CWE-862: Missing Authorization — known CVE vulnerabilities
CVEs classified under CWE-862 (Missing Authorization), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-0092: In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local…
CVE-2026-33712 — CVSS 10.0 (critical): Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startC…
CVE-2026-2031: An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23…
CVE-2026-34976 — CVSS 10.0 (critical): Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization…
CVE-2025-30416 — CVSS 10.0 (critical): Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16…
CVE-2025-46348 — CVSS 10.0 (critical): YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded…
CVE-2025-22609 — CVSS 10.0 (critical): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the…
CVE-2024-52416 — CVSS 10.0 (critical): Missing Authorization vulnerability in Eugen Bobrowski Debug Tool debug-tool allows Upload a Web Shell to a Web Server.This issue affects…
CVE-2024-6500 — CVSS 10.0 (critical): The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a…
CVE-2024-6071 — CVSS 10.0 (critical): PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary…
CVE-2024-33566 — CVSS 10.0 (critical): Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4.
CVE-2024-2086 — CVSS 10.0 (critical): The Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your…
CVE-2026-45625 — CVSS 9.9 (critical): Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes…
CVE-2026-46425 — CVSS 9.9 (critical): Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares…
CVE-2026-44442 — CVSS 9.9 (critical): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper…
CVE-2026-39355 — CVSS 9.9 (critical): Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application…
CVE-2026-22172 — CVSS 9.9 (critical): OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token…
CVE-2026-29789 — CVSS 9.9 (critical): Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version…
CVE-2026-0488 — CVSS 9.9 (critical): An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute…
CVE-2025-68270 — CVSS 9.9 (critical): The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole…
CVE-2025-49747 — CVSS 9.9 (critical): Missing authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
CVE-2025-22611 — CVSS 9.9 (critical): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the…
CVE-2020-36837 — CVSS 9.9 (critical): The ThemeGrill Demo Importer plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the…
CVE-2024-6303 — CVSS 9.9 (critical): Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be…
CVE-2023-49742 — CVSS 9.9 (critical): Missing Authorization vulnerability in Support Genix.This issue affects Support Genix: from n/a through 1.2.3.
CVE-2024-31997 — CVSS 9.9 (critical): XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always…
CVE-2024-31987 — CVSS 9.9 (critical): XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any…
CVE-2024-31983 — CVSS 9.9 (critical): XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing…
CVE-2024-31981 — CVSS 9.9 (critical): XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, remote code…
CVE-2024-29241 — CVSS 9.9 (critical): Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows…
CVE-2023-34063 — CVSS 9.9 (critical): Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to…
CVE-2021-4368 — CVSS 9.9 (critical): The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This…
CVE-2021-4347 — CVSS 9.9 (critical): The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is…
CVE-2023-1782 — CVSS 9.9 (critical): HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for…
CVE-2022-41272 — CVSS 9.9 (critical): An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP…
CVE-2022-24768 — CVSS 9.9 (critical): Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are…
CVE-2019-15954 — CVSS 9.9 (critical): An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution…
CVE-2026-12153 — CVSS 9.8 (critical): The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to…
CVE-2026-38329 — CVSS 9.8 (critical): Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in…
CVE-2026-39910 — CVSS 9.8 (critical): STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate…
CVE-2026-8495 — CVSS 9.8 (critical): Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.
CVE-2026-6510 — CVSS 9.8 (critical): The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and…
CVE-2026-26083 — CVSS 9.8 (critical): A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud…
CVE-2021-47932 — CVSS 9.8 (critical): WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator…
CVE-2026-43575 — CVSS 9.8 (critical): OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes…
CVE-2026-5294 — CVSS 9.8 (critical): The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv…