CWE-639

High likelihood

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,796 vulnerabilities with CWE-639 (most recent shown):

CVE ID          Severity  CVSS  Title
CVE-2025-45968  CRITICAL  9.8   System PDV - Insecure Direct Object Reference Information Disclosure
CVE-2025-55621  MEDIUM    6.5   Reolink v4.54.0.4.20250526 - Unauthenticated Profile Photo Access via IDOR
CVE-2025-57886  MEDIUM    5.4   Equalize Digital Accessibility Checker <1.30.0 - Auth Bypass
CVE-2025-55370  HIGH      8.8   jshERP 3.5 - Authorization Bypass via ResourceController ID Parameter
CVE-2025-9264   MEDIUM    5.4   Xuxueli xxl-job <3.1.1 - Info Disclosure
CVE-2025-9263   MEDIUM    4.3   Xuxueli xxl-job <3.1.1 - Info Disclosure
CVE-2025-5261   HIGH      7.5   Pik Online < 3.1.5 - Authorization Bypass via User-Controlled Key
CVE-2025-53208  HIGH      7.5   Maya Business <= 1.2.0 - Insecure Direct Object Reference
CVE-2025-55737  MEDIUM    6.5   FlaskBlog < 2.8.0 - Unauthenticated Authorization Bypass via Comment Deletion
CVE-2025-43732  LOW       2.7   Liferay Portal/DXP Insecure Direct Object Reference via GroupId Parameter
CVE-2025-54691  MEDIUM    5.3   Stylemix Motors <1.4.80 - Auth Bypass
CVE-2025-8770   MEDIUM    6.5   GitLab 18.0-18.0.6, 18.1-18.1.4, 18.2-18.2.2 - Merge Request Approval Policy Bypass
CVE-2025-3089   MEDIUM    -     ServiceNow AI Platform - Privilege Escalation
CVE-2025-8794   MEDIUM    5.3   LitmusChaos Litmus < 3.19.0 - Authorization Bypass via projectID Manipulation
CVE-2025-8789   MEDIUM    4.3   Portabilis i-educar < 2.9.0 - Authorization Bypass via /module/Api/Diario Endpoint
CVE-2025-8755   MEDIUM    5.3   macrozheng mall < 1.0.3 - Authorization Bypass via UmsMemberController OrderId Parameter
CVE-2025-4796   HIGH      8.8   Eventin < 4.0.35 - Unauthenticated Privilege Escalation via SpeakerController Email Update
CVE-2025-36023  MEDIUM    6.5   IBM Cloud Pak For Business Automation - IDOR
CVE-2025-51533  MEDIUM    5.3   Sage DPW < 2025_06_000 - Unauthenticated Insecure Direct Object Reference via Crafted GET Request
CVE-2025-46387  HIGH      8.8   Emby/MediaBrowser 4.9.0.35 - Authorization Bypass Through User-Controlled Key
CVE-2025-46386  HIGH      8.8   Emby MediaBrowser 4.9.0.35 - Authorization Bypass Through User-Controlled Key
CVE-2025-51628  HIGH      7.5   Agenzia Impresa Eccobook <v2.81.1 - IDOR
CVE-2025-50340  MEDIUM    4.3   SOGo Webmail <5.6.0 - Privilege Escalation
CVE-2025-5947   CRITICAL  9.8   Service Finder Bookings <6.0 - Privilege Escalation
CVE-2025-50849  HIGH      8.0   CS Cart 4.18.3 - Privilege Escalation