CWE-639

Exploit likelihood: High

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,777 vulnerabilities with CWE-639
CVE-2026-42278 HIGH
UltraDAG: Smart Account Spending Policy Bypass via Pockets
CVE-2026-42277 MEDIUM
Onyx: IDOR in /chat/file/{file_id} allows any authenticated user to download other users' files
CVSS 6.5
CVE-2026-42276 MEDIUM
Onyx: IDOR in /chat/stop-chat-session allows any authenticated user to interrupt other users' chat sessions
CVSS 4.3
CVE-2026-41906 HIGH
FreeScout: Conversation Change-Customer Cross-Mailbox Authorization Bypass
CVSS 7.1
CVE-2026-27329 MEDIUM
WordPress YITH WooCommerce Wishlist plugin <= 4.12.0 - Insecure Direct Object References (IDOR) vulnerability
CVSS 5.3
CVE-2026-40981 HIGH
Spring Cloud Config Authorization Bypass via Google Secrets Manager
CVSS 7.5
CVE-2026-20219 MEDIUM
Cisco Slido - Insecure Direct Object Reference in REST API
CVSS 5.4
CVE-2026-8027 MEDIUM
FlowiseAI Flowise User Controller authorization
CVSS 4.3
CVE-2026-7573 MEDIUM
GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations
CVSS 5.0
CVE-2026-41950 MEDIUM
Dify < 1.14.0 Authorization Bypass via File UUID
CVSS 6.5
CVE-2026-3454 MEDIUM
GenerateBlocks <= 2.2.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Dynamic Tag Replacements
CVSS 6.5
CVE-2026-2729 MEDIUM
Forminator Forms < 1.52.0 - Unauthenticated Authorization Bypass via Stripe PaymentIntent Reuse
CVSS 5.3
CVE-2026-7782 MEDIUM
CodeCanyon Perfex CRM Tenant Clients.php project authorization
CVSS 6.3
CVE-2026-42227 MEDIUM
n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure
CVSS 6.5
CVE-2026-41471 HIGH
Easy PayPal Events & Tickets 1.3 Information Disclosure via QR Code Endpoint
CVSS 7.5
CVE-2026-29200 CRITICAL
WebPros Comet Backup 20.11.0 to 26.1.1 and 26.2.1 - Insecure Direct Object Reference
CVE-2026-7702 MEDIUM
toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization
CVSS 5.3
CVE-2026-5337 MEDIUM
Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary Download Access via IDOR
CVSS 6.5
CVE-2026-7681 MEDIUM
jsbroks COCO Annotator Dataset API datasets.py authorization
CVSS 6.5
CVE-2026-2554 HIGH
WCFM Frontend Manager for WooCommerce <= 6.7.25 - Insecure Direct Object Reference
CVSS 8.1
CVE-2026-7491 HIGH
Zyosoft|School App - Insecure Direct Object Reference
CVSS 8.1
CVE-2026-7638 MEDIUM
App Builder <= 5.5.10 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification via 'user_id' Parameter
CVSS 5.3
CVE-2026-7510 MEDIUM
OWAP DefectDojo Benchmark/Engagement/Product/Survey authorization
CVSS 6.3
CVE-2026-7502 MEDIUM
LinkStackOrg LinkStack Management Endpoint UserController.php saveLink authorization
CVSS 5.4
CVE-2026-6542 MEDIUM
Monitor API allows cross-user read of transaction logs and deletion of build data via flow_id
CVSS 6.5
Details
Vulnerabilities 1,777
Exploit Likelihood High