Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-639

CWE-639

High likelihood

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,571 vulnerabilities with CWE-639

CVE-2026-33297 CRITICAL

AVideo has an IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

CVE-2026-4563 MEDIUM

MacCMS Member Order Detail User.php order_info authorization

CVE-2026-4549 LOW

mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization

CVE-2026-33425 MEDIUM

Discourse has inferable private group membership or existence via exclude_groups parameter

CVE-2026-33053 HIGH

Langflow has Missing Ownership Verification in API Key Deletion (IDOR)

CVE-2026-32114 MEDIUM

Discourse's unscoped status lookups leak restricted metadata

CVE-2026-31869 MEDIUM

Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check

CVE-2026-32761 MEDIUM

File Browser has an Authorization Policy Bypass in its Public Share Download Flow

CVE-2026-32697 MEDIUM

SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)

CVE-2026-29189 HIGH

SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints

CVE-2026-32039 MEDIUM

OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender

CVE-2026-33304 MEDIUM

OpenEMR has Authorization Bypass in Dated Reminders Log

CVE-2026-25744 MEDIUM

OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals

CVE-2026-32867 MEDIUM

OPEXUS eComplaint unauthenticated file upload

CVE-2026-27397 MEDIUM

WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object References (IDOR) vulnerability

CVE-2026-32638 LOW

StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

CVE-2026-25745 MEDIUM

OpenEMR's Message Update Ignores Patient id

CVE-2026-32694 MEDIUM

Insecure Direct Object Reference attack via predictable secret ID in Juju

CVE-2026-30884 CRITICAL

mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key

CVE-2026-26004 MEDIUM

Sentry allows unauthorized access to event data across organizational boundaries

CVE-2026-24901 HIGH

Outline's IDOR allows unauthorized viewing and seizing of private deleted drafts

CVE-2026-4208 HIGH

Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

CVE-2026-4171 MEDIUM

CodeGenieApp serverless-express API Endpoint TodoList.ts authorization

CVE-2026-3020 HIGH

Identity based authorization bypass vulnerability (IDOR) in the Wakyma application web

CVE-2026-2461 MEDIUM

Missing authorization check allows unauthorized modification of other users' comments on a board

Previous Page 7 of 63 Next

Details

Vulnerabilities 1,571

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy