Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-639

CWE-639

High likelihood

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,570 vulnerabilities with CWE-639

CVE-2026-5845 CRITICAL

Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server

CVE-2026-3307 LOW

Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers

CVE-2026-40907 MEDIUM

WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens

CVE-2026-40867 HIGH

Horilla: Unauthorized Helpdesk Attachment Access via Attachment ID Manipulation

CVE-2026-40866 HIGH

Horilla: Unauthorized Document Overwrite via File Upload Endpoint

CVE-2026-40865 HIGH

Horilla: Insecure Direct Object Reference at `/employee/view-file/<int:id>

CVE-2026-5652 CRITICAL

Authorization Bypass Through User-Controlled Key in Crafty Controller

CVE-2026-40591 HIGH

FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification

CVE-2026-40590 MEDIUM

FreeScout's Customer AJAX Create Modifies Hidden Existing Customer

CVE-2026-40589 HIGH

FreeScout has Customer Edit Cross-Mailbox Email Takeover

CVE-2026-40570 MEDIUM

FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII

CVE-2026-39386 HIGH

Neko has Self-service Privilege Escalation for Authenticated Users

CVE-2026-40896 MEDIUM

OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup

CVE-2026-6614 MEDIUM

TransformerOptimus SuperAGI project.py get_projects_organisation authorization

CVE-2026-6613 MEDIUM

TransformerOptimus SuperAGI agent.py get_schedule_data authorization

CVE-2026-6612 MEDIUM

TransformerOptimus SuperAGI Agent Execution Endpoint agent_execution.py update_agent_execution authorization

CVE-2026-6586 MEDIUM

TransformerOptimus SuperAGI Budget Endpoint budget.py update_budget authorization

CVE-2026-6585 MEDIUM

TransformerOptimus SuperAGI Organisation Update Endpoint organisation.py update_organisation authorization

CVE-2026-6584 MEDIUM

TransformerOptimus SuperAGI User Update Endpoint user.py update_user authorization

CVE-2026-6583 MEDIUM

TransformerOptimus SuperAGI API Key Management Endpoint api_key.py edit_api_key authorization

CVE-2026-6571 MEDIUM

kodcloud KodExplorer systemRole.class.php roleGroupAction authorization

CVE-2026-6570 LOW

kodcloud KodExplorer systemMember.class.php initInstall authorization

CVE-2026-40480 HIGH

ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`

CVE-2026-5234 MEDIUM

LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID

CVE-2026-40308 HIGH

My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog

Previous Page 2 of 63 Next

Details

Vulnerabilities 1,570

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy