Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,046)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-4101 1Multivendorx 1Multivendorx May 28, 2025 May 17, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all version...Show more The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22.Show less
CVE-2025-47930 1Zulip 1Zulip Aug 27, 2025 May 16, 2025 5.3 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public cha...Show more Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public channel, and then changing the channel privacy to public. A similar technique works for creating private channels without permission, though such a process requires either the API or modifying the HTML, as we do mark the "private" radio button as disabled in such cases. Version 10.3 contains a patch.Show less
CVE-2025-46834 - - May 16, 2025 May 15, 2025 6.6 MEDIUM· v4 N/A· v3 N/A· v2 Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can...Show more Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue.Show less
CVE-2025-2570 1Mattermost 1Mattermost Server Oct 6, 2025 May 15, 2025 N/A· v4 2.7 LOW· v3 N/A· v2 Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when...Show more Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via System Console.Show less
CVE-2025-2527 1Mattermost 1Mattermost Server Aug 22, 2025 May 15, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.
CVE-2025-3446 1Mattermost 1Mattermost Server Sep 29, 2025 May 15, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a t...Show more Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.Show less
CVE-2025-43565 1Adobe 1Coldfusion May 19, 2025 May 13, 2025 N/A· v4 8.4 HIGH· v3 N/A· v2 ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. A high-privileged attacker...Show more ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.Show less
CVE-2025-43564 1Adobe 1Coldfusion Jul 15, 2025 May 13, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged attacker could leverage this vulnerabil...Show more ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction, and scope is changedShow less
CVE-2025-43561 1Adobe 1Coldfusion May 19, 2025 May 13, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attack...Show more ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass authentication mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.Show less
CVE-2025-4646 1Centreon 1Centreon Web Oct 22, 2025 May 13, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
CVE-2025-27696 1Apache 1Superset Sep 29, 2025 May 13, 2025 5.3 MEDIUM· v4 8.8 HIGH· v3 N/A· v2 Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. User...Show more Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.Show less
CVE-2025-31227 1Apple 2Ipados Iphone Os Nov 3, 2025 May 12, 2025 N/A· v4 4.6 MEDIUM· v3 N/A· v2 A logic issue was addressed with improved checks. This issue is fixed in iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to access a deleted call recording.
CVE-2025-30440 1Apple 1Macos Apr 2, 2026 May 12, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. An app may be able to bypass ASLR.
CVE-2025-46744 - - Oct 1, 2025 May 12, 2025 N/A· v4 2.7 LOW· v3 N/A· v2 An authenticated administrator could modify the Created By username for a user account
CVE-2025-29827 1Microsoft 1Azure Automation Jun 5, 2025 May 8, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.
CVE-2025-26842 1Znuny 1Znuny Jun 12, 2025 May 8, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.
CVE-2025-46265 1F5 2F5os A F5os C Oct 21, 2025 May 7, 2025 8.7 HIGH· v4 8.8 HIGH· v3 N/A· v2 On F5OS, an improper authorization vulnerability exists where remotely authenticated users (LDAP, RADIUS, TACACS+) may be authorized with higher privilege F5OS roles. Note: Software versions which have reached End of Tec...Show more On F5OS, an improper authorization vulnerability exists where remotely authenticated users (LDAP, RADIUS, TACACS+) may be authorized with higher privilege F5OS roles. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2025-36546 1F5 2F5os A F5os C Oct 21, 2025 May 7, 2025 9.2 CRITICAL· v4 8.1 HIGH· v3 N/A· v2 On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an...Show more On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2025-3476 - - May 8, 2025 May 7, 2025 9.4 CRITICAL· v4 N/A· v3 N/A· v2 Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allows privilege escalation by authenticated users.This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2,...Show more Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allows privilege escalation by authenticated users.This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2, 24.4.Show less
CVE-2025-3272 - - May 8, 2025 May 7, 2025 6.7 MEDIUM· v4 N/A· v3 N/A· v2 Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allow authenticated users to change their password without providing their old password. This issue affects Operati...Show more Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allow authenticated users to change their password without providing their old password. This issue affects Operations Bridge Manager: 24.2, 24.4.Show less

Previous 1...464748...153 Next