
8 matches found

NVD
added 2026/05/04 8:16 p.m., 1 view

CVE-2025-67796

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users...

CVSS 8.1, EPSS 0.00035
Exploits 0, References 2
CVE
added 2026/05/04 12:00 a.m., 10 views

CVE-2025-67796

IKUS Rdiffweb is affected by an improper authorization vulnerability (CVE-2025-67796) in versions prior to 2.10.6. The API fails to bind the authenticated subject to the targeted user/tenant, allowing a valid or stolen token to read or modify other users’ data and potentially perform privileged a...

CVSS 8.1, AI score 5.8, EPSS 0.00035
Exploits 0, References 2
OSV
added 2026/04/16 11:36 p.m., 1 view

BIT-AUTHENTIK-2024-37905 Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. The authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the authentik application, including...

CVSS 8.8, AI score 5.7, EPSS 0.01553
Exploits 0, References 5
OSV
added 2026/01/03 11:37 a.m., 3 views

BIT-GITEA-2025-68941

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources...

CVSS 5.3, AI score 6.7, EPSS 0.0001
Exploits 0, References 4
OSV
added 2025/06/30 7:35 p.m., 0 views

GHSA-3M86-C9X3-VWM9 Graylog vulnerable to privilege escalation through API tokens

Impact: Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests ...

CVSS 8.8, AI score 5.9, EPSS 0.00275
Exploits 0, References 5
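The Rdiffweb and Graylog entries above describe the same authorization defect from two angles: the API checks that a bearer token is valid, but never checks that the token's subject is allowed to act on the user named in the request, so any valid or stolen token can read another user's data (Rdiffweb) or mint a token for a user whose ID is known (Graylog). The following is an added example, not code from Rdiffweb, Graylog or any project listed on this page: a minimal in-memory API showing the vulnerable handlers beside hardened ones that bind subject to target. All users, tokens and endpoint names are constructed for illustration.

```python
"""Added example (not code from Rdiffweb, Graylog or any other project on this
page): a token-authenticated API that never binds the token's subject to the
user named in the request, beside a hardened version that does.  Every user,
token and endpoint name here is constructed for illustration."""

import secrets
from dataclasses import dataclass


class Unauthorized(Exception):
    """No valid token was presented."""


class Forbidden(Exception):
    """A valid token was presented, but its subject may not act on the target."""


@dataclass
class User:
    id: str
    email: str
    is_admin: bool = False


# Constructed tenant: one local administrator and two ordinary users.
USERS = {
    "admin": User("admin", "root@example.test", is_admin=True),
    "alice": User("alice", "alice@example.test"),
    "bob": User("bob", "bob@example.test"),
}
# Bearer token -> id of the user it was issued to (its subject). Constructed values.
TOKENS = {"tok-admin": "admin", "tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token: str) -> User:
    """Step 1 in both versions: reject unknown tokens, return the token's subject."""
    try:
        return USERS[TOKENS[token]]
    except KeyError:
        raise Unauthorized("invalid token") from None


# ---- vulnerable pattern: authentication without subject/target binding ----

def vulnerable_get_email(token: str, target_id: str) -> str:
    authenticate(token)               # only asks "is *some* token valid?"
    return USERS[target_id].email     # target comes straight from the URL


def vulnerable_create_token(token: str, target_id: str) -> str:
    authenticate(token)
    new = "tok-" + secrets.token_hex(8)
    TOKENS[new] = target_id           # subject of the new token is caller-chosen,
    return new                        # so bob can mint a token that acts as admin


# ---- hardened pattern: every request binds subject to target -------------

def authorize(subject: User, target_id: str, admin_may_act: bool = True) -> User:
    """Allow the request only if the token's subject *is* the target, or (where
    the endpoint permits it) is an administrator.  An unknown target gets the
    same Forbidden as a disallowed one, so the endpoint is not an enumeration oracle."""
    target = USERS.get(target_id)
    if target is not None and (subject.id == target.id or (admin_may_act and subject.is_admin)):
        return target
    raise Forbidden("token subject may not act on this user")


def hardened_get_email(token: str, target_id: str) -> str:
    subject = authenticate(token)
    return authorize(subject, target_id).email


def hardened_create_token(token: str, target_id: str) -> str:
    subject = authenticate(token)
    # Design choice for this example: minting a token for another principal is a
    # privilege-escalation path, so not even an admin may do it through this API.
    target = authorize(subject, target_id, admin_may_act=False)
    new = "tok-" + secrets.token_hex(8)
    TOKENS[new] = target.id
    return new


def denied(fn, *args) -> bool:
    """True if the call is refused with Forbidden (helper for the demo below)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob reads alice's data and mints an admin token through the vulnerable API...
    print(vulnerable_get_email("tok-bob", "alice"))
    stolen = vulnerable_create_token("tok-bob", "admin")
    print(authenticate(stolen).is_admin)
    # ...and is refused by the hardened one.
    print(denied(hardened_get_email, "tok-bob", "alice"),
          denied(hardened_create_token, "tok-bob", "admin"))
```

The check that matters is in `authorize`: the target is taken from the request, the subject from the token, and the handler refuses unless the two are the same principal (or an admin on endpoints where that is intended). Token creation is deliberately stricter than data access, since a token minted for another user is itself a reusable credential.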
CNNVD
added 2022/06/09 12:00 a.m., 2 views

Envoy Access Control Error Vulnerability

Envoy is an open source distributed proxy server. An access control error vulnerability exists in Envoy versions prior to 1.22.1; it stems from the proxy allowing requests through whenever an access token is present on them. No detailed vulnerability details are currently available...

CVSS 10, AI score 5.6, EPSS 0.0009
Exploits 0, References 9
Grafana
added 2022/01/18 12:00 a.m., 2 views

Forward OAuth Identity Token can allow users to access some data sources

Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently...

CVSS 4.3, AI score 6.7, EPSS 0.00521
Exploits 0
CNVD
added 2017/04/07 12:00 a.m., 1 view

Multiple Huawei Server Cross-Site Request Forgery Vulnerabilities

Huawei Tecal RH1288 V2 and other models are servers from Huawei, a Chinese company. A cross-site request forgery vulnerability exists in several Huawei servers; it stems from the web interface's failure to use a token mechanism for access control. A remote attacker could exploit this vulnerability t...

CVSS 8.8, AI score 6.9, EPSS 0.00074
Exploits 0, References 1