CWE-862

Exploit likelihood: High

Missing Authorization

Parent: CWE-285 - Improper Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

8,133 vulnerabilities with CWE-862
CVE-2026-44848 (HIGH, CVSS 8.8): Portainer Docker Plugin Endpoints - Missing Authorization
CVE-2026-42071 (HIGH): MantisBT: Private Bugnote Attachment Content Leak via REST API
CVE-2026-44794 (MEDIUM, CVSS 5.4): Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference
CVE-2026-41160 (MEDIUM, CVSS 4.3): EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes
CVE-2026-9015 (MEDIUM, CVSS 4.3): Equalize Digital Accessibility Checker < 1.42.0 - Authorization Bypass
CVE-2026-8689 (MEDIUM, CVSS 4.3): WordPress Visualizer <= 3.11.14 - Missing Authorization for Chart Actions
CVE-2026-6937 (MEDIUM, CVSS 5.3): Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint
CVE-2026-8682 (MEDIUM, CVSS 4.3): 3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint
CVE-2026-7621 (MEDIUM, CVSS 4.3): SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate
CVE-2026-7552 (MEDIUM, CVSS 5.3): Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure via 'geo_mashup_content' Parameter
CVE-2026-7802 (HIGH, CVSS 8.8): Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter
CVE-2026-4888 (MEDIUM, CVSS 4.3): Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder <= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending
CVE-2026-46414 (HIGH, CVSS 8.8): Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking
CVE-2026-5296 (MEDIUM, CVSS 4.3): Missing Authorization in GitLab
CVE-2026-2601 (MEDIUM, CVSS 4.3): Missing Authorization in GitLab
CVE-2026-48151 (HIGH, CVSS 7.5): Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
CVE-2026-46425 (CRITICAL, CVSS 9.9): Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users
CVE-2026-45717 (HIGH, CVSS 8.8): Budibase < 3.38.1 - SSRF
CVE-2026-49054 (MEDIUM, CVSS 4.3): WordPress The Post Grid plugin <= 7.9.2 - Broken Access Control vulnerability
CVE-2026-44329 (CRITICAL, CVSS 10.0): free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
CVE-2026-44328 (HIGH, CVSS 8.2): free5GC: SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
CVE-2026-44327 (CRITICAL, CVSS 10.0): free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler
CVE-2026-44326 (CRITICAL, CVSS 9.4): free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions
CVE-2026-44321 (HIGH, CVSS 7.5): free5GC: SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)
CVE-2026-44320 (HIGH, CVSS 7.3): free5GC: NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path