Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (4,991)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-44277 1Fortinet 1Fortiauthenticator May 28, 2026 May 12, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unautho...Show more A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unauthorized code or commands via crafted requests.Show less
CVE-2026-42832 1Microsoft 4Excel OfficeOffice Long Term Servicing Channel+1 more May 19, 2026 May 12, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
CVE-2026-42823 1Microsoft 1Azure Logic Apps May 14, 2026 May 12, 2026 N/A· v4 9.9 CRITICAL· v3 N/A· v2 Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
CVE-2026-42177 - - May 13, 2026 May 12, 2026 N/A· v4 5.3 MEDIUM· v3 N/A· v2 linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL +...Show more linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/", i.e. "https://login.microsoftonline.com/". Chrome's urlFilter without a \| or \|\| anchor is substring-matched against the full request URL. The same applied rule action is modifyHeaders that attaches the Entra ID Primary Refresh Token cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: ["https:///"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1.Show less
CVE-2026-41614 1Microsoft 1365 Copilot May 14, 2026 May 12, 2026 N/A· v4 6.2 MEDIUM· v3 N/A· v2 Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
CVE-2026-41102 1Microsoft 1Powerpoint May 16, 2026 May 12, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.
CVE-2026-41101 1Microsoft 1Word May 16, 2026 May 12, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.
CVE-2026-41100 1Microsoft 1365 Copilot May 16, 2026 May 12, 2026 N/A· v4 4.4 MEDIUM· v3 N/A· v2 Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
CVE-2026-41086 1Microsoft 1Windows Admin Center May 15, 2026 May 12, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-40420 1Microsoft 3365 Apps OfficeOffice Long Term Servicing Channel Jun 1, 2026 May 12, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40381 1Microsoft 1Azure Connected Machine Agent May 18, 2026 May 12, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-33834 1Microsoft 14Windows 10 1607 Windows 10 1809Windows 10 21h2+11 more May 14, 2026 May 12, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Event Logging Service allows an authorized attacker to elevate privileges locally.
CVE-2026-32209 1Microsoft 14Windows 10 1607 Windows 10 1809Windows 10 21h2+11 more May 14, 2026 May 12, 2026 N/A· v4 4.4 MEDIUM· v3 N/A· v2 Improper access control in Windows Filtering Platform (WFP) allows an authorized attacker to bypass a security feature locally.
CVE-2025-43524 1Apple 1Macos May 13, 2026 May 12, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.2. An app may be able to break out of its sandbox.
CVE-2026-40300 1Zulip 1Zulip Server May 13, 2026 May 12, 2026 6.0 MEDIUM· v4 6.5 MEDIUM· v3 N/A· v2 Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege us...Show more Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.Show less
CVE-2026-20887 - - May 13, 2026 May 12, 2026 8.8 HIGH· v4 N/A· v3 N/A· v2 Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low com...Show more Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable remote code execution. This result may potentially occur via network access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.Show less
CVE-2026-40020 2Dovecot Open Xchange 2Dovecot Dovecot May 18, 2026 May 12, 2026 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to...Show more Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.Show less
CVE-2026-43652 1Apple 1Macos May 14, 2026 May 11, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data.
CVE-2026-28993 1Apple 4Ipados Iphone OsMacos+1 more May 13, 2026 May 11, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, vision...Show more This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access user-sensitive data.Show less
CVE-2026-28988 1Apple 5Ipados Iphone OsMacos+2 more May 13, 2026 May 11, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, watchOS 26.5. An app may be able to bypass certain Privacy preferences.

Previous 1...678...250 Next