71337 matches found
GO-2026-5219 Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions in github.com/grafana/grafana
Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this...
GO-2026-5081 Gitea: Missing repository-unit authorization on issue-template API endpoints in code.gitea.io/gitea
Gitea: Missing repository-unit authorization on issue-template API endpoints in code.gitea.io/gitea...
CVE-2026-50017
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped authToken. The repository does...
Security Bulletin: IBM Support for Hyperledger Fabric is vulnerable to CVE-2026-33186
Summary google.golang.org/grpc-v1.56.3 used by fabric-operations-console Vulnerability Details CVEID:CVE-2026-33186 DESCRIPTION: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path...
JLSEC-2026-628 Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's...
Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing...
keycloak: Group-Admin Escalation to Realm-Admin
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
keycloak-policy-enforcer: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
keycloak: Keycloak: Denial of Service via malformed Authorization header
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an...
CVE-2026-9800
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
CVE-2026-9099
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
CVE-2026-54027
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files into any agent's toolresources e.g., context, executecode without verifying ownership or EDIT permission on the target...
CVE-2026-50017
pnpm is affected prior to versions 10.34.0 and 11.4.0. In these versions, during normal metadata/install workflows, pnpm can bind user-level unscoped npm authentication credentials to a repository‑selected registry (as configured by a repository-local .npmrc) and transmit them in an Authorization...
CVE-2026-9099
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
CVE-2026-9099
Keycloak contains a flaw in GroupResource.addChild() in the Admin REST API where missing authorization allows an authenticated user with limited admin privileges to reparent any group. Under FGAPv2, a manager of a low-privilege group can reparent a highly privileged group (e.g., realm-admin) unde...
CVE-2026-9800 Keycloak-policy-enforcer: keycloak policy enforcer: authorization bypass via incorrect uri comparison
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
CVE-2026-9800
CVE-2026-9800 affects Keycloak Policy Enforcer. The issue allows any authenticated user to bypass authorization checks (roles, scopes, UMA) by leveraging the configured access-denied page path in the request URL, either as a path segment or a query parameter. Root cause described in records as an...
CVE-2026-9800 Keycloak-policy-enforcer: keycloak policy enforcer: authorization bypass via incorrect uri comparison
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
CVE-2026-9800
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
EUVD-2026-39471
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
CVE-2026-9800
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...