CWE-639 · Authorization Bypass Through User-Controlled Key

1878 CVEs are classified under CWE-639 (Authorization Bypass Through User-Controlled Key).

Top CVEs for CWE-639
CVE | Severity | Score | Published | Summary
CVE-2026-34444 | Critical | 10.0 | 2026-04-06 | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed thro…
CVE-2025-40805 | Critical | 10.0 | 2026-01-13 | Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent…
CVE-2024-45032 | Critical | 10.0 | 2024-09-10 | A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Af…
CVE-2026-52782 | Critical | 9.9 | 2026-06-26 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages…
CVE-2026-55255 | Critical | 9.9 | 2026-06-23 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api…
CVE-2026-45552 | Critical | 9.9 | 2026-06-10 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.be…
CVE-2026-27591 | Critical | 9.9 | 2026-03-11 | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed auth…
CVE-2025-0987 | Critical | 9.9 | 2025-11-03 | Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection. This issue affects CVLand: from 2.1.0…
CVE-2023-3287 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
CVE-2023-38054 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This…
CVE-2023-38053 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including ad…
CVE-2023-38052 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results…
CVE-2023-38051 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary)…
CVE-2023-38049 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (incl…
CVE-2023-38048 | Critical | 9.9 | 2024-07-09 | A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This res…
CVE-2026-12073 | Critical | 9.8 | 2026-06-30 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to…
CVE-2026-44083 | Critical | 9.8 | 2026-06-09 | An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability…
CVE-2026-2347 | Critical | 9.8 | 2026-05-14 | Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. …
CVE-2026-24178 | Critical | 9.8 | 2026-04-28 | NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization by…
CVE-2018-25270 | Critical | 9.8 | 2026-04-22 | ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions throug…