CVE Database - Missing Authorization

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability.

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2's cryptographically random 24-character IDs (making brute-force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user's previous answers, session variable values, and hasStarted flag, potentially exposing PII like names, emails, and phone numbers. This issue has been fixed in version 3.16.0.

Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you to upgrade to kiro-cli version 1.28.0 or later.

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthenticated users to achieve Server-Side Request Forgery (SSRF) by supplying a custom typebot definition with server-side code blocks. The fetch function exposed inside the isolated-vm sandbox calls Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects the HTTP Request block. This bypasses all SSRF mitigations added after GHSA-8gq9-rw7v-3jpr. Exploitation of this unauthenticated SSRF vulnerability can lead to cloud credential theft, internal network access and data exfiltration for any self-hosted Typebot deployments and hosted services. This issue has been fixed in version 3.16.0.

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys — including drafts, pending, scheduled, and disabled entries — by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted.

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form — adding, removing, or altering fields — by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access.

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.

A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources intended only for higher‑privileged roles. An attacker with low‑privileged credentials may exploit this to gain unauthorized access to administrative or sensitive functionality.

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook.

There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure.

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.

In Concrete CMS 9.5.0 and below,  the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded and any user who knows a file's password can download a password protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N.  Thanks Youssef Eid for reporting

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.

Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.10.

Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 WOW Styler: from n/a through 1.7.6.

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data.

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.

Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11.

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9.

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_content_editor function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to create published Xpro templates.

The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's site-wide font settings, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme, by submitting a POST request to any wp-admin page. For fontThemeUseType values 1 and 3, no nonce verification is performed either, meaning those branches are additionally exploitable via cross-site request forgery.

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators only. The affected admin controllers define datatable() methods that are reachable via GET requests but lack any permission or role verification. Because the routes fall under the /admin/ prefix, operators may assume they are protected - however, the middleware applied to this route group does not enforce admin-level authorization on these specific endpoints. As a result, any authenticated user (regardless of role) can query these endpoints and receive paginated JSON responses containing sensitive records. Exploitation can result in enumeration of user PII, payment and transaction records, active voucher and coupon codes, role and permission structure, server ownership mappings and support ticket contents. This issue has been fixed in version 1.2.0.

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.

Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3.

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51.

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content.

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.

Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction.

Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint.. Mattermost Advisory ID: MMSA-2026-00645

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.