Home/CWE/Authorization Bypass Through User-Controlled Key
Weakness

Authorization Bypass Through User-Controlled Key

CWE-639 · Base · Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Extended description

Retrieval of a user record occurs in the system based on some key value that is under user control. The key would typically identify a user-related record stored in the system and would be used to lookup that record for presentation to the user. It is likely that an attacker would have to be an authenticated user in the system.

However, the authorization process would not properly check the data access operation to ensure that the authenticated user performing the operation has sufficient entitlements to perform the requested data access, hence bypassing any other authorization checks present in the system. For example, attackers can look at places where user specific data is retrieved (e.g. search screens) and determine whether the key for the item being looked up is controllable externally. The key may be a hidden field in the HTML form field, might be passed as a URL parameter or as an unencrypted cookie variable, then in each of these cases it will be possible to tamper with the key value.

One manifestation of this weakness is when a system uses sequential or otherwise easily-guessable session IDs that would allow one user to easily switch to another user's session and read/modify their data.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-284 · Improper Access Control
ChildOfCWE-863 · Incorrect Authorization
Children (more specific)
ParentOfCWE-566 · Authorization Bypass Through User-Controlled SQL Primary Key

CVEs With This Weakness

1,894
A sample of the 1,894 CVEs tagged with this weakness.
CVECVE-2026-8786
CVECVE-2026-8629
CVECVE-2026-8196
CVECVE-2026-8027
CVECVE-2026-7782
CVECVE-2026-7702
CVECVE-2026-7681
CVECVE-2026-7648
CVECVE-2026-7638
CVECVE-2026-7573
CVECVE-2026-7510
CVECVE-2026-7502

Nuclei Scanner Templates

12
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalService Finder Bookings - Authentication Bypass
criticalWordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
criticalTelesquare TLR-2005KSH 1.0.0 - Arbitrary File Upload
criticalZabbix <=4.4 - Authentication Bypass
criticalPopup-Maker < 1.8.12 - Broken Authentication
highMy Calendar WordPress Plugin - Information Disclosure
highWordPress acf-to-rest-api <=3.1.0 - Insecure Direct Object Reference
mediumSite Offline WP Plugin < 1.5.3 - Authorization Bypass
mediumSearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
mediumWordPress Sensei LMS <4.5.0 - Information Disclosure
mediumEventON Lite < 2.1.2 - Arbitrary File Download
mediumWordPress Events Calendar 6.8.2.1 - Information Disclosure
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin