CWE-862: Missing Authorization

Exploit likelihood: High

Parent: CWE-285 - Improper Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

7,700 vulnerabilities with CWE-862
CVE-2026-40349 HIGH
Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true
CVSS 8.8
CVE-2026-40474 HIGH
wger has Broken Access Control in the Global Gym Configuration Update Endpoint
CVSS 7.6
CVE-2026-35061 MEDIUM
Anviz Products Missing Authorization
CVSS 5.3
CVE-2026-33093 MEDIUM
Anviz Products Missing Authorization
CVSS 5.3
CVE-2026-32648 MEDIUM
Anviz Products Missing Authorization
CVSS 5.3
CVE-2026-6441 MEDIUM
Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
CVSS 4.3
CVE-2026-5502 MEDIUM
Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order
CVSS 5.3
CVE-2026-5427 MEDIUM
Kubio AI Page Builder <= 2.7.2 - Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes
CVSS 5.3
CVE-2026-4666 MEDIUM
wpForo Forum <= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter
CVSS 6.5
CVE-2026-3488 MEDIUM
WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation
CVSS 6.5
CVE-2026-40265 MEDIUM
Note Mark has Broken Access Control on Asset Download
CVSS 5.9
CVE-2026-3155 LOW
OneSignal – Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id'
CVSS 3.1
CVE-2026-0718 MEDIUM
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification
CVSS 5.3
CVE-2026-3614 HIGH
AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
CVSS 8.8
CVE-2026-3596 CRITICAL
Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action
CVSS 9.8
CVE-2026-3595 MEDIUM
Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter
CVSS 5.3
CVE-2026-3581 MEDIUM
Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update
CVSS 5.3
CVE-2026-40502 HIGH
OpenHarness Remote Administrative Command Injection via Gateway Handler
CVSS 8.8
CVE-2026-4949 MEDIUM
ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription
CVSS 4.3
CVE-2026-33214 MEDIUM
Weblate has improper access control for the translation memory API
CVSS 4.3
CVE-2026-6372 HIGH
WordPress Accept Cryptocurrencies with Plisio plugin <= 2.0.5 - Payment Bypass vulnerability
CVSS 7.5
CVE-2026-5387 CRITICAL
AVEVA Pipeline Simulation Missing Authorization
CVE-2026-40786 MEDIUM
WordPress MyRewards plugin <= 5.7.3 - Broken Access Control vulnerability
CVSS 4.3
CVE-2026-40778 MEDIUM
WordPress Majestic Support plugin <= 1.1.2 - Broken Access Control vulnerability
CVSS 5.3
CVE-2026-40763 MEDIUM
WordPress Royal Elementor Addons plugin <= 1.7.1056 - Broken Access Control vulnerability
CVSS 5.3