The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
3,040 vulnerabilities with CWE-863
CVE ID          Severity  CVSS  Title
CVE-2026-47238  MEDIUM    6.5   ClipBucket: IDOR in videos subtitle editor
CVE-2026-53809  LOW       3.8   OpenClaw < 2026.4.25 - Provider Alias Confusion in Embedded Runner Policy
CVE-2026-53808  MEDIUM    6.5   OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow
CVE-2026-53807  HIGH      8.8   OpenClaw < 2026.5.6 - Authorization Bypass in Telegram Interactive Callbacks via commands.allowFrom
CVE-2026-46519  HIGH      8.8   mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement
CVE-2026-6277   MEDIUM    4.3   Incorrect Authorization in GitLab
CVE-2026-6269   MEDIUM    5.4   Incorrect Authorization in GitLab
CVE-2026-3553   LOW       3.1   Incorrect Authorization in GitLab
CVE-2026-49219  MEDIUM    5.5   ImageMagick: Policy Bypass can read disallowed files
CVE-2026-53738  HIGH      8.1   Copy & Delete Posts through 1.5.4 Privilege Escalation via cdp_action_handling Handler
CVE-2026-49824  HIGH      8.5   Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
CVE-2026-49823  HIGH      7.7   Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
CVE-2026-48860  MEDIUM    6.5   Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist
CVE-2026-45563  MEDIUM    4.3   Roxy-WI: IDOR — any authenticated user can read another user's full action history
CVE-2026-45552  CRITICAL  9.9   Roxy-WI <= 8.2.6.4 - Cross-Tenant Install Authorization Bypass
CVE-2026-45550  CRITICAL  9.1   Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/body
CVE-2026-45549  HIGH      8.5   Roxy-WI <= 8.2.6.4 - smon-agent Action Authorization Bypass
CVE-2026-24724  HIGH      8.1   QNAP File Station 5 < 5.5.6.5243 - Incorrect Authorization
CVE-2026-48303  CRITICAL  10.0  Adobe Campaign Classic (ACC) | Incorrect Authorization (CWE-863)
CVE-2026-47929  HIGH      8.4   ColdFusion | Incorrect Authorization (CWE-863)
CVE-2026-47910  MEDIUM    6.3   Dreamweaver Desktop | Incorrect Authorization (CWE-863)
CVE-2026-41852  LOW       3.7   Spring Framework Arbitrary Method Invocation in SpEL Expressions
CVE-2026-48507  HIGH      7.1   Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
CVE-2026-7765   MEDIUM    5.3   User Messages widget leaked issuer messages on shared dashboards
CVE-2026-11577  HIGH      7.2   Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass
Details
Vulnerabilities: 3,040
Exploit Likelihood: High