
CWE-639 Authorization Bypass Through User-Controlled Key: vulnerability list (1322)

Summary of the 1322 CVE vulnerabilities in the CWE-639 (Authorization Bypass Through User-Controlled Key) weakness class, with AI-generated analysis in Chinese.

CWE-639 is an authorization-bypass weakness: the system retrieves data using a key value under the user's control, but never verifies that the key belongs to the user making the request. By tampering with the identifier (such as an ID), an attacker can directly access other users' data records. Developers should avoid exposing direct keys, use indirect references or session-context checks instead, and strictly verify resource ownership before every data access, so that unauthorized (horizontal) access is prevented.

MITRE CWE official description
CWE-639 Authorization Bypass Through User-Controlled Key. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value that identifies the data. A user record is retrieved in the system based on some key value that is under user control. The key typically identifies a user-related record stored in the system and is used to look that record up for presentation to the user. The attacker would most likely have to be an authenticated user of the system. However, the authorization process does not properly check the data access operation to ensure that the authenticated user performing it has sufficient privileges to perform the requested data access, hence bypassing any other authorization checks present in the system. For example, an attacker can look at places where user-specific data is retrieved (e.g. a search screen) and determine whether the key for the item being looked up is controllable externally. The key may be a hidden field in an HTML form, or may be passed as a URL parameter or as an unencrypted cookie variable, in which case it is possible to tamper with the key value. One manifestation of this weakness is a system that uses sequential or otherwise easily guessable session IDs, which would allow one user to easily switch to another user's session and read/modify their data.
Common Consequences (3)
Access Control: Bypass Protection Mechanism
Access control checks for specific user data or functionality can be bypassed.
Access Control: Gain Privileges or Assume Identity
Horizontal escalation of privilege is possible (one user can view/modify information of another user).
Access Control: Gain Privileges or Assume Identity
Vertical escalation of privilege is possible if the user-controlled key is actually a flag that indicates administrator status, allowing the attacker to gain administrative access.
Potential Mitigations (3)
Architecture and Design: For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Architecture and Design, Implementation: Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user, or that any tampering can be detected.
Architecture and Design: Use encryption in order to make it more difficult to guess other legitimate values of the key, or associate a digital signature with the key so that the server can verify that there has been no tampering.
Code Examples (1)
The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.

    ...
    conn = new SqlConnection(_ConnectionString);
    conn.Open();
    Int16 id = System.Convert.ToInt16(invoiceID.Text);
    SqlCommand query = new SqlCommand(
        "SELECT * FROM invoices WHERE id = @id", conn);
    query.Parameters.AddWithValue("@id", id);
    // The lookup is filtered by id only: nothing verifies that this invoice
    // belongs to the current user, so any id the client submits is accepted.
    SqlDataReader objReader = query.ExecuteReader();
    ...

Bad · C#
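The mitigations above and the C# example, as an added Python example that is not part of this page or of MITRE's entry: the same parameterized lookup with and without an ownership filter, plus an HMAC-bound reference token so the server can detect a tampered key. The invoice table, user ids and server secret are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed in-memory stand-in for the page's "invoices" table.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)")
DB.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
               [(1, 100, 250), (2, 100, 75), (3, 200, 999)])  # invoice 3 belongs to user 200

def get_invoice_by_id(invoice_id):
    """Mirrors the Bad example: parameterized (no SQL injection), but the
    client-supplied id is the only filter, so any authenticated user reads any row."""
    return DB.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

def get_invoice_for_user(user_id, invoice_id):
    """Mitigation 1: ownership is part of the lookup itself. A record the
    requester does not own is simply not found (returns None)."""
    return DB.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, user_id)).fetchone()

# Mitigation 3: bind the exposed key to the authenticated user with an HMAC tag.
SERVER_KEY = b"constructed-example-secret"  # assumption: server-side secret, never sent to clients

def issue_ref(user_id, invoice_id):
    """Reference handed to the client: '<invoice_id>.<hmac(user_id:invoice_id)>'."""
    msg = f"{user_id}:{invoice_id}".encode()
    return f"{invoice_id}." + hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def resolve_ref(user_id, ref):
    """Recompute the tag over (authenticated user, claimed id) and reject on
    mismatch, then still apply the ownership-scoped lookup (defense in depth)."""
    try:
        invoice_id, tag = ref.split(".", 1)
        int(invoice_id)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user_id}:{invoice_id}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # id or tag was altered, or the ref was issued to someone else
    return get_invoice_for_user(user_id, int(invoice_id))
```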
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-59100 | LobeChat 2.2.9 broken object-level authorization via chat group agent operations | lobehub | 5.0 | Medium | 2026-07-02
CVE-2026-59098 | LobeChat 2.2.9 cross-user document disclosure | lobehub | 6.5 | Medium | 2026-07-02
CVE-2026-58580 | LobeChat 2.2.9 object-level authorization bypass on message sub-resource writes | lobehub | 5.9 | Medium | 2026-07-02
CVE-2026-58653 | PraisonAI create/update authorization bypass due to unvalidated project_id | PraisonAI | 4.3 | Medium | 2026-07-02
CVE-2026-57680 | WordPress Kirki plugin <= 6.0.11 insecure direct object reference (IDOR) | Kirki | 6.5 | Medium | 2026-07-02
CVE-2026-11896 | My Calendar <= 3.7.14 unauthorized sensitive information disclosure | My Calendar – Accessible Event Manager | 5.3 | Medium | 2026-07-02
CVE-2026-12657 | LatePoint <= 5.6.2 unauthenticated IDOR | LatePoint – Calendar Booking Plugin for Appointments and Events | 5.3 | Medium | 2026-07-02
CVE-2026-9188 | Wappointment <= 2.7.6 unauthorized direct object reference | Appointment Bookings for Zoom GoogleMeet and more – Wappointment | 5.3 | Medium | 2026-07-02
CVE-2026-5348 | Academy LMS <= 3.8.1 unauthenticated insecure direct object reference leading to private topic disclosure | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution | 5.3 | Medium | 2026-07-02
CVE-2026-5138 | Foreman information disclosure due to improper validation of nested request parameters | Red Hat Satellite 6.16 for RHEL 8 | 4.3 | Medium | 2026-07-01
CVE-2026-5135 | Foreman unauthorized modification of host configuration | Red Hat Satellite 6.16 for RHEL 8 | 6.5 | Medium | 2026-07-01
CVE-2026-5142 | Foreman cross-tenant private key disclosure via taxonomy scope bypass | Red Hat Satellite 6.16 for RHEL 8 | 6.5 | Medium | 2026-07-01
CVE-2026-53903 | MCO direct object reference | MCO | | | 2026-07-01
CVE-2026-10096 | Qi Blocks <= 1.4.9 arbitrary style modification | Qi Blocks | 4.3 | Medium | 2026-07-01
CVE-2026-11988 | LearnPress <= 4.3.9.1 unauthorized sensitive information disclosure | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 6.5 | Medium | 2026-07-01
CVE-2026-12904 | Kadence Blocks <= 3.7.7 unauthorized deletion/reading/modification of optimizer data | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | 4.3 | Medium | 2026-07-01
CVE-2026-56230 | Capgo object-level authorization bypass via the x-limited-key-id header | Capgo | 8.8 | High | 2026-06-30
CVE-2026-58447 | Invidious missing ownership check allowing cross-user playlist video deletion | Invidious | 6.5 | Medium | 2026-06-30
CVE-2026-10140 | Langflow cross-tenant API key reuse and billing fraud | Langflow OSS | 9.6 | Critical | 2026-06-30
CVE-2026-27956 | Coolify cross-team application domain enumeration via the domains_by_server endpoint | coolify | 4.3 | Medium | 2026-06-30
CVE-2026-27883 | Coolify deployment API authorization bypass | coolify | 5.0 | Medium | 2026-06-30
CVE-2026-27881 | Coolify unauthorized information disclosure via GET /api/v1/deployments/{uuid} | coolify | 5.0 | Medium | 2026-06-30
CVE-2026-14209 | Keycloak-admin-ui brute-force users endpoint bypasses permission restrictions | Red Hat Build of Keycloak | 4.3 | Medium | 2026-06-30
CVE-2026-12073 | ProfileGrid <= 5.9.9.5 unauthorized privilege escalation | ProfileGrid – User Profiles, Groups and Communities | 9.8 | Critical | 2026-06-30
CVE-2026-34592 | Coolify SSH key disclosure due to unscoped server and project queries | coolify | 7.7 | High | 2026-06-29
CVE-2026-57498 | Coolify cross-team authorization bypass: Livewire component accepts unbound server_id and destination_uuid, allowing deployment to other teams' servers | coolify | 9.6 | Critical | 2026-06-29
CVE-2026-57956 | SigNoz 0.130.1 cross-organization insecure direct object reference in alert rules | signoz | 6.4 | Medium | 2026-06-29
CVE-2026-57945 | PhotoPrism unauthorized user profile modification via PUT /api/v1/users/{uid} | photoprism | 4.3 | Medium | 2026-06-29
CVE-2026-57943 | LibrePhotos < 1.0.0 insecure direct object reference in the set-photo-sharing endpoint | librephotos | 5.9 | Medium | 2026-06-29
CVE-2026-56781 | Teable unauthenticated hidden field disclosure via projection parameter override | teable | 5.3 | Medium | 2026-06-29

CWE-639 (Authorization Bypass Through User-Controlled Key) is a common weakness class; this platform has collected 1322 CVE vulnerabilities associated with it.