
8 matches found

Patchstack
added 2026/05/21 8:34 p.m., 4 views

NPM: NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation

NPM: NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...

AI score: 5.8 | Exploits: 0 | References: 2 | Affected software: 1
OSV
added 2026/05/21 8:34 p.m., 2 views

GHSA-M5QG-RVJQ-727P NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation

Summary: The OAuth token strategy attached oauthscope and oauthgrantedresources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the...

CVSS: 2 | AI score: 5.8 | Exploits: 0 | References: 2
Github Security Blog
added 2026/05/21 8:34 p.m., 10 views

NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation

Summary: The OAuth token strategy attached oauthscope and oauthgrantedresources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the...

AI score: 5.8 | Exploits: 0 | References: 2 | Affected software: 1
RedhatCVE
added 2026/03/06 7:45 p.m., 4 views

CVE-2026-21621

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a...

CVSS: 7 | AI score: 5.8 | EPSS: 0.00033 | Exploits: 0 | References: 1
Cvelist
added 2026/03/05 7:20 p.m., 25 views

CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a...

CVSS: 7 | EPSS: 0.00033 | Exploits: 0 | References: 4
Vulnrichment
added 2026/03/05 7:20 p.m., 10 views

CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a...

CVSS: 7 | AI score: 5.8 | EPSS: 0.00033 | Exploits: 0 | References: 4
OSV
added 2024/08/08 3:15 p.m., 1 view

UBUNTU-CVE-2024-41942

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that...

CVSS: 7.2 | AI score: 7.1 | EPSS: 0.0013 | Exploits: 0 | References: 7
CNVD
added 2019/09/27 12:00 a.m., 1 view

Cloud Foundry UAA Elevation of Authority Vulnerability

UAA is a multi-tenant identity management service used in Cloud Foundry and can also be used as a standalone OAuth2 server. An elevation of privilege vulnerability exists in Cloud Foundry UAA versions prior to 74.1.0. The vulnerability stems from the fact that UAA can request a scope for a client...

CVSS: 8.8 | AI score: 7.1 | EPSS: 0.00393 | Exploits: 0 | References: 1