CWE-862

Exploit likelihood: High

Missing Authorization

Parent: CWE-285 - Improper Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
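The pattern behind most of the entries listed below is an endpoint that establishes who the caller is and then acts on whatever object id the request names, never asking whether that caller may act on that object. The following is an added example written for this page (it is not code from any of the projects listed here): a "run a saved chart's query" handler written twice, once with the authorization check missing and once with an explicit, deny-by-default check. The teams, charts, roles and request/response shapes are hypothetical and constructed for illustration.

```javascript
// Added example (not code from any project listed on this page). The same
// "run a saved chart's query" endpoint is written twice: first with the
// authorization check missing (CWE-862), then with an explicit check that the
// caller may act on the object they named. Teams, charts, roles and the
// request/response shapes are hypothetical and constructed for illustration.

// Constructed in-memory data: two teams, each owning one chart.
const CHARTS = {
  1: { id: 1, teamId: 10, query: "SELECT revenue FROM sales WHERE team = 10" },
  2: { id: 2, teamId: 20, query: "SELECT revenue FROM sales WHERE team = 20" },
};
// userId -> { teamId -> role }
const MEMBERSHIPS = {
  alice: { 10: "owner" },
  bob: { 20: "viewer" },
};
const ROLE_RANK = { viewer: 1, editor: 2, owner: 3 };

// Stand-in for the real data source; returns the rows a query would produce.
function executeQuery(sql) {
  return { rows: [{ source: sql }] };
}

// Accept only positive integer ids; anything else resolves to no object.
function parseChartId(params) {
  const id = Number.parseInt(params.chartId, 10);
  return Number.isInteger(id) && id > 0 ? id : null;
}

// VULNERABLE: the handler proves *who* the caller is (401 otherwise) but never
// asks *whether this caller may touch this chart*. Any logged-in user, on any
// team, can run every chart's query by iterating numeric ids.
function runChartQueryVulnerable(req) {
  if (!req.user) return { status: 401, body: "authentication required" };
  const id = parseChartId(req.params);
  const chart = id !== null ? CHARTS[id] : undefined;
  if (!chart) return { status: 404, body: "not found" };
  return { status: 200, body: executeQuery(chart.query) };
}

// Policy: a user may read a chart only through a role on the team that owns
// it; "refresh" (re-running against the live source) additionally needs editor
// or above. Anything not explicitly allowed is denied.
function canAccessChart(user, chart, action) {
  const role = MEMBERSHIPS[user.id]?.[chart.teamId];
  if (!role) return false; // caller is not on the owning team
  if (action === "read") return true;
  if (action === "refresh") return ROLE_RANK[role] >= ROLE_RANK.editor;
  return false; // unknown action: deny
}

// FIXED: resolve the object, then check the caller's relationship to it
// before doing anything with it. Unknown and unauthorized ids both answer
// 404 so the endpoint cannot be used to enumerate which ids exist.
function runChartQueryFixed(req, action = "read") {
  if (!req.user) return { status: 401, body: "authentication required" };
  const id = parseChartId(req.params);
  const chart = id !== null ? CHARTS[id] : undefined;
  if (!chart || !canAccessChart(req.user, chart, action)) {
    return { status: 404, body: "not found" };
  }
  return { status: 200, body: executeQuery(chart.query) };
}

// Demonstration: bob (team 20) asks for team 10's chart.
const bobOnTeam10 = { user: { id: "bob" }, params: { chartId: "1" } };
console.log("vulnerable handler:", runChartQueryVulnerable(bobOnTeam10).status); // 200
console.log("fixed handler:     ", runChartQueryFixed(bobOnTeam10).status);      // 404
```

Two design points worth noting. The check is made against the resolved object (its owning team), not against the caller's role in isolation; a role-only check is exactly what lets a "Manager" or "Subscriber+" user reach objects belonging to someone else. And the fixed handler answers 404 for both unknown and forbidden ids, which is a deliberate choice to keep the endpoint from doubling as an id oracle; where the application needs to distinguish the two cases, 403 is also acceptable as long as the check itself happens before any side effect. In WordPress plugins, where many of the listed entries live, the equivalent check is a current_user_can() test together with a nonce inside the wp_ajax_ handler, with the wp_ajax_nopriv_ hook reserved for actions that genuinely need no login.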

8,143 vulnerabilities with CWE-862
CVE ID          Severity  CVSS  Title
CVE-2026-33420  MEDIUM    5.3   Vaultwarden missing authorization check allows Manager-role users to enumerate all collections
CVE-2026-43573  HIGH      7.7   OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes
CVE-2026-43572  MEDIUM    5.3   OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler
CVE-2026-43568  MEDIUM    6.5   OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint
CVE-2026-43567  MEDIUM    6.5   OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter
CVE-2026-42439  HIGH      8.5   OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes
CVE-2026-42436  HIGH      7.7   OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes
CVE-2026-42433  MEDIUM    6.5   OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools
CVE-2026-3601   MEDIUM    4.3   User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification
CVE-2026-4362   MEDIUM    6.5   ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite
CVE-2026-5294   CRITICAL  9.8   GeekyBot <= 1.2.2 - Unauthenticated Plugin Installation
CVE-2026-42228  MEDIUM    6.5   n8n: Hijacking of Unauthenticated Chat Execution
CVE-2026-42226  HIGH      7.5   n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
CVE-2026-42809  CRITICAL  9.9   Apache Polaris: staged table creation could vend storage credentials for unvalidated locations
CVE-2026-4100   HIGH      7.1   Paid Memberships Pro <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption
CVE-2026-4024   MEDIUM    5.3   Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification
CVE-2026-4650   MEDIUM    5.3   FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification via donate_action_status AJAX Handler
CVE-2026-6963   HIGH      8.8   WP Mail Gateway <= 1.8 - Missing Authorization to Authenticated (Subscriber+) SMTP Configuration Modification via 'wmg_save_provider_config' AJAX Action
CVE-2026-3143   MEDIUM    5.3   Total Upkeep <= 1.17.1 - Missing Authorization to Unauthenticated Rollback Cancellation
CVE-2026-40601  HIGH      7.5   Chartbrew: Missing Authorization in /api/chart/:chart_id/query via team-level refresh toggle
CVE-2026-42522  MEDIUM    4.3   Jenkins GitHub Branch Source Plugin <=1967.vdea_d580c1a_b_a_ - Auth Bypass
CVE-2026-42519  MEDIUM    4.3   Jenkins Script Security Plugin <=1399.ve6a_66547f6e1 - Info Disclosure
CVE-2026-42648  MEDIUM    4.3   WordPress Spectra plugin <= 2.19.22 - Broken Access Control vulnerability
CVE-2026-42642  MEDIUM    5.3   WordPress GiveWP plugin <= 4.14.5 - Broken Access Control vulnerability
CVE-2026-4019   MEDIUM    5.3   Complianz – GDPR/CCPA Cookie Consent <= 7.4.5 - Missing Authorization to Unauthenticated Private Post Content Disclosure via Consent Area REST Endpoint