Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-639

CWE-639

High likelihood

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,777 vulnerabilities with CWE-639

CVE-2026-33425 MEDIUM

Discourse has inferable private group membership or existence via exclude_groups parameter

CVE-2026-33053 HIGH

Langflow has Missing Ownership Verification in API Key Deletion (IDOR)

CVE-2026-32114 MEDIUM

Discourse's unscoped status lookups leak restricted metadata

CVE-2026-31869 MEDIUM

Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check

CVE-2026-32761 MEDIUM

File Browser <2.62.0 Public Shares - Download Authorization Bypass

CVE-2026-32697 MEDIUM

SuiteCRM < 8.9.3 - RecordHandler Authorization Bypass

CVE-2026-29189 HIGH

SuiteCRM REST API V8 - Insecure Direct Object Reference

CVE-2026-32039 MEDIUM

OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender

CVE-2026-33304 MEDIUM

OpenEMR has Authorization Bypass in Dated Reminders Log

CVE-2026-25744 MEDIUM

OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals

CVE-2026-32867 MEDIUM

OPEXUS eComplaint unauthenticated file upload

CVE-2026-27397 MEDIUM

WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object References (IDOR) vulnerability

CVE-2026-32638 LOW

StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

CVE-2026-25745 MEDIUM

OpenEMR's Message Update Ignores Patient id

CVE-2026-32694 MEDIUM

Insecure Direct Object Reference attack via predictable secret ID in Juju

CVE-2026-30884 CRITICAL

mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key

CVE-2026-26004 MEDIUM

Sentry allows unauthorized access to event data across organizational boundaries

CVE-2026-24901 HIGH

Outline's IDOR allows unauthorized viewing and seizing of private deleted drafts

CVE-2026-4208 HIGH

Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

CVE-2026-4171 MEDIUM

CodeGenieApp serverless-express API Endpoint TodoList.ts authorization

CVE-2026-3020 HIGH

Identity based authorization bypass vulnerability (IDOR) in the Wakyma application web

CVE-2026-2461 MEDIUM

Missing authorization check allows unauthorized modification of other users' comments on a board

CVE-2026-1947 HIGH

NEX-Forms WordPress Plugin <=9.1.9 - Insecure Direct Object Reference

CVE-2026-1883 MEDIUM

Wicked Folders <4.1.0 - Insecure Direct Object Reference

CVE-2026-3999 HIGH

Pointsharp ID Server < 9.0.0 - Horizontal Privilege Escalation

Previous Page 15 of 72 Next

Details

Vulnerabilities 1,777

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy