CWE-862 (Missing Authorization) describes a weakness type used in various vulnerability databases and assessments. See the sections below for the definition, background, and mapped CVEs.
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Supplementary description from the CWE catalog (rendered from the MITRE XHTML).
| Type | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | AI/ML | — | Often | — |
| technology | Web Server | — | Often | — |
| technology | Database Server | — | Often | — |
| technology | — | Not Technology-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and are retained for tracking and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-7624 | 2026-06-06 | The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is… |
| CVE-2026-8502 | 2026-06-06 | The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'retur… |
| CVE-2026-9008 | 2026-06-06 | The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / … |
| CVE-2026-8976 | 2026-06-06 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7.… |
| CVE-2026-7523 | 2026-06-05 | The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to per… |
| CVE-2026-5228 | 2026-06-04 | Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mob… |
| CVE-2026-10815 | 2026-06-04 | A vulnerability was found in LakshayD02 Hostel-Management-System-PHP up to f87e67c283bab6f718faf2fec6ae39a13bd7036b. This issue affects some unknown processing of the file hostel/index.php of the comp… |
| CVE-2026-10855 | 2026-06-04 | An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already ex… |
| CVE-2026-4881 | 2026-06-04 | In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receivin… |
| CVE-2026-10737 | 2026-06-04 | The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This… |
| CVE-2026-44281 | 2026-06-03 | GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset … |
| CVE-2026-42320 | 2026-06-03 | GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10… |
| CVE-2026-42318 | 2026-06-03 | GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. … |
| CVE-2026-42317 | 2026-06-03 | GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the w… |
| CVE-2026-31942 | 2026-06-02 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys manag… |
| CVE-2026-10616 | 2026-06-02 | A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the com… |
| CVE-2026-40571 | 2026-06-02 | NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-… |
| CVE-2026-40314 | 2026-06-02 | NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-p… |
| CVE-2026-35443 | 2026-06-02 | NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforc… |
| CVE-2026-49782 | 2026-06-02 | Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from … |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2011-06-27 | CWE Content Team | 2.0 | — | updated Demonstrative_Examples, Related_Attack_Patterns, Relationships |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Potential_Mitigations, References, Relationships |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Demonstrative_Examples, Observed_Examples, References, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-02-18 | CWE Content Team | 2.6 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Detection_Factors |
| 2017-01-19 | CWE Content Team | 2.10 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Modes_of_Introduction, References, Relationships |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated References |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Alternate_Terms, Observed_Examples |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Observed_Examples, Related_Attack_Patterns, Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-06-28 | CWE Content Team | 4.8 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Observed_Examples |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description, Potential_Mitigations |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships, Taxonomy_Mappings |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships, Taxonomy_Mappings |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Applicable_Platforms, Detection_Factors, Observed_Examples, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Applicable_Platforms, Observed_Examples, Relationships |
| Type | Name | Date | Comment |
|---|---|---|---|
| Content | "Mapping CWE to 62443" Sub-Working Group | 2023-04-25 | Suggested mappings to ISA/IEC 62443. |
| Content | Abhi Balakrishnan | 2024-02-29 | Provided diagram to improve CWE usability |