Skip to main content

CWE-639

Authorization Bypass Through User-Controlled Key

1591 CVEs Avg CVSS 6.3 MITRE
118
CRITICAL
484
HIGH
902
MEDIUM
81
LOW
317
POC
1
KEV

Monthly

CVE-2026-52882 MEDIUM PATCH This Month

Authorization bypass in MantisBT's SOAP API, REST API, and web-based bug update interface allows authenticated lower-privileged users to assign unreleased product versions to issues, circumventing the `report_issues_for_unreleased_versions_threshold` access control. All three issue-update pathways in versions 2.28.3 and earlier were unprotected: the SOAP handler (`mc_issue_api.php`), the web form (`bug_update.php`), and the REST command layer (`IssueAddCommand.php`). No public exploit code and no active exploitation (CISA KEV) have been identified; vendor-released patch version 2.28.4 closes all three vectors.

Authentication Bypass PHP
NVD GitHub
CVE-2026-58660 HIGH POC PATCH This Week

Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one project move, corrupt, or hide tasks in any other project on the same instance, including private projects they have no role on. The BoardAjaxController save() drag-and-drop endpoint checks the caller's role against the attacker-supplied project_id but never confirms the supplied task_id belongs to that project, and because task IDs are sequential integers shared instance-wide they are trivially enumerable. Publicly available exploit code exists and a vendor patch (commit 564cc30) is available, but this is not listed in CISA KEV and there is no public exploit identified as actively exploited in the wild.

Authentication Bypass Kanboard
NVD GitHub
CVSS 4.0
7.2
CVE-2026-59259 MEDIUM PATCH This Month

Permission bypass in n8n's external secrets handling allows authenticated low-privilege users to exfiltrate secrets they are not authorized to access by exploiting a mismatch between the platform's static validation layer and its runtime expression engine. Affected are all n8n instances running versions before 1.123.61 (1.x branch), 2.27.4, or 2.28.1 (2.x branch) that have both an external secrets provider and Advanced Permissions configured. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the confidentiality impact is high for affected deployments given that secrets such as API keys and credentials may be fully exposed.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
6.0
CVE-2026-59254 MEDIUM PATCH This Month

Unauthorized external secret disclosure in n8n before 2.28.1 allows authenticated project editors to read plaintext secret values from external secret managers by embedding references in workflow node expressions. The flaw bypasses the intended access control model: users with project editor roles - who are not granted explicit secrets access permissions - can nonetheless resolve and exfiltrate secrets via expression syntax. No public exploit or active exploitation has been identified, but the CVSS 4.0 vector assigns SC:H (high confidentiality impact on subsequent systems), reflecting that secrets stored in downstream vaults or secret managers are fully exposed to insufficiently privileged users.

Authentication Bypass Information Disclosure N8n
NVD GitHub
CVSS 4.0
6.3
CVE-2026-59236 MEDIUM PATCH This Month

Cross-tenant record injection in Roskus Prospero Flow CRM before 5.14.0 allows any authenticated user to silently insert customer, lead, and product records into a competing company's tenant by manipulating the company_id field in an uploaded Excel spreadsheet. The three affected import handlers (CustomerImport, LeadImport, ProductImport) map company_id directly from the user-controlled file without verifying it matches the authenticated session's own company, collapsing the multi-tenant data isolation boundary. No public exploit has been identified at time of analysis; vendor-released patch v5.14.0 is available and confirmed.

Authentication Bypass Prospero Flow Crm
NVD GitHub
CVSS 4.0
6.9
CVE-2026-59235 HIGH PATCH This Week

Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.

Authentication Bypass PHP Prospero Flow Crm
NVD GitHub
CVSS 4.0
8.7
CVE-2026-11580 MEDIUM POC PATCH This Month

Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.

Authentication Bypass WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-54052 npm CRITICAL PATCH GHSA Act Now

Cross-tenant data exposure in n8n-mcp (npm package, <= 2.56.0) lets an authenticated tenant on a shared multi-tenant HTTP instance read, delete, and destroy the automatic workflow version backups belonging to other tenants. Because each snapshot embeds full node definitions, the leaked data can include credential references and authorization headers, making this both a confidentiality and an integrity/availability failure. Rated CVSS 9.9 due to the scope change across tenant trust boundaries; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Docker Authentication Bypass
NVD GitHub
CVSS 3.1
9.9
CVE-2026-15058 LOW PATCH Monitor

Improper authorization in Devolutions Server's secure messages deletion endpoint exposes an Insecure Direct Object Reference (IDOR) flaw allowing any authenticated user to permanently delete secure messages belonging to other users simply by supplying a target message identifier. Affected versions are 2026.2.11 and 2026.1.22; patched releases 2026.1.23 and 2026.2.12 are available per the vendor advisory. No public exploit identified at time of analysis, and the low CVSS score of 3.1 reflects constrained impact (integrity only, no data disclosure) paired with high attack complexity.

Authentication Bypass Server
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-15637 HIGH PATCH This Week

Sensitive information disclosure in Devolutions Server 2026.1.x and 2026.2.x lets an authenticated low-privileged user read the private keys of SSH key and certificate PAM credentials belonging to other users. By supplying a credential identifier they should not have access to (an insecure direct object reference), the attacker retrieves secrets the PAM module is supposed to protect. No public exploit identified at time of analysis, and it is not on CISA KEV, but a vendor patch is available. Note: the supplied CVSS vector lists PR:N (unauthenticated) while the description explicitly requires an authenticated low-privileged user — treat this as an authenticated IDOR.

Authentication Bypass Server
NVD
CVSS 3.1
7.5
EPSS
0.1%
MEDIUM PATCH This Month

Authorization bypass in MantisBT's SOAP API, REST API, and web-based bug update interface allows authenticated lower-privileged users to assign unreleased product versions to issues, circumventing the `report_issues_for_unreleased_versions_threshold` access control. All three issue-update pathways in versions 2.28.3 and earlier were unprotected: the SOAP handler (`mc_issue_api.php`), the web form (`bug_update.php`), and the REST command layer (`IssueAddCommand.php`). No public exploit code and no active exploitation (CISA KEV) have been identified; vendor-released patch version 2.28.4 closes all three vectors.

Authentication Bypass PHP
NVD GitHub
CVSS 7.2
HIGH POC PATCH This Week

Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one project move, corrupt, or hide tasks in any other project on the same instance, including private projects they have no role on. The BoardAjaxController save() drag-and-drop endpoint checks the caller's role against the attacker-supplied project_id but never confirms the supplied task_id belongs to that project, and because task IDs are sequential integers shared instance-wide they are trivially enumerable. Publicly available exploit code exists and a vendor patch (commit 564cc30) is available, but this is not listed in CISA KEV and there is no public exploit identified as actively exploited in the wild.

Authentication Bypass Kanboard
NVD GitHub
CVSS 6.0
MEDIUM PATCH This Month

Permission bypass in n8n's external secrets handling allows authenticated low-privilege users to exfiltrate secrets they are not authorized to access by exploiting a mismatch between the platform's static validation layer and its runtime expression engine. Affected are all n8n instances running versions before 1.123.61 (1.x branch), 2.27.4, or 2.28.1 (2.x branch) that have both an external secrets provider and Advanced Permissions configured. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the confidentiality impact is high for affected deployments given that secrets such as API keys and credentials may be fully exposed.

Authentication Bypass N8n
NVD GitHub
CVSS 6.3
MEDIUM PATCH This Month

Unauthorized external secret disclosure in n8n before 2.28.1 allows authenticated project editors to read plaintext secret values from external secret managers by embedding references in workflow node expressions. The flaw bypasses the intended access control model: users with project editor roles - who are not granted explicit secrets access permissions - can nonetheless resolve and exfiltrate secrets via expression syntax. No public exploit or active exploitation has been identified, but the CVSS 4.0 vector assigns SC:H (high confidentiality impact on subsequent systems), reflecting that secrets stored in downstream vaults or secret managers are fully exposed to insufficiently privileged users.

Authentication Bypass Information Disclosure N8n
NVD GitHub
CVSS 6.9
MEDIUM PATCH This Month

Cross-tenant record injection in Roskus Prospero Flow CRM before 5.14.0 allows any authenticated user to silently insert customer, lead, and product records into a competing company's tenant by manipulating the company_id field in an uploaded Excel spreadsheet. The three affected import handlers (CustomerImport, LeadImport, ProductImport) map company_id directly from the user-controlled file without verifying it matches the authenticated session's own company, collapsing the multi-tenant data isolation boundary. No public exploit has been identified at time of analysis; vendor-released patch v5.14.0 is available and confirmed.

Authentication Bypass Prospero Flow Crm
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.

Authentication Bypass PHP Prospero Flow Crm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.

Authentication Bypass WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant data exposure in n8n-mcp (npm package, <= 2.56.0) lets an authenticated tenant on a shared multi-tenant HTTP instance read, delete, and destroy the automatic workflow version backups belonging to other tenants. Because each snapshot embeds full node definitions, the leaked data can include credential references and authorization headers, making this both a confidentiality and an integrity/availability failure. Rated CVSS 9.9 due to the scope change across tenant trust boundaries; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Docker Authentication Bypass
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Improper authorization in Devolutions Server's secure messages deletion endpoint exposes an Insecure Direct Object Reference (IDOR) flaw allowing any authenticated user to permanently delete secure messages belonging to other users simply by supplying a target message identifier. Affected versions are 2026.2.11 and 2026.1.22; patched releases 2026.1.23 and 2026.2.12 are available per the vendor advisory. No public exploit identified at time of analysis, and the low CVSS score of 3.1 reflects constrained impact (integrity only, no data disclosure) paired with high attack complexity.

Authentication Bypass Server
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sensitive information disclosure in Devolutions Server 2026.1.x and 2026.2.x lets an authenticated low-privileged user read the private keys of SSH key and certificate PAM credentials belonging to other users. By supplying a credential identifier they should not have access to (an insecure direct object reference), the attacker retrieves secrets the PAM module is supposed to protect. No public exploit identified at time of analysis, and it is not on CISA KEV, but a vendor patch is available. Note: the supplied CVSS vector lists PR:N (unauthenticated) while the description explicitly requires an authenticated low-privileged user — treat this as an authenticated IDOR.

Authentication Bypass Server
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy