Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,046)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-30469 1Apple 2Ipados Iphone Os Nov 3, 2025 Mar 31, 2025 N/A· v4 2.4 LOW· v3 N/A· v2 This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4. A person with physical access to an iOS device may be able to access photos from the lock screen.
CVE-2025-24233 1Apple 1Macos Apr 2, 2026 Mar 31, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A malicious app may be able to read or write to protected files.
CVE-2025-24221 1Apple 3Ipados Iphone OsVisionos Apr 2, 2026 Mar 31, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 This issue was addressed with improved data access restriction. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, visionOS 2.4. Sensitive keychain data may be accessible from an iOS backup.
CVE-2025-31673 1Drupal 1Drupal Jun 2, 2025 Mar 31, 2025 N/A· v4 4.6 MEDIUM· v3 N/A· v2 Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11...Show more Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.Show less
CVE-2025-30209 1Enalean 1Tuleap Aug 21, 2025 Mar 31, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker can access release notes content or information via the FRS REST endpoints it should not have access to. This v...Show more Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker can access release notes content or information via the FRS REST endpoints it should not have access to. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742812323 and Tuleap Enterprise Edition 16.5-6 and 16.4-10.Show less
CVE-2025-30155 1Enalean 1Tuleap Aug 21, 2025 Mar 31, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap does not enforce read permissions on parent trackers in the REST API. This vulnerability is fixed in Tuleap Communit...Show more Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap does not enforce read permissions on parent trackers in the REST API. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742392651 and Tuleap Enterprise Edition 16.5-5 and 16.4-8.Show less
CVE-2025-30093 1Wisc 1Htcondor Apr 30, 2025 Mar 27, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 HTCondor 23.0.x before 23.0.22, 23.10.x before 23.10.22, 24.0.x before 24.0.6, and 24.6.x before 24.6.1 allows authenticated attackers to bypass authorization restrictions.
CVE-2025-2242 1Gitlab 1Gitlab Aug 13, 2025 Mar 27, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since bee...Show more An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.Show less
CVE-2024-55965 1Appsmith 1Appsmith Jul 8, 2025 Mar 26, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development information of a workspace (specifically, a list of datasources in a workspace they're a member of). T...Show more An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development information of a workspace (specifically, a list of datasources in a workspace they're a member of). This information disclosure does not expose sensitive data in the datasources, such as database passwords and API Keys.Show less
CVE-2025-30741 - - Mar 27, 2025 Mar 25, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instan...Show more Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance.Show less
CVE-2025-30163 1Cilium 1Cilium Sep 4, 2025 Mar 24, 2025 N/A· v4 4.7 MEDIUM· v3 N/A· v2 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the...Show more Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.Show less
CVE-2025-30162 1Cilium 1Cilium Sep 4, 2025 Mar 24, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use n...Show more Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.Show less
CVE-2025-29927 1Vercel 1Next.js Sep 10, 2025 Mar 21, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js...Show more Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.Show less
CVE-2025-30179 1Mattermost 1Mattermost Server Mar 27, 2025 Mar 21, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team...Show more Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.Show less
CVE-2025-27933 1Mattermost 1Mattermost Server Mar 27, 2025 Mar 21, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also co...Show more Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to publicShow less
CVE-2025-27715 1Mattermost 1Mattermost Server Mar 27, 2025 Mar 21, 2025 N/A· v4 2.7 LOW· v3 N/A· v2 Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consen...Show more Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.Show less
CVE-2025-25274 1Mattermost 1Mattermost Server Mar 27, 2025 Mar 21, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
CVE-2025-24920 1Mattermost 1Mattermost Server Mar 27, 2025 Mar 21, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarke...Show more Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channelsShow less
CVE-2024-44305 1Apple 1Macos Mar 24, 2025 Mar 21, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.6. An app may be able to gain root privileges.
CVE-2025-26853 1Descor 1Infocad Apr 23, 2025 Mar 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema.

Previous 1...495051...153 Next