CWE-639 · Authorization Bypass Through User-Controlled Key
1878 CVEs classified under CWE-639 (Authorization Bypass Through User-Controlled Key). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-34444 | Critical | 10.0 | 2026-04-06 | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed thro… |
| CVE-2025-40805 | Critical | 10.0 | 2026-01-13 | Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent… |
| CVE-2024-45032 | Critical | 10.0 | 2024-09-10 | A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Af… |
| CVE-2026-52782 | Critical | 9.9 | 2026-06-26 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages… |
| CVE-2026-55255 | Critical | 9.9 | 2026-06-23 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api… |
| CVE-2026-45552 | Critical | 9.9 | 2026-06-10 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.be… |
| CVE-2026-27591 | Critical | 9.9 | 2026-03-11 | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed auth… |
| CVE-2025-0987 | Critical | 9.9 | 2025-11-03 | Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection. This issue affects CVLand: from 2.1.0… |
| CVE-2023-3287 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation. |
| CVE-2023-38054 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This… |
| CVE-2023-38053 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including ad… |
| CVE-2023-38052 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results… |
| CVE-2023-38051 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary)… |
| CVE-2023-38049 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (incl… |
| CVE-2023-38048 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This res… |
| CVE-2026-12073 | Critical | 9.8 | 2026-06-30 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to… |
| CVE-2026-44083 | Critical | 9.8 | 2026-06-09 | An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability… |
| CVE-2026-2347 | Critical | 9.8 | 2026-05-14 | Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. … |
| CVE-2026-24178 | Critical | 9.8 | 2026-04-28 | NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization by… |
| CVE-2018-25270 | Critical | 9.8 | 2026-04-22 | ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions throug… |