CWE-639

Exploit likelihood: High

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,777 vulnerabilities with CWE-639
CVE-2026-35430 HIGH
Azure Privileged Identity Management (PIM) Elevation of Privilege Vulnerability
CVSS 8.8
CVE-2026-39968 HIGH
TypeBot: Cross-Workspace Credential Theft via Bot-Engine Preview Endpoint
CVSS 7.1
CVE-2026-39967 LOW
TypeBot: Cross-Typebot Result Data Access via Missing typebotId Filter
CVSS 3.1
CVE-2026-28444 MEDIUM
Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace Data Disclosure
CVSS 6.5
CVE-2026-9248 LOW
Devolutions Server - Authorization Bypass Through User-Controlled Key
CVSS 2.6
CVE-2026-8347 MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog
CVSS 4.3
CVE-2026-3473 MEDIUM
Improper file ownership validation in the Boards API allows unauthorised file access
CVSS 5.9
CVE-2026-8679 HIGH
AudioIgniter Music Player <= 2.0.2 - Unauthenticated Insecure Direct Object Reference to 'audioigniter_playlist_id' Parameter
CVSS 7.5
CVE-2026-8337 MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running concurrent public surveys and private surveys
CVSS 5.3
CVE-2026-7886 MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter
CVSS 4.3
CVE-2026-7881 MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to IDOR in the Express Entry Detail block
CVSS 4.3
CVE-2026-8204 MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to Authorization Bypass in the Calendar Event Frontend Dialog
CVSS 5.3
CVE-2026-45760 HIGH
Apache Camel K: Camel K Cross-Namespace Build Deputy Attack
CVSS 8.1
CVE-2026-9152 CRITICAL
Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction
CVE-2026-1881 MEDIUM
Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta
CVSS 4.3
CVE-2026-9136 MEDIUM
Unauthorized ShadowAttribute modification in MISP via client-supplied identifier
CVSS 6.5
CVE-2026-9087 MEDIUM
Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login
CVSS 6.4
CVE-2026-47068 LOW
Cross-session PubSub topic injection via URL parameter in phoenix_storybook
CVE-2026-6566 MEDIUM
Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API
CVSS 4.3
CVE-2026-6072 MEDIUM
Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header
CVSS 6.5
CVE-2026-42097 HIGH
Authentication Bypass in Sparx Pro Cloud Server
CVSS 8.8
CVE-2026-4630 MEDIUM
Keycloak: keycloak: unauthorized resource access and data modification via insecure direct object reference
CVSS 6.8
CVE-2026-37978 MEDIUM
Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api
CVSS 4.9
CVE-2026-46721 MEDIUM
Broken Access Control in extension "Frontend User Registration" (sf_register)
CVE-2026-33052 MEDIUM
MantisBT: Authorization Bypass in Global Profile Creation