CWE-639

Exploit likelihood: High

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,779 vulnerabilities with CWE-639
CVE ID           Severity  CVSS  Title
CVE-2025-12063   MEDIUM    5.7   AXIS Camera Station Pro < 6.14.10768 - Authorization Bypass via Insecure Direct Object Reference
CVE-2025-15147   MEDIUM    4.3   WCFM Membership - WooCommerce Memberships <2.11.8 - Insecure Direct...
CVE-2025-69207   MEDIUM    5.4   khoj < 2.0.0-beta.23 - Unauthenticated IDOR via Notion OAuth Callback State Parameter
CVE-2025-36365   MEDIUM    6.8   IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 - Authenticated Authorization Bypass via Cataloged Remote Storage Alias
CVE-2025-7013    MEDIUM    5.7   QR Menu Pro Smart Menu Systems Menu Panel <29012026 - Auth Bypass
CVE-2025-65887   MEDIUM    6.5   OneFlow v0.9.0 - Denial of Service via flow.floor_divide() Division-by-Zero
CVE-2025-9520    MEDIUM    6.8   TP-Link Omada Controllers - Administrator IDOR Owner Account Hijack
CVE-2025-14459   HIGH      8.5   KubeVirt CDI - Privilege Escalation
CVE-2025-47555   LOW       3.8   Themeum Tutor LMS <3.9.4 - Auth Bypass
CVE-2025-65098   HIGH      7.4   typebot < 3.13.2 - Unauthenticated Credential Theft via Malicious Typebot Preview
CVE-2025-10855   HIGH      7.5   Teknoera through 01102025 - Authorization Bypass via User-Controlled Key
CVE-2025-10024   HIGH      7.5   EXERT Computer Technologies Software Ltd. Co. Education Management ...
CVE-2025-15521   CRITICAL  9.8   Academy LMS - WordPress LMS Plugin <3.5.0 - Privilege Escalation
CVE-2025-14844   HIGH      8.2   Membership Plugin - Restrict Content <= 3.2.16 - Unauthenticated Stripe SetupIntent Secret Leak
CVE-2025-15370   MEDIUM    4.3   Shield: Blocks Bots - Insecure Direct Object Reference
CVE-2025-64516   HIGH      7.5   GLPI 10.0.0-10.0.20 - Unauthenticated Document Access via Public FAQ
CVE-2025-68492   MEDIUM    4.2   Chainlit < 2.8.5 - Authorization Bypass via User-Controlled Key
CVE-2025-40805   CRITICAL  10.0  Siemens Industrial Edge Cloud Device and Device Kit - Authentication Bypass
CVE-2025-41077   HIGH      8.1   Viafirma Inbox < 4.5.27 - Authenticated Insecure Direct Object Reference
CVE-2025-69274   HIGH      8.8   Broadcom DX NetOps Spectrum < 24.3.11 - Privilege Escalation via Authorization Bypass
CVE-2025-13457   HIGH      7.5   WooCommerce Square <5.1.1 - Info Disclosure
CVE-2025-4596    MEDIUM    -     Asseco ADMX <6.09.01.62 - Info Disclosure
CVE-2025-67919   MEDIUM    6.5   WofficeIO Woffice Core <5.4.30 - Auth Bypass
CVE-2025-15018   CRITICAL  9.8   WordPress Optional Email <1.3.11 - Privilege Escalation
CVE-2025-14802   MEDIUM    5.4   LearnPress - WordPress LMS Plugin <4.3.2.2 - Info Disclosure
Details
Vulnerabilities: 1,779
Exploit likelihood: High