-3371   MEDIUM    4.3   Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification
CVE-2026-40252  HIGH      8.1   Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT
CVE-2026-33736  MEDIUM    6.5   Chamilo LMS API Users - Insecure Direct Object Reference
CVE-2026-33703  MEDIUM    6.5   Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users' Personal Data and API Tokens
CVE-2026-33702  HIGH      7.1   Chamilo LMS Learning Path Progress - Insecure Direct Object Reference
CVE-2026-33141  MEDIUM    6.5   Chamilo LMS REST API Stats - Insecure Direct Object Reference
CVE-2026-32930  HIGH      7.1   Chamilo LMS Gradebook Evaluations - Insecure Direct Object Reference
CVE-2026-32894  HIGH      7.1   Chamilo LMS Gradebook Results - Insecure Direct Object Reference
CVE-2026-29002  HIGH      7.2   CouchCMS Privilege Escalation via f_k_levels_list Parameter
CVE-2026-39942  HIGH      8.5   Directus <11.17.0 File Management API - Broken Access Control
CVE-2026-5842   HIGH      7.3   decolua 9router Administrative API Endpoint api authorization
CVE-2026-3568   MEDIUM    4.3   MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update
CVE-2026-2104   MEDIUM    4.3   Authorization Bypass Through User-Controlled Key in GitLab