CWE-639 1966 件の CVE MITRE の定義 ↗

CWE-639: Authorization Bypass Through User-Controlled Key

概要

CWE-639(Authorization Bypass Through User-Controlled Key)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。

セキュリティへの影響
セキュリティ影響:製品や文脈に依存します。CVE 記録、深刻度、MITRE の説明を参照して優先度を判断してください。

説明

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

適用プラットフォーム

種別 名称 クラス 普遍性 OS / CPE
language Not Language-Specific Undetermined

このデータベースの関連 CVE

これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。

CVE 公開 概要
CVE-2026-58410 2026-07-13 ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other…
CVE-2026-6541 2026-07-13 Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team acce…
CVE-2026-61971 2026-07-13 Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This …
CVE-2026-57694 2026-07-13 Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a…
CVE-2026-9708 2026-07-13 Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester w…
CVE-2026-10103 2026-07-13 Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to mo…
CVE-2026-14165 2026-07-13 An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization…
CVE-2026-15516 2026-07-12 A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulat…
CVE-2026-10041 2026-07-11 The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to miss…
CVE-2026-13116 2026-07-11 The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode…
CVE-2026-55881 2026-07-10 OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session …
CVE-2026-55880 2026-07-10 OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit func…
CVE-2026-55515 2026-07-10 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptance…
CVE-2026-6212 2026-07-10 Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14 through 30.04.2026.…
CVE-2026-61460 2026-07-10 Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows aut…
CVE-2026-55516 2026-07-10 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then fills attacker-…
CVE-2026-55478 2026-07-10 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/{kit_id}/licenses checks whether the caller can edit kits but does not authorize access to the referenced license o…
CVE-2026-55670 2026-07-10 ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user rec…
CVE-2026-59190 2026-07-10 grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change …
CVE-2026-2398 2026-07-10 Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows Privilege Escalation. This issue affects MobilMen 20T: from v3 through 10072026. NOTE…

旧名称

  • Access Control Bypass Through User-Controlled Key (2011-03-29)

コンテンツ投稿

名称
Evgeny Lebanidze
組織
Cigital
日付
2008-01-30
バージョン
Draft 8

コンテンツの変更履歴

日付 名称 バージョン 重要度 コメント
2008-09-08 CWE Content Team 1.0 updated Common_Consequences, Relationships, Type
2008-10-14 CWE Content Team 1.0.1 updated Description
2009-03-10 CWE Content Team 1.3 updated Relationships
2009-05-27 CWE Content Team 1.4 updated Relationships
2009-10-29 CWE Content Team 1.6 updated Common_Consequences
2010-06-21 CWE Content Team 1.9 updated Relationships
2011-03-29 CWE Content Team 1.12 updated Alternate_Terms, Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships
2012-05-11 CWE Content Team 2.2 updated Relationships
2013-02-21 CWE Content Team 2.4 updated Alternate_Terms, Common_Consequences
2013-07-17 CWE Content Team 2.5 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships
2018-03-27 CWE Content Team 3.1 updated Relationships
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-06-25 CWE Content Team 4.1 updated Alternate_Terms
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-03-15 CWE Content Team 4.4 updated Alternate_Terms
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2023-10-26 CWE Content Team 4.13 updated Observed_Examples
2024-02-29 CWE Content Team 4.14 updated Demonstrative_Examples
2025-12-11 CWE Content Team 4.19 updated References, Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Alternate_Terms, Maintenance_Notes, References

貢献

タイプ 名称 日付 コメント
Feedback Mateus Godinho Pantoja 2024-08-09 Suggested corrections to use of IDOR versus BOLA
cvelogic Threat Intelligence