Skip to main content

CWE-862

Missing Authorization

7214 CVEs Avg CVSS 6.0 MITRE
356
CRITICAL
1582
HIGH
5095
MEDIUM
175
LOW
514
POC
8
KEV

Monthly

CVE-2026-59255 HIGH POC PATCH This Week

Improper authorization in SpecterOps BloodHound through 9.4.0 lets any authenticated user tamper with the global custom-node graph schema by calling POST, PUT, and DELETE operations on the /api/v2/custom-nodes endpoints, which enforced only that a caller was logged in rather than that they held write permissions. Because custom node kinds are a shared, tenant-wide schema construct, a single low-privileged account can create, alter, or delete node types that affect every user and tenant on the instance. Publicly available exploit code exists and a vendor patch (commit 8f79035) is available; there is no CISA KEV listing, so exploitation is not confirmed as active.

Authentication Bypass Bloodhound
NVD GitHub
CVSS 4.0
7.1
CVE-2026-49280 MEDIUM PATCH GHSA This Month

MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.

Authentication Bypass PHP
NVD GitHub
CVE-2026-46459 MEDIUM PATCH This Month

Missing authorization on device receiver endpoints in ICU Scandinavia Boomerang exposes facility and quality-assurance installations to unauthenticated read and write access over adjacent networks. Any attacker with network adjacency can retrieve complete facility configurations and inject arbitrary data into the sensor database without supplying credentials, violating both confidentiality and integrity of operational sensor records. No public exploit has been identified at time of analysis, but CERT-PL's coordinated disclosure and a vendor-confirmed patch in version 2.4.18.029 indicate a concrete, addressable risk for organizations running unpatched deployments.

Authentication Bypass Boomerang
NVD
CVSS 4.0
5.3
CVE-2026-61440 HIGH PATCH This Week

Broken authorization in PraisonAI Platform before 0.1.9 lets any authenticated workspace member modify shared label taxonomy and issue-label associations they should not control, renaming and recoloring shared labels and adding or removing labels on issues created by owners or admins. The flaw (CWE-862, missing authorization) stems from label PATCH and issue-label POST/DELETE endpoints trusting workspace membership without enforcing owner/admin role checks. Reported by VulnCheck with a vendor patch available; there is no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
7.1
CVE-2026-14251 HIGH This Week

Denial of service in Red Hat OpenShift GitOps (Argo CD operator) lets a tenant who controls a namespace-scoped Argo CD instance delete a ClusterRole belonging to a cluster-scoped Argo CD instance by crafting a name collision. Because the ClusterRole reconciler skips ownership validation (CWE-862), a low-privileged tenant can disrupt a higher-privileged, cluster-wide GitOps instance across the trust boundary. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the cross-tenant scope change makes it a meaningful multi-tenancy integrity concern.

Authentication Bypass Denial Of Service Red Hat Openshift Gitops
NVD VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-15752 MEDIUM This Month

Missing authorization on the `/api/v1/users/` backend user endpoint in xianyu-auto-reply allows remote unauthenticated attackers to access or manipulate user account data without any credentials. The flaw (CWE-862) affects all commits up to dcb445ad97816ad65299a7580ee0c8c8f929da84 in this FastAPI-based Python backend for automating Xianyu marketplace replies. A public exploit exists (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV; the vendor-issued patch commit is the recommended remediation given the project's rolling release model.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-55052 HIGH PATCH This Week

Privilege escalation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets an already-authenticated network user gain higher privileges by exploiting a missing authorization check (CWE-862). Any low-privileged account with access to the SharePoint web application can abuse the flaw to perform actions reserved for higher-privileged roles, with full confidentiality, integrity, and availability impact per the CVSS 8.8 rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-58279 MEDIUM PATCH Exploit Unlikely This Month

Missing authorization in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Azure Cyclecloud 8 9 1
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-14504 HIGH PATCH This Week

Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.

Hashicorp Authentication Bypass Nexus Repository 3
NVD
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-60119 MEDIUM PATCH This Month

Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.

Authentication Bypass XSS Hi Events
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVSS 7.1
HIGH POC PATCH This Week

Improper authorization in SpecterOps BloodHound through 9.4.0 lets any authenticated user tamper with the global custom-node graph schema by calling POST, PUT, and DELETE operations on the /api/v2/custom-nodes endpoints, which enforced only that a caller was logged in rather than that they held write permissions. Because custom node kinds are a shared, tenant-wide schema construct, a single low-privileged account can create, alter, or delete node types that affect every user and tenant on the instance. Publicly available exploit code exists and a vendor patch (commit 8f79035) is available; there is no CISA KEV listing, so exploitation is not confirmed as active.

Authentication Bypass Bloodhound
NVD GitHub
MEDIUM PATCH This Month

MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.

Authentication Bypass PHP
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Missing authorization on device receiver endpoints in ICU Scandinavia Boomerang exposes facility and quality-assurance installations to unauthenticated read and write access over adjacent networks. Any attacker with network adjacency can retrieve complete facility configurations and inject arbitrary data into the sensor database without supplying credentials, violating both confidentiality and integrity of operational sensor records. No public exploit has been identified at time of analysis, but CERT-PL's coordinated disclosure and a vendor-confirmed patch in version 2.4.18.029 indicate a concrete, addressable risk for organizations running unpatched deployments.

Authentication Bypass Boomerang
NVD
CVSS 7.1
HIGH PATCH This Week

Broken authorization in PraisonAI Platform before 0.1.9 lets any authenticated workspace member modify shared label taxonomy and issue-label associations they should not control, renaming and recoloring shared labels and adding or removing labels on issues created by owners or admins. The flaw (CWE-862, missing authorization) stems from label PATCH and issue-label POST/DELETE endpoints trusting workspace membership without enforcing owner/admin role checks. Reported by VulnCheck with a vendor patch available; there is no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass Praisonai
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Denial of service in Red Hat OpenShift GitOps (Argo CD operator) lets a tenant who controls a namespace-scoped Argo CD instance delete a ClusterRole belonging to a cluster-scoped Argo CD instance by crafting a name collision. Because the ClusterRole reconciler skips ownership validation (CWE-862), a low-privileged tenant can disrupt a higher-privileged, cluster-wide GitOps instance across the trust boundary. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the cross-tenant scope change makes it a meaningful multi-tenancy integrity concern.

Authentication Bypass Denial Of Service Red Hat Openshift Gitops
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Missing authorization on the `/api/v1/users/` backend user endpoint in xianyu-auto-reply allows remote unauthenticated attackers to access or manipulate user account data without any credentials. The flaw (CWE-862) affects all commits up to dcb445ad97816ad65299a7580ee0c8c8f929da84 in this FastAPI-based Python backend for automating Xianyu marketplace replies. A public exploit exists (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV; the vendor-issued patch commit is the recommended remediation given the project's rolling release model.

Authentication Bypass
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets an already-authenticated network user gain higher privileges by exploiting a missing authorization check (CWE-862). Any low-privileged account with access to the SharePoint web application can abuse the flaw to perform actions reserved for higher-privileged roles, with full confidentiality, integrity, and availability impact per the CVSS 8.8 rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Microsoft Sharepoint Enterprise Server 2016 +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Missing authorization in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Azure Cyclecloud 8 9 1
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.

Hashicorp Authentication Bypass Nexus Repository 3
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.

Authentication Bypass XSS Hi Events
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy