CWE-285 · Improper Authorization

1350 CVEs classified under CWE-285 (Improper Authorization).

Top CVEs for CWE-285
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33105 | Critical | 10.0 | 2026-04-03 | Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-32213 | Critical | 10.0 | 2026-04-03 | Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-65041 | Critical | 10.0 | 2025-12-18 | Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2023-33189 | Critical | 10.0 | 2023-05-30 | Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue… |
| CVE-2022-2595 | Critical | 10.0 | 2022-08-01 | Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1. |
| CVE-2022-21196 | Critical | 10.0 | 2022-02-18 | MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perfo… |
| CVE-2021-37705 | Critical | 10.0 | 2021-08-13 | OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authe… |
| CVE-2021-28799 | Critical | 10.0 | 2021-05-13 | An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote… |
| CVE-2016-5788 | Critical | 10.0 | 2016-11-25 | General Electric (GE) Bently Nevada 3500/22M USB with firmware before 5.0 and Bently Nevada 3500/22M Serial have open ports, which makes it easier for remote a… |
| CVE-2026-47744 | Critical | 9.9 | 2026-05-29 | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to t… |
| CVE-2026-5412 | Critical | 9.9 | 2026-04-10 | In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to… |
| CVE-2026-30956 | Critical | 9.9 | 2026-03-10 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in O… |
| CVE-2025-49746 | Critical | 9.9 | 2025-07-18 | Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-29827 | Critical | 9.9 | 2025-05-08 | Improper authorization in Azure Automation allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-30390 | Critical | 9.9 | 2025-04-30 | Improper authorization in Azure allows an authorized attacker to elevate privileges over a network. |
| CVE-2024-45387 | Critical | 9.9 | 2024-12-23 | An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operation… |
| CVE-2024-43602 | Critical | 9.9 | 2024-11-12 | Azure CycleCloud Remote Code Execution Vulnerability |
| CVE-2024-25108 | Critical | 9.9 | 2024-02-12 | Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to acce… |
| CVE-2024-24830 | Critical | 9.9 | 2024-02-08 | OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been i… |
| CVE-2022-2661 | Critical | 9.9 | 2022-08-16 | Sequi PortBloque S has an improper authorization vulnerability, which may allow a low-privileged user to perform administrative functions using specifically cr… |