Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-639

CWE-639

High likelihood

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,777 vulnerabilities with CWE-639

CVE-2026-41949 MEDIUM

Dify v1.14.1 Authorization Bypass via File Preview Endpoint

CVE-2026-41947 CRITICAL

Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints

CVE-2026-8786 MEDIUM

Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization

CVE-2026-45666 MEDIUM

Open WebUI: Indirect Object Reference (IDOR) in user notes

CVE-2026-44570 HIGH

Open WebUI: Inconsistent authorization controls within memories API

CVE-2026-45402 HIGH

Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

CVE-2026-45398 HIGH

Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls

CVE-2026-45386 MEDIUM

Open WebUI: An IDOR vulnerability exists in the pin_channel_message API endpoint

CVE-2026-45385 MEDIUM

Open WebUI: An IDOR vulnerability exists in the update_message_by_id API endpoint

CVE-2026-45671 HIGH

Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion

CVE-2026-45349 HIGH

Open WebUI: Broken Access Control for Completions API

CVE-2026-46408 HIGH

Vvveb: checkout IDOR allows unauthorized reuse of another user's cart

CVE-2026-46407 HIGH

Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tokens

CVE-2026-44718 MEDIUM

Mathesar: Missing collaborator checks allowed access to saved explorations in other databases

CVE-2026-44678 HIGH

Tuist: IDOR in preview deletion API allows cross-tenant deletion of any preview by UUID

CVE-2026-8629 HIGH

Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endpoints

CVE-2026-44544 MEDIUM

gittuf: Policy can be rolled back to prior valid version

CVE-2026-42572 MEDIUM

Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`

CVE-2026-44504 HIGH

Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)

CVE-2026-6008 MEDIUM

IDOR in Im Park's DijiDemi

CVE-2026-5798 HIGH

Unsafe Object Reference (IDOR) vulnerability in Stel Order

CVE-2026-2347 CRITICAL

IDOR in Akıllı Ticaret's E-Commerce Pack

CVE-2026-6206 MEDIUM

MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter

CVE-2026-5395 HIGH

Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter

CVE-2026-6063 MEDIUM

Authorization Bypass Through User-Controlled Key in GitLab

Previous Page 6 of 72 Next

Details

Vulnerabilities 1,777

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy