Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,042)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-9136 1Huawei 2Emui Harmonyos Sep 18, 2025 Sep 27, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Access permission verification vulnerability in the App Multiplier module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-8974 1Gitlab 1Gitlab Oct 4, 2024 Sep 26, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path...Show more Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."Show less
CVE-2024-9155 1Mattermost 1Mattermost Server Sep 29, 2025 Sep 26, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.
CVE-2024-7108 1Nationalkeep 1Cybermath Jun 3, 2026 Sep 26, 2024 8.2 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Authorization vulnerability in National Keep Cyber Security Services CyberMath allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CyberMath: before CYBM.240816253.
CVE-2024-20510 1Cisco 1Ios Xe Oct 3, 2024 Sep 25, 2024 N/A· v4 9.3 CRITICAL· v3 N/A· v2 A vulnerability in the Central Web Authentication (CWA) feature of Cisco IOS XE Software for Wireless Controllers could allow an unauthenticated, adjacent attacker to bypass the pre-authentication access control list (AC...Show more A vulnerability in the Central Web Authentication (CWA) feature of Cisco IOS XE Software for Wireless Controllers could allow an unauthenticated, adjacent attacker to bypass the pre-authentication access control list (ACL), which could allow access to network resources before user authentication. This vulnerability is due to a logic error when activating the pre-authentication ACL that is received from the authentication, authorization, and accounting (AAA) server. An attacker could exploit this vulnerability by connecting to a wireless network that is configured for CWA and sending traffic through an affected device that should be denied by the configured ACL before user authentication. A successful exploit could allow the attacker to bypass configured ACL protections on the affected device before the user authentication is completed, allowing the attacker to access trusted networks that the device might be protecting.Show less
CVE-2024-47078 1Meshtastic 1Meshtastic Firmware Dec 2, 2024 Sep 25, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet conn...Show more Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via bluetooth). Prior to version 2.5.1, multiple weaknesses in the MQTT implementation allow for authentication and authorization bypasses resulting in unauthorized control of MQTT-connected nodes. Version 2.5.1 contains a patch.Show less
CVE-2023-25189 - - Oct 29, 2024 Sep 25, 2024 N/A· v4 3.3 LOW· v3 N/A· v2 BTS is affected by information disclosure vulnerability where mobile network operator personnel connected over BTS Web Element Manager, regardless of the access privileges, having a possibility to read BTS service operat...Show more BTS is affected by information disclosure vulnerability where mobile network operator personnel connected over BTS Web Element Manager, regardless of the access privileges, having a possibility to read BTS service operation details performed by Nokia Care service personnel via SSH.Show less
CVE-2024-6512 1Devolutions 1Devolutions Server Mar 14, 2025 Sep 25, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restric...Show more Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM access request approval mechanism.Show less
CVE-2024-6593 1Watchguard 1Authentication Gateway Oct 1, 2024 Sep 25, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Incorrect Authorization vulnerability in WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows allows an attacker with network access to execute restricted management commands. This issue affects Authen...Show more Incorrect Authorization vulnerability in WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows allows an attacker with network access to execute restricted management commands. This issue affects Authentication Gateway: through 12.10.2.Show less
CVE-2024-6592 1Watchguard 2Authentication Gateway Single Sign On Client Oct 15, 2025 Sep 25, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows...Show more Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows Authentication Bypass.This issue affects the Authentication Gateway: through 12.10.2; Windows Single Sign-On Client: through 12.7; MacOS Single Sign-On Client: through 12.5.4.Show less
CVE-2024-8606 1Checkmk 1Checkmk Sep 30, 2024 Sep 23, 2024 9.2 CRITICAL· v4 8.8 HIGH· v3 N/A· v2 Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass two factor authentication
CVE-2024-9082 1Oretnom23 1Online Eyewear Shop Sep 30, 2025 Sep 22, 2024 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save of the component User Creatio...Show more A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save of the component User Creation Handler. The manipulation of the argument Type with the input 1 leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-47060 1Zitadel 1Zitadel Sep 25, 2024 Sep 20, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can stil...Show more Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore.Show less
CVE-2024-47160 1Jetbrains 1Youtrack Sep 24, 2024 Sep 19, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
CVE-2024-47159 1Jetbrains 1Youtrack Sep 24, 2024 Sep 19, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
CVE-2024-44162 1Apple 1Xcode Nov 4, 2025 Sep 17, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 16. A malicious application may gain access to a user's Keychain items.
CVE-2024-40843 1Apple 1Macos Nov 4, 2025 Sep 17, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An app may be able to modify protected parts of the file system.
CVE-2024-40770 1Apple 1Macos Nov 4, 2025 Sep 17, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. A non-privileged user may be able to modify restricted network settings.
CVE-2024-46918 1Misp 1Misp Mar 13, 2025 Sep 15, 2024 N/A· v4 4.9 MEDIUM· v3 N/A· v2 app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
CVE-2024-2743 1Gitlab 1Gitlab Nov 21, 2024 Sep 12, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variabl...Show more An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.Show less

Previous 1...656667...153 Next