CWE-862 8612 个 CVE MITRE 定义 ↗

CWE-862:Missing Authorization

概览

CWE-862(Missing Authorization)描述一种在漏洞数据库与安全评估中使用的弱点类型;定义、背景与映射 CVE 见下方各节。

安全影响
安全影响:因产品与场景而异;请结合 CVE 记录、严重度评分与 MITRE 说明进行优先级判断。

描述

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

背景详情

来自 CWE 目录的扩展上下文(由 MITRE XHTML 渲染)。

An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.

适用平台

类型 名称 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology AI/ML Often
technology Web Server Often
technology Database Server Often
technology Not Technology-Specific Undetermined

本库相关 CVE

下列 CVE 在本库中映射到该弱点,并保留以便追溯与检索。

CVE 公开时间 摘要
CVE-2026-15349 2026-07-17 The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin no…
CVE-2026-13765 2026-07-17 The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_…
CVE-2026-8616 2026-07-17 The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() f…
CVE-2026-62235 2026-07-16 Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized…
CVE-2026-62233 2026-07-16 grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attack…
CVE-2026-62232 2026-07-16 Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOT…
CVE-2026-62218 2026-07-16 OpenClaw 2026.1.20 before 2026.5.27 contain an authorization bypass vulnerability in the device.pair.approve feature that allows lower-trust callers to bypass role-management checks. Attackers can per…
CVE-2026-62207 2026-07-16 OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability that allows lower-trust callers to reach admin-scoped tools. Attackers can perform actions requiring stronger authoriza…
CVE-2026-62206 2026-07-16 OpenClaw versions before 2026.6.9 contain a missing authorization vulnerability in Discord moderation actions. In affected versions, a lower-trust caller or configured input path could perform moderat…
CVE-2026-62205 2026-07-16 OpenClaw versions 2026.4.12-beta.1 before 2026.6.6 contain a missing-authorization vulnerability in the MS Teams message actions feature. When the affected feature is enabled and reachable, a lower-tr…
CVE-2026-45334 2026-07-16 Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the content-locking feature returned lock information without checking the requesting user's access permissions…
CVE-2026-44176 2026-07-16 Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the `pages.access` permission during page draft rendering. Permissions are defined for each user role…
CVE-2026-61718 2026-07-16 bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefi…
CVE-2026-47089 2026-07-16 An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. LISTRIGHTS os not limited to users with admin access. An authenticated user could call IMAP LISTRIGHTS against any mailbox they cou…
CVE-2026-46515 2026-07-16 Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup…
CVE-2026-55548 2026-07-16 Yamcs is a mission control framework. Prior to 5.12.8 and 5.13.2, the PacketsApi.exportPackets endpoint in yamcs-core/src/main/java/org/yamcs/http/api/PacketsApi.java failed to enforce object-level Re…
CVE-2026-44595 2026-07-16 Yamcs is a mission control framework. Prior to 5.12.7, the IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core did not enforce the required SystemPrivilege.ControlAccess check…
CVE-2026-63082 2026-07-16 Perfect Support Ticketing & Document Management System through 1.7 contains a broken access control vulnerability that allows authenticated attackers with Agent-level privileges to manipulate the Supp…
CVE-2026-57206 2026-07-16 SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single_app…
CVE-2026-57205 2026-07-16 SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.203, the authenticated GET /api/user/info/<user_id> and GET /ap…

内容提交

名称
CWE Content Team
组织
MITRE
日期
2011-05-24
版本
1.13

内容修订

日期 名称 版本 重要性 评论
2011-06-27 CWE Content Team 2.0 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References, Relationships
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, Observed_Examples, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-02-18 CWE Content Team 2.6 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Detection_Factors
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships
2018-03-27 CWE Content Team 3.1 updated References
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-03-15 CWE Content Team 4.4 updated Alternate_Terms, Observed_Examples
2021-07-20 CWE Content Team 4.5 updated Observed_Examples, Related_Attack_Patterns, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Relationships
2022-10-13 CWE Content Team 4.9 updated Observed_Examples
2023-01-31 CWE Content Team 4.10 updated Description, Potential_Mitigations
2023-04-27 CWE Content Team 4.11 updated References, Relationships, Taxonomy_Mappings
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships, Taxonomy_Mappings
2024-11-19 CWE Content Team 4.16 updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes
2025-09-09 CWE Content Team 4.18 updated Applicable_Platforms, Detection_Factors, Observed_Examples, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Applicable_Platforms, Observed_Examples, Relationships

贡献

类型 名称 日期 评论
Content "Mapping CWE to 62443" Sub-Working Group 2023-04-25 Suggested mappings to ISA/IEC 62443.
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
cvelogic Threat Intelligence