CWE-862(Missing Authorization)描述一种在漏洞数据库与安全评估中使用的弱点类型;定义、背景与映射 CVE 见下方各节。
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
来自 CWE 目录的扩展上下文(由 MITRE XHTML 渲染)。
| 类型 | 名称 | 类 | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | AI/ML | — | Often | — |
| technology | Web Server | — | Often | — |
| technology | Database Server | — | Often | — |
| technology | — | Not Technology-Specific | Undetermined | — |
下列 CVE 在本库中映射到该弱点,并保留以便追溯与检索。
| CVE | 公开时间 | 摘要 |
|---|---|---|
| CVE-2026-15349 | 2026-07-17 | The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin no… |
| CVE-2026-13765 | 2026-07-17 | The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_… |
| CVE-2026-8616 | 2026-07-17 | The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() f… |
| CVE-2026-62235 | 2026-07-16 | Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized… |
| CVE-2026-62233 | 2026-07-16 | grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attack… |
| CVE-2026-62232 | 2026-07-16 | Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOT… |
| CVE-2026-62218 | 2026-07-16 | OpenClaw 2026.1.20 before 2026.5.27 contain an authorization bypass vulnerability in the device.pair.approve feature that allows lower-trust callers to bypass role-management checks. Attackers can per… |
| CVE-2026-62207 | 2026-07-16 | OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability that allows lower-trust callers to reach admin-scoped tools. Attackers can perform actions requiring stronger authoriza… |
| CVE-2026-62206 | 2026-07-16 | OpenClaw versions before 2026.6.9 contain a missing authorization vulnerability in Discord moderation actions. In affected versions, a lower-trust caller or configured input path could perform moderat… |
| CVE-2026-62205 | 2026-07-16 | OpenClaw versions 2026.4.12-beta.1 before 2026.6.6 contain a missing-authorization vulnerability in the MS Teams message actions feature. When the affected feature is enabled and reachable, a lower-tr… |
| CVE-2026-45334 | 2026-07-16 | Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the content-locking feature returned lock information without checking the requesting user's access permissions… |
| CVE-2026-44176 | 2026-07-16 | Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the `pages.access` permission during page draft rendering. Permissions are defined for each user role… |
| CVE-2026-61718 | 2026-07-16 | bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefi… |
| CVE-2026-47089 | 2026-07-16 | An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. LISTRIGHTS os not limited to users with admin access. An authenticated user could call IMAP LISTRIGHTS against any mailbox they cou… |
| CVE-2026-46515 | 2026-07-16 | Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup… |
| CVE-2026-55548 | 2026-07-16 | Yamcs is a mission control framework. Prior to 5.12.8 and 5.13.2, the PacketsApi.exportPackets endpoint in yamcs-core/src/main/java/org/yamcs/http/api/PacketsApi.java failed to enforce object-level Re… |
| CVE-2026-44595 | 2026-07-16 | Yamcs is a mission control framework. Prior to 5.12.7, the IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core did not enforce the required SystemPrivilege.ControlAccess check… |
| CVE-2026-63082 | 2026-07-16 | Perfect Support Ticketing & Document Management System through 1.7 contains a broken access control vulnerability that allows authenticated attackers with Agent-level privileges to manipulate the Supp… |
| CVE-2026-57206 | 2026-07-16 | SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single_app… |
| CVE-2026-57205 | 2026-07-16 | SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.203, the authenticated GET /api/user/info/<user_id> and GET /ap… |
| 日期 | 名称 | 版本 | 重要性 | 评论 |
|---|---|---|---|---|
| 2011-06-27 | CWE Content Team | 2.0 | — | updated Demonstrative_Examples, Related_Attack_Patterns, Relationships |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Potential_Mitigations, References, Relationships |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Demonstrative_Examples, Observed_Examples, References, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-02-18 | CWE Content Team | 2.6 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Detection_Factors |
| 2017-01-19 | CWE Content Team | 2.10 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Modes_of_Introduction, References, Relationships |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated References |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Alternate_Terms, Observed_Examples |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Observed_Examples, Related_Attack_Patterns, Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-06-28 | CWE Content Team | 4.8 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Observed_Examples |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description, Potential_Mitigations |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships, Taxonomy_Mappings |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships, Taxonomy_Mappings |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Applicable_Platforms, Detection_Factors, Observed_Examples, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Applicable_Platforms, Observed_Examples, Relationships |
| 类型 | 名称 | 日期 | 评论 |
|---|---|---|---|
| Content | "Mapping CWE to 62443" Sub-Working Group | 2023-04-25 | Suggested mappings to ISA/IEC 62443. |
| Content | Abhi Balakrishnan | 2024-02-29 | Provided diagram to improve CWE usability |